VMware Workspace ONE Community
treverjackson
Contributor

Deploying Horizon Workspace with a Load Balancer

Morning All-

The VMware documentation is weak when explaining the proper way to install Workspace when using a Load Balancer. During the installation of the vApp I've given each VM a DNS entry on my internal network using Active Directory DNS, then I set the FQDN to be a public name that I want people to use outside the building. We're using split-horizon DNS so the VMs are named name@mycompany.local and the FQDN I set is name@mycompanycorp.com. I've created a virtual IP using our F5 LTM load balancer and associated it to a backend pool which consists of the gateway-va IP.

When I enter the FQDN.mycompanycorp.com it changes the name to gateway.mycompany.local during the setup wizard phase. This is where it gets interesting. On the Database Setup section I am now getting: "Error creating admin user. peer not authenticated".

I've redeployed the vApp about seven times now trying different options for FQDN (like mycompany.local) but nothing seems to fix it.

Has anyone had success with this yet?

18 Replies
pbjork
VMware Employee

You should specify the external URL as the FQDN during configurator CLI based setup. Before you start the web wizard part of the setup login as root on your configurator and run these commands:

On configurator-va, as root:

cd /usr/local/horizon/lib/menu/secure

./wizardssl.hzn --makesslcert gateway-va  <FQDN>

./wizardssl.hzn

Hopefully this will help..

treverjackson
Contributor

Thanks, but that doesn't appear to help. I am still getting the same error.


pbjork
VMware Employee

And is your split DNS set up properly? So internal users/the other appliances are able to access the Gateway using the FQDN? Did you change the port to something other than the default 443?

treverjackson
Contributor

Yes, our split DNS exists on the same AD infrastructure. It doesn't matter which zone I use, internal users can access both.

treverjackson
Contributor

I also did not change the port. Everything is set at defaults.

treverjackson
Contributor

Also, what is the intended use of the root CA file? Since I purchased my cert from a 3rd Party CA, I don't see the need for this certificate, yet the manual says to install it on the load balancer.

pbjork
VMware Employee

Then I don't really have more ideas.. A good time to have a look in the logs, can you upload the configurator.log?

treverjackson
Contributor

Thanks anyway. Hey, I loved your ThinApp book. Nice job.

pbjork
VMware Employee

Thanks! I'm glad you liked it.

Synergent
Contributor

I think I found the problem. In the configurator.log I found these entries:

Mar 18 2013 14:21:45.138 WARN  [tomcat-http--4] org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/cfg/wizard/horizon/images/loader-bar.gif] in DispatcherServlet with name 'appServlet'
Mar 18 2013 14:21:45.154 WARN  [tomcat-http--5] com.vmware.horizon.configurator.vm.remote.impl.AppManagerRemoteImpl - Trying to connect to service at: http://service-va.mycompany.local:8080/
Mar 18 2013 14:21:45.159 ERROR [tomcat-http--5] com.vmware.horizon.configurator.vm.remote.impl.AppManagerRemoteImpl - Error reaching service url
org.apache.http.conn.HttpHostConnectException: Connection to http://service-va.mycompany.local:8080 refused

I've seen this issue before, whereby on our Application Manager standalone instance Active Directory refused to sync because the insecure ports were disabled. Re-enabling the insecure ports fixed the AD sync issue, but in Horizon Workspace the Configure console menu option has been removed. I don't know how to manually enable the insecure ports.

sravuri
VMware Employee

@treverjackson

Are these the steps you performed?

1. Deploy vapp

2. Map both external hostname for vApp and internal gateway hostname to point to the same IP address (IP address of the gateway)

3. In the configurator console, specify FQDN as your external hostname for the vApp

4. Run the 4 steps described above to update the certs

5. Go to configurator web ui, and step through the wizard - fails on the db step.

Is this it? Is your environment as I am describing it? Did you do any other cert changes?

Synergent
Contributor

For step 2 no.

To be put behind our load balancer, namely an F5 LTM on v10.2.4, the load balancer requires its own virtual IP to accept connections on, and then it chooses from a pool of destination IPs you've entered to spread the load across. The FQDN horizon.mycompanycorp.com maps to the virtual IP 10.x.2.28 and the gateway itself has IP 10.x.2.91, with the name gateway-va.mycompany.local in DNS pointing at 10.x.2.91.

This is the same type of setup we used for our standalone Application Manager environment.

Synergent
Contributor

@sravuri

I went back and rewatched the recorded webinar you and Arvind gave for the Beta. In it, you mentioned having to install the public CA certificate on the gateway-va. I have installed it on the gateway as well but I am still seeing the error. Do you have any more suggestions?

schmidtl
Enthusiast

While reading this thread I had the idea that you may misunderstand each other on what split DNS is.

As far as I understand, Split DNS means that 'horizon.mycorp.com' is resolved to some external IP in the internet, and to a local (rfc1918) IP in the LAN.

Having this as a DNS setup, you set up the vApp _as well as the load balancer_ using the same FQDN (and as far as I know that's the only supported way for now).

treverjackson
Contributor

I see what you're saying and I did try that. The issue then becomes the connector-va. In order for it to join the domain and use ThinApps with Workspace the connector-va has to have the same domain suffix as the domain that it will be joining.

I just had a con call with one of the developers of Workspace. They're going to be sending me directions to get around this. I'll post whatever I get back.

pitch79
Contributor

Hi all,

As I played in the lab this week with Horizon Workspace and had some trouble installing it, let me share with you what I found.

Here is my DNS configuration on my internal DNS server:
configurator-va.mycompany.local resolved from the internal network to local IP 192.168.1.26
service-va.mycompany.local resolved from the internal network to local IP 192.168.1.27
connector-va.mycompany.local resolved from the internal network to local IP 192.168.1.28
data-va.mycompany.local resolved from the internal network to local IP 192.168.1.29
gateway-va.mycompany.local resolved from the internal network to local IP 192.168.1.30

The domain mycompany.com is managed outside.

FQDN for internet access is horizon.mycompany.com resolved from internet and from internal network with public IP.
I set up NAT routing, firewall rules and a reverse proxy (apache2) accordingly to redirect incoming https traffic to the "gateway-va" with IP 192.168.1.30.

During the installation on the configurator-va console, I was asked for the public FQDN, and I entered horizon.mycompany.com
So far so good.

I then launched the web configuration and during the database creation (local), I got the error  "Error creating admin user. peer not authenticated".
Well, I got stuck a while on that error message, until I created an entry on my internal DNS server for horizon.mycompany.com with the INTERNAL IP 192.168.1.30.
That solved my issue.
Perhaps it may be useful to be more explicit about these split DNS servers in the installation guide.

Please note also that, as I can't let the public entry horizon.mycompany.com on my internal DNS server with an internal IP (external domains SHOULD be managed from external DNS servers in my company), I had to remove this A-record quickly from my internal DNS server.
As a workaround, I added the line below to the /etc/hosts file of every Horizon Workspace virtual appliance:
192.168.1.30    horizon.mycompany.com
It seems to work for me, but this is only a workaround for my lab.

Hope this may help some people.

Regards,
Pierre

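A pre-flight check for the situation the thread describes, added here as an example (not VMware's tooling and not code from any of the posts): run from inside the internal network, it tells you whether the public FQDN resolves to gateway-va rather than to the load balancer, and whether the certificate presented on 443 actually names that FQDN. Hostnames and the gateway address are the placeholders used in the thread; the VIP address is constructed.

```python
import socket
import ssl

FQDN = "horizon.mycompany.com"   # public name given to the configurator as the FQDN
GATEWAY_IP = "192.168.1.30"      # internal address of gateway-va, as in the thread
LB_VIP = "192.168.1.10"          # constructed placeholder for the load-balancer VIP

def diagnose_resolution(resolved_ip, gateway_ip=GATEWAY_IP, lb_vip=LB_VIP):
    """Classify what the internal resolver returned for the public FQDN."""
    if resolved_ip is None:
        return "unresolved: add an internal A record or /etc/hosts entry for the FQDN"
    if resolved_ip == gateway_ip:
        return "ok"
    if resolved_ip == lb_vip:
        return "resolves to the load balancer: appliances must reach gateway-va directly"
    return "resolves elsewhere: check the internal split-DNS zone"

def name_matches(fqdn, pattern):
    """Exact match, or a single leading '*' that covers exactly one label."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == pattern[2:]
    return False

def cert_covers(fqdn, cert):
    """cert is the dict from SSLSocket.getpeercert(); SAN dNSNames first, CN as fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches(fqdn, n) for n in names)

def run_checks(fqdn=FQDN, port=443):
    # Live check: returns (resolution verdict, certificate verdict)
    try:
        ip = socket.gethostbyname(fqdn)
    except socket.gaierror:
        ip = None
    verdict = diagnose_resolution(ip)
    if ip is None:
        return verdict, "skipped"
    ctx = ssl.create_default_context()  # OS trust store: the 3rd-party chain must verify
    ctx.check_hostname = False          # the name check is done by cert_covers() so it can be reported
    try:
        with socket.create_connection((ip, port), timeout=5) as sock, ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError is an OSError: untrusted chain, refused port, timeout
        return verdict, f"handshake failed: {exc}"
    return verdict, "certificate names the FQDN" if cert_covers(fqdn, cert) else "certificate does not name the FQDN"
```

Run `run_checks()` on each appliance after the wizardssl.hzn step; a "resolves to the load balancer" verdict is the split-DNS gap pitch79 closed with the internal A record or /etc/hosts entry, and a "does not name the FQDN" verdict means the gateway certificate was generated for the internal name instead of the public one.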
robrie
Enthusiast

Hi,

do you guys have some new information about using Horizon Workspace with split DNS? We have the same issue and I am not really sure how to configure the FQDN.

regards,

rob
