VMware Horizon Community
MikeNox
Enthusiast

Certificate issue connecting to VDI.

In a new Horizon 7.5 deployment, we have configured load-balanced UAGs for external access pointing to load-balanced connection servers.  All the certs seem to be in place.  I am using split DNS, with external pointing at the UAGs, internal pointing at the connection servers.

From external, there are no certificate errors when connecting using the view client or html.  Everything works as expected.

From internal, there are no certificate errors when using the view client.

From internal, when using HTML, there are no certificate errors until the desktop is selected.  On initial connection to the VDI it shows the VDI's IP address, port 22443.  Since there is no certificate matching the IP address, there is a certificate error, which can be accepted.  After acceptance, the URL flips back to the connection server load-balanced URL (what the user used to connect to Horizon) and the cert is accepted.

I'm wondering if it is because on the Horizon connection server, View Configuration, Servers, Connection Servers, Edit, General Tab, to use the UAG with reverse proxy, I need to uncheck all the external URL boxes.

This issue goes away if I point the internal (of the split DNS) to the internal IP of the UAG load balancer, but I am concerned about traffic and sending internal traffic to the DMZ to come back in.

All certs used are public and there is no internal CA.

0 Kudos

Accepted Solutions
BenFB
Virtuoso

The issue is that the self-signed HTML Access cert that is generated when the Horizon Agent is installed is being presented to the client. I know of three ways to solve this.

  1. Send all internal users to the UAG where the Blast Secure Gateway (BSG) on the UAG will proxy the connection.
  2. Stand up another set of connection servers just for internal access with the BSG enabled (A UAG cannot be pointed to these).
  3. Replace the certificates on each machine with the Horizon Agent installed.

Configure HTML Access Agents to Use New TLS Certificates

When connecting to a View virtual machine using Blast, SSL Session is invalid (2088354)


4 Replies

MikeNox
Enthusiast

Thanks, that is what I suspected was going to be the response.  Unfortunately, a wildcard is not really an option, so that leaves dedicated Connection servers or putting everyone through the UAGs.

Thanks again.

0 Kudos
BobbyST
Contributor

Set the Certificate Thumbprint in the Windows Registry

To allow the VMware Horizon HTML Access Agent to use a CA-signed certificate that was imported to the Windows certificate store, configure the certificate thumbprint in a Windows registry key. Use this step on each desktop on which you replace the default certificate with a CA-signed certificate.

Prerequisites: Verify that the CA-signed certificate is imported into the Windows certificate store. See Import a Certificate for the VMware Horizon HTML Access Agent into the Windows Certificate Store.

Procedure:

  1. In the MMC window on the Horizon View desktop where the VMware Horizon HTML Access Agent is installed, navigate to the Certificates (Local Computer) > Personal > Certificates folder.
  2. Double-click the CA-signed certificate that is imported into the Windows certificate store.
  3. In the certificates dialog box, click the Details tab, scroll down, and select the Thumbprint icon.
  4. Copy the selected thumbprint to a text file. For example: 31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e
     Note: When you copy the thumbprint, do not include the leading space. If you inadvertently paste the leading space with the thumbprint into the registry key in Step 7, the certificate might not be configured successfully. This problem can occur even though the leading space is not displayed in the registry value text box.
  5. Start the Windows Registry Editor on the desktop where the VMware Horizon HTML Access Agent is installed.
  6. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
  7. Modify the SslHash value and paste the certificate thumbprint into the text box.
  8. Restart the VMware Blast service to make your changes take effect.
     Note: In the Windows guest operating system, the service for the VMware Horizon HTML Access Agent is called VMware Blast.

When a user connects to a desktop through VMware Horizon HTML Access, the VMware Horizon HTML Access Agent presents the CA-signed certificate to the user's browser.
0 Kudos
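
One way to script the SslHash procedure from the reply above, as an added example that is not part of the thread or of VMware's documentation: it strips the stray leading character the note warns about, confirms the certificate is usable, writes the value, reads it back and restarts the service. It assumes an elevated PowerShell session on the desktop, that the registry value takes the space-separated form shown in the post, and that you pass your own thumbprint in place of the post's example value.

```powershell
# Added example, not VMware's script. Run elevated on the desktop with the Horizon Agent.
param(
    # Default is the example thumbprint from the post, with the problematic leading space.
    [string]$RawThumbprint = ' 31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e'
)

$ErrorActionPreference = 'Stop'

# Keep only hex digits: this drops leading/trailing spaces and any invisible
# characters picked up when copying from the certificate dialog.
$hex = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hex.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($hex.Length) digits."
}

# The certificate must already be in Certificates (Local Computer) > Personal.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $hex }
if (-not $cert) { throw "No certificate with thumbprint $hex in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Write the value in the form the post shows: lowercase pairs separated by
# single spaces, with no leading space (assumption: this is the expected form).
$value = (($hex.ToLowerInvariant() -split '(..)') -ne '') -join ' '
$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'
Set-ItemProperty -Path $key -Name 'SslHash' -Value $value

# Read back and compare so a mismatch is caught before the restart.
$stored = (Get-ItemProperty -Path $key -Name 'SslHash').SslHash
if ($stored -ne $value) { throw "SslHash read-back mismatch: '$stored'" }

# The post gives 'VMware Blast' as the service's name in the guest OS.
Get-Service -DisplayName 'VMware Blast' | Restart-Service
"SslHash set to '$stored' for $($cert.Subject)"
```

Because the desktop is reached by its own name or address on port 22443, the browser warning only goes away if the certificate's subject alternative names cover whatever the client connects to.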
ahmadi832
Contributor

Not solved with your solutions!!

0 Kudos