VMware Horizon Community
VirtualSven
Hot Shot

Replace default certificate used by HTML Access agent

When I want to use HTML5 access to virtual desktops, I have the option to tunnel the HTML5 traffic through a connection server or security server, or I have the option to allow HTML5 access directly to the desktop. When I tunnel the traffic, the certificate of the connection server or security server is used, but when I don't want to tunnel the traffic, a self-signed certificate is used to secure the connection to the desktop. The user is getting a message that the connection is untrusted (because of the self-signed certificate). If I read this: http://www.vmware.com/pdf/horizon-view/horizon-html-access-document.pdf it says I can replace the self-signed certificate, but I need to replace it on each desktop individually! This means I can't replace the certificate in the golden image, which I use to create the linked clones. Is there a way to automate the replacement of the self-signed certificate for HTML5 Access, or can/should I use a wildcard certificate in the golden image?

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
7 Replies
Gaurav_Baghla
VMware Employee

A wildcard should be a better option, as the certificates get issued to the computer and using it on the parent might not help. A wildcard is a good approach.

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
BGulentz
Contributor

Hello,

I had the same problem. I changed the certificate on some VMs to one issued by our PKI. But... if I connect to the desktop, I see that the URL for the connection contains the IP address of the VM, and so I get a certificate error because the certificate was issued to the machine name. So I think certificates issued with wildcards do not work for you.

Please let me know if I am wrong.

Thank you

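The hostname-validation rule behind the error described in the post above, as an added example that is not from this thread or from VMware: a small Python check of whether a certificate's subject alternative names would be accepted by a browser for the host that appears in the HTML Access URL. A wildcard dNSName never matches an IP literal; an IP in the URL only validates against an iPAddress SAN. The wildcard name, the address and port 22443 are constructed sample values (22443 being the default Blast port, an assumption not stated in the thread).

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one dNSName SAN against a DNS host name.
    A wildcard is honoured only as the entire leftmost label, covers exactly
    one label, and never matches an IP address."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if _is_ip_literal(host):
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ("w*.") or nested wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no "*.com", and "*" spans exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers_url(san_dns, san_ip, url: str) -> bool:
    """Would a browser accept a cert with these SANs for the host in url?"""
    host = urlsplit(url).hostname or ""   # lowercased, IPv6 brackets stripped
    if _is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    return any(dns_name_matches(p, host) for p in san_dns)


# Constructed sample data (not from the thread): (dNSName SANs, iPAddress SANs)
WILDCARD_CERT = (["*.vdi.example.com"], [])
MACHINE_CERT = (["desktop01.vdi.example.com"], ["10.0.0.5"])
URL_BY_NAME = "https://desktop01.vdi.example.com:22443/"
URL_BY_IP = "https://10.0.0.5:22443/"

if __name__ == "__main__":
    for label, (dns, ips) in (("wildcard", WILDCARD_CERT), ("machine", MACHINE_CERT)):
        for url in (URL_BY_NAME, URL_BY_IP):
            print(f"{label:8s} cert vs {url}: {cert_covers_url(dns, ips, url)}")
```

Running it shows the wildcard certificate passing only for the DNS-name URL, which is why forcing the Blast URL to use the DNS name matters as much as which certificate is installed.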
Gaurav_Baghla
VMware Employee

Any DNS issues?

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
pricemc1
Enthusiast

I believe you are correct that the Blast connection is made using the IP address assigned to the View desktop. When I looked at the URL, it seems to attempt to use the IP address. I was just curious if anyone has managed to find a workaround that tells it to use the DNS name instead?

pricemc1
Enthusiast

Right after adding to this thread asking about this, I noticed there is a GPO setting "Connect using DNS Name" that can be applied to force the Blast connection to use DNS instead of IP. With that being said, a wildcard cert added to the linked-clone source VM and configured to be used for Blast should work.

Reference the following KB for information on the GPO:

VMware KB: When connecting to a View virtual machine using Blast, SSL Session is invalid

Reference the Horizon HTML Access docs for information on how to change the cert on the linked-clone source VM (section titled "Configure HTML Access Agents to Use New SSL Certificates"):

https://www.vmware.com/pdf/horizon-view/horizon-html-access-document.pdf

If you are using View 6.1 (as I am), then you have to do this differently because that GPO setting has been removed. Reference the bottom of the page in the following online 6.1 doc:

View Agent Configuration ADM Template Settings

Exact procedure listed here:

Give Preference to DNS Names When View Connection Server Returns Address Information

I haven't tried this myself yet but I will in the next few days and try to report my results.

chucks0
Enthusiast

This setting does not appear to have any impact on how the HTML Access client connects. The web browser still attempts to connect to the VM using an IP address rather than a DNS name. I have a ticket open with VMware on this issue, but haven't made any progress.

mkowins
Contributor

I'm looking into this as well. Any updates from support?
