VMware Workspace ONE Community
cdickerson75
Enthusiast

Horizon 1.5 change FQDN

When going through the initial setup wizard and entering the FQDN I am getting "Invalid IDP host/port". When I click on detail, the message says "Error when updating Connector with Federation IDP URL". I have gone through a fresh install twice now, and always have this error. The FQDN is fully resolvable. Any ideas? Thanks

-Craig

29 Replies
admin
Immortal

@Seb,

If you were taken back to edit page, it probably means everything went fine. Did you try accessing Horizon Workspace using the new FQDN?

Are you assuming here that something has failed and hence you looked into configurator logs?

~ Devang

0 Kudos
admin
Immortal

Hi,

Please consider the following as guidelines when configuring FQDN:

Scenario #1: Configuring with external load balancer.

Pre-requisites: The load balancer has appropriate certificates installed.

Steps:

1. Copy the Horizon Workspace RootCA on load balancer. RootCA can be accessed using the link available on FQDN/SSL page.

2. Configure the load balancer to forward requests to Gateway.

3. On the Configurator FQDN/SSL page,

   3.1 For "External Load Balancer", select YES option

   3.2 Provide the RootCA of your certificate that was installed on load balancer.

        Save. This should install the RootCA on all VMs and update FQDN.

Scenario #2: Configuring with splitDNS entries where FQDN and Gateway have same domain name.

Pre-requisites: You have custom wild card certificates.

Warning: Do not use "Auto Generate Certificate" option.

Steps:

1. On the Configurator FQDN/SSL page,

  1.1 For "External Load Balancer", select NO option

  1.2 For certificates section, select "Provide Custom" option

       Provide the wild card certificates and private key.

       Save. This should install the wild card certificate on Gateway and update FQDN.

If certificates expire, you can follow the above steps by entering new certificates. In this case, only certificates will be installed.

Scenario #3: Configuring with splitDNS entries where FQDN and Gateway have different domain names.

Follow the steps mentioned by Seb here http://communities.vmware.com/message/2274598#2274598

In this case, once you have installed Horizon Workspace, you can install your own certificates from Configurator FQDN/SSL page as:

On the Configurator FQDN/SSL page,

1. For "External Load Balancer", select NO option

2. For certificates section, select "Provide Custom" option

    Provide the wild card certificates and private key.

    Save. This should install the certificates on Gateway and FQDN will remain the same.

~ Devang

Seb1180
Enthusiast

@Shahd,

To be honest, no, I haven't tried accessing it, as I assumed that being taken back to the SSL - FQDN page where "use external load balancer" was still marked with NO meant that something went wrong. Even after a refresh it remains with NO. Will give it a try tomorrow morning.

Seb

0 Kudos
cdickerson75
Enthusiast

Just wanted to add my two cents since I started this mess (thread). :)

I too was able to use Seb's procedure and get my FQDN changed. My load balancer setting is set to NO. I have a HAProxy load balancer sitting in front of my gateway that has NO SSL certificates on it and it's directing traffic correctly. I am getting ready to add a 2nd Gateway server. One question I have is, how do you think I should set up the DNS A/PTR records for that 2nd gateway? Thanks

-Craig

0 Kudos
cdickerson75
Enthusiast

So decided to try this on my own, adding an additional gateway that is.  Here were my steps.

created dns a & ptr records for gateway-va.xxx.xxx

used Yast to change hostname on existing gateway VM to gateway-va.xxx.xxx (was my FQDN), rebooted gateway

on Configurator-va Admin UI noticed External Load Balancer auto changed itself to Yes  (NICE!)

created dns a & ptr records for gateway-va2.xxx.xxx

used "hznAdminTool addvm --type=GATEWAY --ip=x.x.x.x" on configurator-va VM

added 2nd gateway to load balancer

BOOM all is working perfect.  Hope this helps other people.

-Craig

Seb1180
Enthusiast

Just did the same. Got it up in no time and all green.

Nice one Craig.

Seb


0 Kudos
caddo
Enthusiast

I managed to change both the certificates and the external load balancer + FQDN.

In my test I managed to do it in 2 ways.

#1: Using the tip in this thread, I used the FQDN I wanted as the gateway-va name, then I changed the certificates as described in the documentation with the no load balancer option, then I moved the workspace FQDN in my DNS to point at the load balancer. I created new records in the DNS for the gateway-va (gateway01.something.local), then using YaST I renamed the gateway-va VM and rebooted. I then found the load balancer option already configured with a valid certificate.

#2: From the start I pointed the workspace FQDN to the load balancer, which was already configured with the cert I wanted to use; all workspace VMs had their own entry in DNS (gateway01, data01, ... etc). The load balancer redirects everything to the gateway-va. After completing the setup without changing anything regarding SSL and certs, I went to change the FQDN with load balancer and it all went well.

The reason why these procedures work and others don't is that when you change the FQDN there is a check that verifies that the new FQDN has a certificate that matches the URL in the common name of the certificate, so this has to be taken care of BEFORE you perform the change:

ERROR [tomcat-http--29] com.vmware.horizon.configurator.vm.remote.impl.ConnectorRemoteImpl - Error when updating Connector connector-15.vsphere.lab with new IDP Url. Response from server: "Hostname is invalid or not reachable". Could not connect to the URL. hostname in certificate didn't match: <gateway-15.vsphere.lab> != <workspace-15.myvirtualife.net>

This will throw the infamous "Invalid IDP host/port".

So, if you start with method #1 you already have it in place because it's generated during setup.

With method #2 you point at something else where you already applied a certificate with correct requirements.

Another way I tried was method #2 without a load balancer, where I would replace the self-signed certificate with another self-signed certificate with the new FQDN name I wanted before changing, just like I was describing for the 1.0 version in this blog post using the "wizardssl.hzn" command:

http://myvirtualife.net/2013/07/27/how-to-install-horizon-workspace-using-an-external-database/

This doesn't work because even if the new cert gets generated correctly, there are still some URLs (at least one) that show the old cert, and this makes the FQDN change fail.

In the coming days I will write an extensive tutorial about how to implement solutions #1 and #2.

If you are interested, subscribe to my blog to be notified when I publish it: http://myvirtualife.net

As load balancer I use HAProxy with SSL offload. I will also post instructions about how to build that, I just need some days since I'm still on holiday 😉

0 Kudos
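Added example, not part of the original posts and not VMware code: a pre-flight check in Python for the certificate/hostname comparison described in the post above, so the mismatch can be found before the FQDN change is attempted. The function names are hypothetical, the sample certificates are constructed from the host names in the quoted log line, and subjectAltName entries are checked before the common name, as current TLS clients do.

```python
import socket
import ssl

# Constructed samples in ssl.getpeercert() format; names come from the log line above.
GATEWAY_CERT = {"subject": ((("commonName", "gateway-15.vsphere.lab"),),)}
WILDCARD_CERT = {  # constructed wildcard certificate for the gateway's domain
    "subject": ((("commonName", "*.vsphere.lab"),),),
    "subjectAltName": (("DNS", "*.vsphere.lab"),),
}


def names_in_cert(cert):
    """DNS names a certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, fqdn):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, fqdn):
    """True if any name in the certificate matches the FQDN you plan to set."""
    return any(name_matches(name, fqdn) for name in names_in_cert(cert))


def fetch_cert(address, fqdn, port=443, cafile=None):
    """Fetch the certificate served at `address` when asked for `fqdn` via SNI.

    The chain is still verified (pass your RootCA as cafile); only the built-in
    hostname check is disabled so the mismatch can be reported, not just raised.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (GATEWAY_CERT, WILDCARD_CERT):
        print(names_in_cert(cert), cert_covers(cert, "workspace-15.myvirtualife.net"))
```

Against a live gateway or load balancer, pass the result of `fetch_cert(address, new_fqdn, cafile=...)` to `cert_covers` before saving the new FQDN in the Configurator.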
souhil
Enthusiast

I'm having the exact same issue. I really need help with changing the FQDN. I'm using nginx as the load balancer and when I try to update the FQDN and upload the rootCA (Comodo), it's not working, with the message "host cannot be reached."

0 Kudos
Agryppa
Enthusiast

Hi!

I was able to easily change the FQDN. The second method from the blog MyVirtualLife.net works without a problem.

@souhil "host cannot be reached" <-- no valid PTR in DNS !!!

Regards!

0 Kudos