Lots of customers use a VPN to access virtual desktops and apps instead of landing directly on an application proxy from the internet. One of them quizzed me on the merits and demerits of using VMware UAG versus a Client VPN to access Horizon Desktops and Apps.
Before comparing the two, here is what UAG and a Client VPN have in common:
- Provide remote access to Horizon apps and desktops hosted internally.
- Authenticate users (additionally with multi-factor authentication) before establishing a connection.
- Offer endpoint scanning to check the Windows patch level, AV update status and so on.
The following are the merits and demerits of UAG compared with a Client VPN like Cisco AnyConnect.
Merits and Demerits of VMware UAG versus VPN

|Merits of UAG|Demerits of UAG|
|---|---|
|Security – The main difference is that access control is at the application layer and not at the network layer. Users access applications/desktops only, and the user's network is not patched to the internal network as it is with a Client VPN.|Extra Servers – UAG servers need to be stood up in the DMZ. If the customer already has an existing VPN solution, this could be additional setup.|
|User Experience – With a VPN, the user has to take two steps to connect to Horizon apps and desktops: 1. Connect to the Client VPN; 2. Log in to the Horizon Client. If UAG is set up, users can access Horizon directly from the internet using a public URL instead of logging in via a VPN.|Teams – Oftentimes, VDI teams are different from the network and security teams, and it may be cumbersome to go through the various approval processes to stand up a UAG server in the DMZ.|
|Performance – Blast Extreme and PCoIP are UDP-based protocols that are secure by design and optimized for real-time traffic like audio and video. When these streams are encapsulated and forced into TCP packets by SSL VPNs, the performance can drop significantly.|Size of implementation – For small setups and certain user groups, it may still be okay not to have the most optimal and performant delivery methods.|
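
The performance point in the table, as an added example that is not from the original post: a toy model of a datagram stream with one lost packet, delivered directly over UDP and through a TCP-based tunnel. The timing values (one frame every 10 ms, 20 ms one-way delay, 200 ms retransmission timeout, 60 ms playout deadline) are assumptions chosen for illustration, and the tunnel is simplified to a single timeout-based retransmission.

```python
# Added example (not from the original post): toy model of head-of-line
# blocking when a real-time datagram stream is carried inside a TCP tunnel.
# All timing values are illustrative assumptions, not Horizon measurements.

def udp_delivery(n_frames, one_way_ms, lost):
    """Native UDP: a lost frame never arrives; the rest are unaffected."""
    return {i: one_way_ms for i in range(n_frames) if i not in lost}

def tcp_tunnel_delivery(n_frames, interval_ms, one_way_ms, lost, rto_ms):
    """TCP tunnel: a lost segment is resent after rto_ms (simplified to one
    timeout-based retransmission) and later data waits for it, because TCP
    hands bytes to the receiver strictly in order."""
    latencies, released_at = {}, 0
    for i in range(n_frames):
        sent = i * interval_ms
        arrival = sent + one_way_ms + (rto_ms if i in lost else 0)
        released_at = max(released_at, arrival)  # blocked behind predecessor
        latencies[i] = released_at - sent
    return latencies

def summarize(latencies, n_frames, deadline_ms):
    """Return (frames missing, frames past the playout deadline, worst latency)."""
    missing = n_frames - len(latencies)
    late = sum(1 for ms in latencies.values() if ms > deadline_ms)
    return missing, late, max(latencies.values())

# Constructed scenario: 30 frames, one every 10 ms, frame 5 lost in transit.
N, INTERVAL, ONE_WAY, LOST, RTO, DEADLINE = 30, 10, 20, {5}, 200, 60

def compare():
    udp = summarize(udp_delivery(N, ONE_WAY, LOST), N, DEADLINE)
    tcp = summarize(tcp_tunnel_delivery(N, INTERVAL, ONE_WAY, LOST, RTO), N, DEADLINE)
    return {"udp": udp, "tcp_tunnel": tcp}

if __name__ == "__main__":
    for path, (missing, late, worst) in compare().items():
        print(f"{path:10s} missing={missing} late={late} worst_latency={worst}ms")
```

In this model the UDP path drops one frame and carries on, while the tunnel delivers every frame but stalls the stream behind the retransmission.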
Hope the info helps!