Hello,
I recently deployed two UAGs and a load-balancer to connect to my Horizon infrastructure like this:
I have correctly generated the different certificates for my load-balancer (NGINX) as well as the 2 UAGs and this does not cause any problems when connecting from HTML Access.
My problem occurs when I try to connect from the Horizon client. I get a certificate error (sorry my client is in French):
It says, "View Connection Server authentication failed. The tunnel server presented a certificate that does not match the expected certificate. Contact the View administrator."
I have found that I can get around this problem by changing the client security settings when I add the ability for the client to check the PKI of the certificate instead of the thumbprint. As soon as I check the thumbprint, it gives me the error.
Do you have a solution for my problem?
I thank you in advance!
Regards,
Ciao
Hi,
From your description of the problem, you indicate that on the UAG and on the NGINX LB you have installed different certificates. Instead, they should be the same (e.g. the same wildcard certificate).
Can you post the nginx .conf file?
Hi, thanks for your answer.
Yes I currently have generated 3 different certificates: one for LB, one for UAG #1 and one for UAG #2
Here is an extract from my nginx.conf:
```nginx
stream {
    upstream vdi_ssl {
        hash $remote_addr;
        server uag-1.example.com:443;
        server uag-2.example.com:443;
    }
    server {
        listen vdi.example.com:443 ssl;
        ssl_certificate /etc/ssl/vdi.example.com.pem;
        ssl_certificate_key /etc/ssl/vdi.example.com.key;
        ssl_preread on;
        proxy_pass vdi_ssl;
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_session_reuse on;
        proxy_ssl_certificate /etc/ssl/vdi.example.com.pem;
        proxy_ssl_certificate_key /etc/ssl/vdi.example.com.key;
        proxy_timeout 20m;
    }
}
```
Thanks in advance
Regards,
Faustin
Hi,
Have you activated the tunnel in the CS configuration?
Can you share a screenshot of your connection server settings in Horizon console?
Hi,
The tunnel is not activated at the CS but at the UAG level.
Here are the settings:
Regards,
Faustin
Thanks. On UAG, this tunnel setting is only used for RDP, USB, and multimedia redirection (MMR) traffic.
I would disable it as it could bring issues with nginx, which acts as a reverse proxy and would present its own certificate rather than the UAG one. And this tunnel setting is not used for HTML Access; this can be why HTML works fine.
Ciao
I suggest using the same certificate for the UAGs and LB.
Fabio
Hi, thanks for your message.
I just disabled the tunnel and it seemed to work so far. But the problem persists: I don't get any message when I connect to the server but as soon as I want to connect to a virtual machine the connection is interrupted. I tried to switch back to PKI certification and it works.
Do you have an idea?
It says "Failed to load" & "Connection to remote computer ended."
Thanks in advance.
Regards,
Hello, I just tried to use the same certificate for the UAGs (only internet interface) and the LB and it finally works correctly! Your two answers @vDruid & @fabio1975 helped me to get something working. Thanks a lot!
Have a nice day!
Regards,
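
A check for the condition that resolved this thread (the load balancer and both UAGs presenting the same certificate), added here as an example and not posted by any participant: it reads the leaf certificate each endpoint presents and compares thumbprints. The function names and the choice of SHA-256 are assumptions; the hostnames are the ones from the nginx.conf extract above.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, sni=None, timeout=5.0):
    """Return the DER-encoded leaf certificate that host:port presents."""
    ctx = ssl.create_default_context()
    # Validation is disabled on purpose: the goal is to read whatever
    # certificate is presented, not to decide whether to trust it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint(der, algo="sha256"):
    """Colon-separated uppercase digest of the DER bytes (SHA-256 assumed)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_thumbprints(lb, backends, fetch=fetch_leaf_der, sni=None):
    """Map every endpoint to (thumbprint, matches_load_balancer)."""
    expected = thumbprint(fetch(lb, sni=sni))
    report = {lb: (expected, True)}
    for host in backends:
        seen = thumbprint(fetch(host, sni=sni))
        report[host] = (seen, seen == expected)
    return report


def mismatched(report):
    """Endpoints whose certificate differs from the load balancer's."""
    return sorted(host for host, (_, same) in report.items() if not same)


if __name__ == "__main__":
    # Hostnames are the ones in the nginx.conf extract; the public name is
    # sent as SNI to every endpoint so each is asked for the same site.
    result = compare_thumbprints(
        "vdi.example.com",
        ["uag-1.example.com", "uag-2.example.com"],
        sni="vdi.example.com",
    )
    for host, (tp, same) in result.items():
        print(f"{'OK      ' if same else 'MISMATCH'} {host} {tp}")
    raise SystemExit(1 if mismatched(result) else 0)
```

Run it from a machine that can reach both the load balancer and the UAG internet-facing interfaces; a non-zero exit status means at least one UAG presents a different certificate from the load balancer.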
