Thanks for your reply - I'm aware of the KB but that config is something I'd like to avoid - using wildcard certificates for desktops and configuring view to access agents via DNS name isn't really palatable - I'd just like to get 8.2 to behave in the same way 7.12 was in terms of connection server html5 tunnelling and F5 LTMs.

I saw the release notes, and admittedly reading 'the forwarding rules for HTTP requests.....have changed..' certainly seems relevant, but the frontServiceWhitelist config just disables the admin console on a connection server, it doesn't seem related to html5 blast tunnelling.

Sorry for the delay with this - I retried disabling this on the http client profile (the one the iApp creates), and also setting the client profile to 'none' on the LTM, but I still get the cert warnings.

Trying to follow up with F5 support now - will report back if I find anything useful.

Hi,

we tested it on our environment and it works for us!
We only had to switch "insert x-forwarded-for" to disabled (see the screenshot attached). No certificate issue anymore via html access.

But with these change we don't see the correct "ViewClient_Broker_Remote_IP_Address" anymore. 


I don't understand what VMware changed in this release why the html access ist not working as it was before.
I hope the F5 support can find something on your site. 

Look forwar to hear from you.

My bad!  Looks like someone disabled tunnelling on one of the connection servers in the pair in between testing.

Just went back to double check the config and it works!

Thanks to all involved.  Will reach out to F5 to see if they'll consider updating their iApp to reflect these changes - doesn't look like it's been updated in a while.

Reopening this for discussion if possible - while I follow up with F5 re: iApp configuration - anyone know from within VMware why disabling this feature would allow the connection servers to start correctly / selectively tunnelling for html5 again?  And why this is a change in Horizon 8.x ?

Not an expert, but I all I thought x-forwarded-for did was just send the client IP to the web server, for logging / auditing purposes etc.  Why would the connection servers break tunnelling if F5 sent this info?

Hi mrstorey303,

I had open a ticket by vmware SR 21229591306 but they weren't aware about any changes in Horizon 8 with HTML access.

I got this answer...

1, When horizon view connection server is in use for direction connection , Horizon view Client to VDI traffic is going through Horizon view server . As per vmware documentation, HTML gateway configuration will be works only when connecting directly to Horizon view connection server. On this scenario, Horizon view server presents certificate to view client.

2. When Traffic is using F5 , Horizon view html client should receive certificate from F5 and not from view VDI desktop.  Horizon view connection servers html gateway will not  be used when connecting to VDI using load balancer. We may need engage F5  support on issue to see , why horizon view client is not receiving certificate from F5 when VDI session using f5

------------------
Why does nobody else run in this issue after upgrading/installing Horizon 8?
I don't think that this is only an F5 loadbalancing issue.

I actually have this issue in Horizon 7.13.1 using iApp version 1.5.9.  The fix mentioned above also fixes the issue for me.  

Reply from F5 support:

re: x-forwarded-for:

- This is an application requirement and depends on the application itself. The BigIP unit only inserts the client's IP address as a header for the application to be aware of source of connectivity and requests.

re: why would disabling x-forward-for make a difference anyway?

- This is something that VMWare team will have to explain. Browsers identify themselves with "agent data", so application should have no problems identifying them as such.

re: are F5 going to fix / update the iApp

- If there is an issue with new Horizon version that needs to be fixed, VMWare will provide a fix/patch/workaround.

@wing523 - do you have any detail on why disabling x-forwarded-for is actually required for selective tunnelling to work on recent horizon versions?  Appears there is a bit of finger-pointed regarding why the issue occurs, and who's responsibility it is to fix.

Thanks

To further this - we're also finding that having x-forwarded-for enabled on the our F5 also prevents DEM smart policies from being able to detect the gateway location (ie internal / external).

This is preventing policy based cut / paste operations from working, ie we want 'internal' users to have inbound+outbound cut and paste, and disabled for external.

Anyone else seeing this?

Hi,

I have to check this in our environment.
But what I could see that the "ViewClient_Broker_Remote_IP_Address" is not our thinclient anymore. It's not always the load balancer IP.
I don't need at the moment a smart DEM policy to check internal/external access.

But everyone who is using VMware vIDM/Workspace should have trouble if they can't decide between internal an external access.

Maybe I will try to contact our VMware TAM. It's funny that VMware will not fix it and blames F5 for fixing the issue.

Hi,

we upgraded yesterday our enviroment from Horizon 2103 to 2111. 
Now the Horizon HTML access works via F5 loadbalancer and Connection Server tunneling without certificate issue anymore!

We changed nothing on the Loadbalancer. Thanks VMware for fixing it!