VMware Horizon Community
tjbailey
Enthusiast

Issue connecting via Blast when not using Blast Secure Gateway

We have a new View 6.1 environment up and everything works perfectly except when connecting via Blast.  On our internal Connection Servers the only way that I can successfully connect via Blast through an HTML5 browser is by having the "Use Secure Tunnel connection to machine" and "Use Blast Secure Gateway for HTML access to machine" checkboxes checked.  When I uncheck them I receive the following error when attempting to connect to a pool:

Your desktop has been disconnected.

Attempting to reconnect to desktop...

Your desktop may have an untrusted security certificate. Click here to accept the security certificate, then try connecting to your desktop again.

Looking at the Connection Server debug log I see the following errors:

startSession failed, protocol error PROTOCOL_ERR_FAILURE

Error_Event:[BROKER_POOL_PROTOCOL_UNAVAILABLE] "Unable to launch from Pool ****** for user ******:  There were no machines available that reported protocol [BLAST] as ready": ProtocolId=[BLAST], SessionType=DESKTOP, Module=Broker, UserDisplayName=*******

User ****** could not be connected to existing session for launch item ******* does not support protocols [BLAST]: The requested protocol is unavailable at this time

Application launch failed, exception was: The display protocol for this desktop is currently not available. [NAME=BLAST, ERROR-CODE=PROTOCOL_ERR_FAILURE]

The "VMware Blast" service is running within the VMs in the pool and when I check those two boxes within the Connection Server configuration I'm able to successfully connect via the Blast protocol.

Anyone have any thoughts?

Accepted Solutions
pchapman
Hot Shot

Yea, you're on the right track.  If you want to connect with Blast Secure Gateway disabled on the Connection Server (which is required when using Access Point/UAG instead of a security server), you need to set Horizon up to connect via DNS name instead of IP (ADSI Edit setting), as well as place a wildcard cert on each of the desktops and bind it to the Blast service.  It's a pain in the butt, but it has to be done.

12 Replies
lirick
VMware Employee

Try to configure a certificate for your agent desktop by following the guide.

pricemc1
Enthusiast

Thanks for that utterly useless reply. Any chance you could list the document and page number for the section you are referring to or put in a link to it since all the documentation is online? Even better, maybe describe what you think the issue is and then reference the doc section or describe the fix directly, saving everyone the time of having to guess what you mean?

lmoglie
Enthusiast

Same issue here, any suggestion from VMware? It happened after I upgraded VMware View 5.2 to Horizon 6.1.

SpKSE
Contributor

Looking for an update on this issue. Has anyone been able to resolve it?

lirick
VMware Employee

Oh, looks like my reply was too simple. Don't worry, let me say something more about it.

With Blast Secure Gateway (BSG) disabled, you connect to your agent desktop directly, bypassing the Connection Server, that is:

BSG enabled: Client -> Connection Server -> Agent desktop. In this path, your server certificate will be used.

BSG disabled: Client -> Agent desktop. You will be connected to the agent desktop directly and the certificate for the agent will be used. That you can't connect to the agent desktop with BSG disabled should be because you didn't configure the agent desktop to use a certificate.

You can refer to page 13 of the guide below, which is very detailed, section: Configure HTML Access Agents to Use New SSL Certificates

https://www.vmware.com/pdf/horizon-view/horizon-html-access-3x-document.pdf

Hope it helps.

pricemc1
Enthusiast

Thanks. A much more concise, educational, and useful reply.

elgwhoppo
Hot Shot

I'm also getting this message, except when using the BSG on a security server from outside with 6.1.1. The BSG gateway certificate is signed properly and functioning. The Blast component is installed as a feature of the 6.1.1.2769635 View agent.

The error message would lead me to believe the self-signed certificate on the desktop is not being accepted, but I'm not sure why that should matter when connecting from outside, which should be tunneled through the BSG.

VCDX-Desktop
erickbm
Enthusiast

I was able to resolve this by following this KB:  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=205664...

I know it's not the same error, but clearing the SslHash entry and restarting the VMware Blast service fixed it for me.

Erick Marshall vExpert 15/16, VCAP-DTA, VCPx3, MCSE, MCITPx2, MCSAx2, MCTSx3, MCPx2, A+, Network+, UCP
tjbailey
Enthusiast

I know this is a really old article, but I think I'm on to something.  We're in the process of migrating to Horizon View 7.2 (maybe .3 yet I'm a little leery of being so bleeding edge) and still have this issue even in a completely new View environment.  I have a ticket opened with VMware because I really don't want to continue this way in our new environment, but I found this:

When connecting to a View virtual machine using Blast, SSL Session is invalid (2088354) | VMware KB

When accessing via Chrome I'm prompted whether I want to trust the site (IP address of the VDI session on port 22443) before going through (and ultimately failing to connect).  I'll keep updating on our new findings in hopes of finding a solution this time.

pchapman
Hot Shot

Yea, you're on the right track.  If you want to connect with Blast Secure Gateway disabled on the Connection Server (which is required when using Access Point/UAG instead of a security server), you need to set Horizon up to connect via DNS name instead of IP (ADSI Edit setting), as well as place a wildcard cert on each of the desktops and bind it to the Blast service.  It's a pain in the butt, but it has to be done.

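
Why the wildcard cert only helps once Horizon hands out DNS names instead of IPs, as an added example that is not part of the original posts or VMware tooling: a browser-style name check plus a live TLS probe of the desktop's Blast port (22443, as mentioned in the thread). The host names and addresses used with it are constructed placeholders, and the probe assumes the issuing CA is in the system trust store.

```python
import ipaddress
import socket
import ssl


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_covers(target: str, san_dns, san_ips=()) -> bool:
    """Would the cert's subjectAltNames cover the address the client dialled?"""
    if is_ip(target):
        # IP targets are compared only with iPAddress SANs; wildcards never apply.
        t = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(i) == t for i in san_ips)
    return any(dns_name_matches(p, target) for p in san_dns)


def probe_blast(host: str, port: int = 22443, timeout: float = 5.0) -> str:
    """TLS handshake with normal verification; returns 'ok' or the verify error.

    Network errors (refused, timeout) propagate as OSError.
    """
    ctx = ssl.create_default_context()   # system trust store (assumption)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

Running `probe_blast` against a desktop by IP and then by its DNS name shows the same difference the browser sees when the Connection Server redirects it to the agent.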
tjbailey
Enthusiast

Yep, that was indeed it.  Added the wildcard cert to the gold image following page 13 of this document:

https://www.vmware.com/pdf/horizon-view/horizon-html-access-3x-document.pdf

We then made the change via ADSI edit via these instructions:

https://pubs.vmware.com/horizon-7-view/index.jsp?topic=%2Fcom.vmware.horizon-view.installation.doc%2...

Deployed the new image and we're all set in our 7.2 environment (at least for internal access...still working on the external access issues through UAG).  Unfortunately VMware support was little to no help with this.

pchapman
Hot Shot

What issues are you having with the UAG?
