If you’re sitting on Omnissa Unified Access Gateway (UAG) 23.12 with Workspace ONE Tunnel clients 24.05, you’re in a common (and totally reasonable) place: stable, known-good, and old enough that newer security defaults, platform support boundaries, and client behaviors can surprise you during an upgrade.
This post walks through:
• what actually changes across newer UAG generations,
• where compatibility issues tend to show up (spoiler: not always where you expect),
• and a clean upgrade path from 23.12 → latest UAG plus 24.05 → latest Tunnel clients with minimal user pain.
⸻
The moving pieces you’re upgrading
In a typical Workspace ONE Tunnel deployment with UAG, you’re juggling:
1. UAG appliance version (your “edge”)
2. Tunnel service configuration on UAG (and any related auth/cert/TLS posture)
3. Tunnel client versions (Windows/macOS/iOS/Android/ChromeOS/Linux) distributed via UEM
4. Profiles / payloads (per-app vs full-device, proxy rules, domains, certs, etc.)
When you change (1), you often implicitly change (2) — and that’s where upgrade “compatibility” breaks tend to live.
⸻
What’s “latest” right now (and why it matters)
Omnissa’s UAG release notes catalog shows newer trains beyond 23.12, including 24.12, 25.03, 25.06, and 25.06.1. 
On the Tunnel side, Omnissa’s documentation hub continues to publish frequent client updates across platforms (with 2025 updates for several clients). 
So your upgrade isn’t just “one hop.” You’re effectively moving across multiple release trains, which is why a staged approach works best.
⸻
Key compatibility “gotchas” when moving off UAG 23.12
1) UAG 23.12 introduced security posture changes that can surface during upgrades
Omnissa called out security enhancements “in UAG 2312 and beyond,” along with remediation guidance for older settings/configurations. 
Why it matters: if your 23.12 deployment was tuned around older TLS/cipher assumptions or legacy settings, later releases can tighten defaults further—turning what used to be “fine” into handshake/auth issues.
Practical takeaway: plan a validation pass specifically for:
• TLS/cert chain correctness (full chain, intermediates)
• any custom SSL profiles / ciphers
• SAML/IdP flows (especially with modern browser policies)
2) Platform support boundaries can force infra upgrades first (vSphere/ESXi)
A notable line that has tripped people up: UAG 24.12 release notes indicate it supports vSphere 7.x and later only, tied to an OS change in the appliance. 
Practical takeaway: before you pick a UAG target version, confirm your hypervisor version. If you’re still on vSphere 6.7, you’ll need to address that first (or choose an older UAG ceiling intentionally).
⸻
What changes when you move from Tunnel client 24.05 forward
iOS: 24.05 introduced Full-Device Tunnel mode (MDM enrolled)
Starting with Workspace ONE Tunnel for iOS 24.05, Omnissa introduced Full-Device Tunnel mode on MDM-enrolled devices. 
Even if you don’t enable it, that release boundary is important because it signals a more modern split between:
• per-app tunneling behaviors, and
• device-wide tunneling use cases
Windows: later 25.x updates include “action required” style changes
Omnissa published guidance noting that beginning with Tunnel for Windows client 25.08, Rapid DTR becomes enabled by default and a one-time in-app sync may be required. 
Practical takeaway: for Windows fleets, plan user communications and staged rollout rings, because a “one-time sync” prompt is the kind of thing that spikes helpdesk volume if everyone hits it on the same morning.
⸻
A sane upgrade strategy (that avoids the classic outage pattern)
Guiding principles
• Separate appliance upgrades from client upgrades (don’t change everything in one maintenance window).
• Prefer parallel build + cutover over in-place upgrades for major train jumps.
• Treat certificates + TLS settings as first-class migration objects, not “we’ll see if it works.”
⸻
Recommended upgrade path: UAG 23.12 → latest UAG (25.06/25.06.1) + Tunnel clients → latest
Phase 0 — Preflight checklist (do this before touching anything)
1. Confirm platform compatibility
• Hypervisor: if you want to go to newer UAG trains, verify you meet the vSphere requirements highlighted for later versions (e.g., UAG 24.12+ requiring vSphere 7+). 
2. Inventory your “edge contract”
• External URL/FQDNs, VIP/LB behavior, ports
• Cert chain + renewal process
• Auth method(s): SAML, RSA, RADIUS, cert auth, etc.
• Tunnel use cases: per-app vs (any) full-device, platform coverage
3. Document current Tunnel profile behaviors
• Split tunnel rules, domains, proxy PAC, bypass lists
• Any app-specific exceptions users rely on
⸻
Phase 1 — Get to a modern UAG without changing the client fleet yet
Goal: Stand up the target UAG version in parallel and prove it can serve your existing clients.
1. Select target UAG train
• “Latest” currently includes 25.03 / 25.06 / 25.06.1 listed by Omnissa’s UAG release notes hub. 
• If you have strict change control, pick the newest patch in the train you’re standardizing on.
2. Deploy new UAG(s) in parallel
• Same sizing, same network zones, same LB pattern
• Import/mirror config via your standard method (PowerShell/REST/UI), but do not re-use old mistakes blindly—this is where you clean up old TLS/cert shortcuts.
3. Connectivity validation with current clients (24.05)
• Start with a small pilot group on each platform
• Validate:
• app reachability
• auth flow consistency
• idle/reconnect behavior
• DNS resolution through the tunnel
4. Cutover
• Prefer DNS/LB cutover over changing each device
• Roll back by flipping VIP/DNS back if needed
⸻
Phase 2 — Upgrade Tunnel clients in rings (now that UAG is stable)
Goal: Move from 24.05 to current clients with predictable user impact.
1. Define rollout rings
• Ring 0: IT + a few power users
• Ring 1: one department / one region
• Ring 2: broad rollout
2. Platform-specific “watch items”
• iOS: decide whether you’ll use Full-Device Tunnel (introduced in 24.05) or stay per-app; ensure your profiles match that intent. 
• Windows: plan comms around potential one-time in-app sync / Rapid DTR behavior in newer versions (noted for 25.08). 
3. Update profiles only when needed
• If you keep the same tunneling mode and routing rules, you can often upgrade the app without reauthoring the profile.
• If you switch modes (per-app → full-device) treat it like a mini-project: pilot, measure, expand.
4. Observe and iterate
• Look for: auth retries, DNS oddities, app-specific failures, battery/perf complaints (mobile)
⸻
Migration “quality of life” tips that prevent 2am surprises
• Don’t skimp on cert chain correctness. Most mysterious “handshake” incidents are just missing intermediates or mismatched cert/key pairs.
• Keep one “known-good” UAG 23.12 instance temporarily (powered off but ready) if your environment allows it—rollback becomes far simpler.
• Upgrade your monitoring along with the edge. If your log parsing assumes old formats/paths, you’ll feel blind right when you need visibility.
• Stagger Windows updates more slowly than mobile. Windows client changes tend to have the most “interaction required” edge cases.
⸻
I
Joseph Klimczak 
You must be logged in to post a comment.