Recently in my lab I deployed VMware Horizon 7, and I wanted to test out the Unified Access Gateway (previously known as the EUC Access Point) for internet accessibility.

I followed various guides (such as Carl’s guide) to deploy the UAG, but I wanted to do something about the TLS certificate. The Horizon clients specifically make it difficult to work with self-signed certificates, so naturally I wanted to use a certificate from Let’s Encrypt.

Unfortunately I couldn’t work out how to get a client running directly on the UAG appliance. Certbot doesn’t recognise the platform (it’s SUSE Enterprise Linux 12), so I thought of trying acme-tiny. Sadly I couldn’t locate an appropriate directory that the UAG would actually serve at the top of the domain, so neither option was feasible.

I did notice when going through Carl’s guide that there is a reverse proxy configuration option for the UAG. I decided to go down this route instead.

Under the Horizon settings in the UAG configuration page, there is a Proxy Pattern field, which I had already populated as per Carl’s guide, but now I added the directory for Let’s Encrypt HTTP challenges, making the total string

As per this screenshot:

This meant that the UAG would pass any HTTP requests along to the View Connection Server, in my case running on Windows 2012r2. From there it is pretty easy. Create the HTTP challenge folder in the following path (tip for creating the well-known folder – put a leading and trailing period when typing the name, Windows will automatically strip the trailing period).

To actually handle the HTTP challenge, I used the manual HTTP handler in ACMESharp, as per method #2 in the quick-start guide, creating the challenge file manually in Notepad with the information provided.
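A challenge file typed by hand in Notepad can fail validation because of a hidden `.txt` extension or a byte order mark, so the following added example (not from the original post or from ACMESharp) checks the file before validation is requested. `Test-AcmeChallengeFile` is a hypothetical helper, and the token and key authorization below are constructed sample values.

```powershell
# Added example: Test-AcmeChallengeFile is a hypothetical helper, not an ACMESharp cmdlet.
function Test-AcmeChallengeFile {
    param(
        [Parameter(Mandatory)][string]$Path,             # challenge file on the Connection Server
        [Parameter(Mandatory)][string]$Token,            # token shown by the ACME client
        [Parameter(Mandatory)][string]$KeyAuthorization  # file content shown by the ACME client
    )
    $problems = New-Object System.Collections.Generic.List[string]
    # http-01 content is "<token>.<base64url SHA-256 account key thumbprint>" (RFC 8555, 8.1 and 8.3).
    if ($KeyAuthorization -cnotmatch '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$') {
        $problems.Add('Key authorization is not <token>.<43-char base64url thumbprint>.')
    } elseif (-not $KeyAuthorization.StartsWith($Token + '.', [StringComparison]::Ordinal)) {
        $problems.Add('Key authorization does not start with the token.')
    }
    # The URL ends in the bare token, so a Notepad-added ".txt" means the request misses the file.
    if ([System.IO.Path]::GetFileName($Path) -cne $Token) {
        $problems.Add('File name differs from the token (check for a hidden .txt extension).')
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add("File not found: $Path")
    } else {
        $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
        $utf16 = $bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                           ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))
        $utf8Bom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
        if ($utf16 -or $utf8Bom) {
            $problems.Add('File starts with a byte order mark; save it as ANSI or UTF-8 without BOM.')
        } elseif ([System.Text.Encoding]::ASCII.GetString($bytes).TrimEnd() -cne $KeyAuthorization) {
            # Trailing whitespace is tolerated here; everything else must match exactly.
            $problems.Add('File content does not match the key authorization.')
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample values; real ones come from the ACME client's challenge output.
$token   = 'constructed-token_0123456789abcdefghijklmnop'
$keyAuth = $token + '.' + ('A' * 43)
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('acme-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
# Good file: bare token name, ASCII bytes, a trailing newline.
[System.IO.File]::WriteAllText((Join-Path $dir $token), "$keyAuth`r`n", [System.Text.Encoding]::ASCII)
# Typical Notepad result: ".txt" appended and a UTF-8 BOM in front of the content.
[System.IO.File]::WriteAllText((Join-Path $dir "$token.txt"), $keyAuth, (New-Object System.Text.UTF8Encoding $true))

Test-AcmeChallengeFile -Path (Join-Path $dir $token) -Token $token -KeyAuthorization $keyAuth
Test-AcmeChallengeFile -Path (Join-Path $dir "$token.txt") -Token $token -KeyAuthorization $keyAuth |
    Select-Object -ExpandProperty Problems
Remove-Item -LiteralPath $dir -Recurse -Force
```

On the real server, point `-Path` at the file inside the challenge folder and pass the token and content exactly as the ACME client printed them.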

Hopefully you find this information useful when deploying the UAG for yourself.