epa80
Hot Shot
Hot Shot

Horizon HTML Landing Page - All White

We recently upgraded to Horizon 7.8 and are trying to implement HTML access for the first time. We're an F5 shop for load balancing, and seem to be running into a problem when going through the load balanced address. In a nutshell:

We have two 3.6 UAGs in our DMZ. They are under a load balancer. The UAGs are each pointed at a secure network load ba;ancer address that has our connection servers behind it. In terms of brokering with the Horizon client, we have no issues. Works fine. However, when we point our browsers (tried Chrome and Firefox) at the UAG load balancer, we get to this page fine:

pastedImage_0.png

However, as soon as we click "VMware Horizon HTML Access", we progress to a page that is all white. That's it. No error, nothing, just a blank white web page. If I point my browser directly at each UAG, I get the same behavior. If I bypass the UAG, point directly at the brokers, I get expected behavior: I can login and get a VM.

The UAG radio button for allowing HTML access is indeed set. We also modified the Locked.Properties file a bunch of different ways using these 2 KBs, but, without luck. We're a bit stuck for now. Hoping someone has seen something similar.

Allow HTML Access Through a Load Balancer

Allow HTML Access Through a Gateway

32 Replies
epa80
Hot Shot
Hot Shot

Our 1st fix attempt didn't pan out. We discovered that 443 was opened between the UAGs in the DMZ and the Brokers in the secure network, but only via their load balancer, not the individual brokers. We had the firewall team open it to all the brokers, which they did, yet the issue remains. Looking now for a different solution.

One new update: we found that the behavior has a slight alteration. When we click "VMware Horizon HTML Access" and get to that blank page, it isn't PERMANENT. It actually eventually does get to the login page, it just takes minutes to do so (I've seen up to 10 as low as 6). I'm wondering if we could have a routing issue.

0 Kudos
ap_idb
Enthusiast
Enthusiast

Do you have your static routes correct? This could be a dumb question, as you would need to have that to route to your Horizon Connection Servers. HTML Blast needs more ports though, try this:

Firewall Rules for HTML Access

0 Kudos
epa80
Hot Shot
Hot Shot

We think we found the issue. There's a faulty health check out on the F5s that we think needs to be resolved. We're looking to modify it Tuesday, tomorrow, and test it again. We're pointing load balancers at load balancers at load balancers and one is being marked down erroneously. Almost positive this will end up being it.

I'll update the thread with the results.

0 Kudos
krogerkiran
Contributor
Contributor

I had the same landing page - all white issue and i was waiting for the quick update to resolve this issue very soon.

Thanks in advance.

Kroger Kiran - Krogerfeedback

0 Kudos
epa80
Hot Shot
Hot Shot

Unfortunately we were mistaken. We had our F5 guy change the health check to actually make it show as up, eliminating the possibility that F5 marking it down was causing the hang up, but, no luck. We still had the issue.

We're still looking into it.

0 Kudos
BeeBop
Contributor
Contributor

epa80​ Did you ever find a resolution to this?

We're having the same problem. Same F5 config with UAGs and Connection Servers behind VIPs.

0 Kudos
rgriffin47
Contributor
Contributor

Same as the other user, did you ever figure out a solution to this? We have been bashing our heads against this exact same scenario.

0 Kudos
BeeBop
Contributor
Contributor

Still bashing our heads over here.

I've isolated it do a specific issue between passing traffic to the F5 Connection Server VIP from the UAG. If I pass traffic directly from the UAG to the Connection server, everything works fine.

0 Kudos
epa80
Hot Shot
Hot Shot

I hate to say it but no, we haven't resolved it yet. We know it has something to do with our F5 config, but, we haven't had time to really dig back into it. We have an upgrade coming soon to go to Horizon 7.10 or 7.11 where we plan to build new F5 LBs, and I plan to have this working right out of the gate. I can update the thread then.

0 Kudos
sjesse
Leadership
Leadership

Review this if you haven't seen it

DevCentral

there is a link to a pdf as well as the way f5 would configure it. For alot of people its the orgincheck that breaks things.

0 Kudos
markbenson
VMware Employee
VMware Employee

Look in the Connection Server debug log file and search for the word "origin". If you see errors relating to origin checks then you can fix it with the update to locked.properties.

0 Kudos
rgriffin47
Contributor
Contributor

Yes, that was one of the first things we hit upon. We have origin checks disabled on both connection servers but still have this issue. I'm all but positive it has something to do with how the F5 is handling the connections, because if I target the UAG(s) directly HTML access works just fine (if it was origin related, I would expect the connection server to still not like it).

0 Kudos
jonathanjabez
Hot Shot
Hot Shot

  1. Create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server host.For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
  2. Add the balancedHost property and set it to the address of the load balancer.For example, if users type https://view.example.com in a browser to reach any of the load-balanced Horizon 7 servers, add balancedHost=view.example.com to the locked.properties file.
  3. Save the locked.properties file.
  4. Restart the Connection Server service or security server service to make your changes take effect.
0 Kudos
sjesse
Leadership
Leadership

He's already done this, its one of the links he has in the original post, its the same one you copied this from.

0 Kudos
sjesse
Leadership
Leadership

What f5 os are you using, I just stood up a 7.10 environment behind our f5 loadbalanacers and I'm not seeing this. Its why I shared the link from before, we followed that to the letter and so far haven't found any issues.

0 Kudos
jonathanjabez
Hot Shot
Hot Shot

Sorry Sjesse. I didn't notice it properly. But we had a similar issue in one of the VDI implementations and resolved the issue by adding balancedHost parameter with the Load Balancer FQDN in locked.properties file.

0 Kudos
markbenson
VMware Employee
VMware Employee

Look in the Connection Server debug log file and search for the word "origin". Do you see any entries?

0 Kudos
g0dMAn
Enthusiast
Enthusiast

FYI, I've been having this same issue, no load balancer.

My setup is quite simple:

Single UAG 3.8 in a DMZ (no NAT, using external IP) connecting to a single Horizon Conn Server 7.11.

All protocols work with the Horizon client, but if you visit the URL externally from a browser, here are the results:

- Firefox = white page

- Edge = white page

- Chrome = This url.domain.com page can't be found (HTTP ERROR 404)

- Internet Explorer = The webpage cannot be found

If I go direct to the conn server, browser HTML works just fine.

I have tried the checkOrigin, and the two other settings in locked.properties to no avail. Each time I change the locked.properties file I do a conn server restart.

Aaron11211
Contributor
Contributor

This fix worked for me:

Create a new iRule one the F5 called Horizon_Origin_Remove

########################################

when HTTP_REQUEST {

if { [HTTP::header "Origin"] ne "" } {

HTTP::header remove "Origin"

}

}

########################################

Apply the iRule to the external iAPP for the UAG's in the iApp Configuration Screen iRules Section.

Verify on your firewall the following ports are open to the F5 VIP hosting your UAG's

Port 80 TCP

Port 443  TCP AND UDP

Port 4172 TCP AND UDP

Port 8443 TCP AND UDP

I was having issues with the Grey / White Blank Screen not showing the user login prompt when port UDP 443 is not open.

0 Kudos