chrischay
Contributor

SSL Thumbprint for View Connection Server Behind Load Balancer

Hi All,

I am new to VDI and this is my first Horizon Deployment.

My setup is that I have two Unified Access Gateways in the DMZ pointing to a back-end Load Balancer in my internal network and then two View Connection Servers behind my back-end Load Balancer. When I connect to a load balanced FQDN sometimes it shows me the thumbprint of my View Connection Server #1 and sometimes it will show me the thumbprint of my View Connection Server #2. All of them have SSL certificates issued using my internal CA. So my question is which Connection Server URL Thumbprint should I use?

Thanks in advance for any help.

0 Kudos
13 Replies
Mickeybyte2
Hot Shot

Hi chrischay

You'll need to put both thumbprints of your connection servers in the field "Connection server URL Thumbprint" on the UAG Horizon settings.

Separate them by comma.

Regards,

Michiel.

Regards, Michiel.
0 Kudos
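The field value described in the reply above can be built by connecting to the load-balanced name several times and fingerprinting every distinct certificate that answers. This is an added example, not part of the original thread or of VMware's tooling. The hostname is a placeholder, the certificate bytes in the demo are constructed stand-ins, and the plain-hex digest format is an assumption to check against what your UAG version accepts.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER-encoded leaf certificate presented on one new connection."""
    ctx = ssl.create_default_context()
    # Chain validation is off only so the certificate can be read for
    # fingerprinting even when the internal CA is not in the local trust store.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint(der, algo="sha1"):
    """Format one thumbprint as '<algo>=<hex digest of the DER bytes>'."""
    return f"{algo}={hashlib.new(algo, der).hexdigest()}"


def thumbprint_field(ders, algo="sha1"):
    """Comma-separated thumbprints, one per distinct certificate, first seen first."""
    seen = []
    for der in ders:
        tp = thumbprint(der, algo)
        if tp not in seen:
            seen.append(tp)
    return ",".join(seen)


def sample_vip(host, port=443, attempts=10):
    """Connect repeatedly so each back-end behind the VIP gets a chance to answer."""
    return [fetch_leaf_der(host, port) for _ in range(attempts)]


if __name__ == "__main__":
    # Constructed stand-ins for two servers' DER certificates (not real certs).
    # Against a live VIP (placeholder hostname):
    #   thumbprint_field(sample_vip("horizon-vip.example.internal"))
    cs1, cs2 = b"constructed-cert-CS1", b"constructed-cert-CS2"
    print(thumbprint_field([cs1, cs2, cs1, cs1, cs2]))
    print(thumbprint_field([cs1, cs2], algo="sha256"))
```

If the sampled list contains a thumbprint that matches neither Connection Server's own certificate, something in the path is terminating TLS with a different certificate.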
chrischay
Contributor

Hi Mickeybyte,

I actually did put both thumbprints of my View Connection Servers but the Horizon Destination Server is still showing down (red). I put like sha1=xxxxxxxxxxxxxx,sha1=xxxxxxxxxxxxx.

I know that the load balanced FQDN is working because if I type it in a browser it will just work no problem.

Regards

0 Kudos
Mickeybyte2
Hot Shot

chrischay

Could you provide a screenshot, 'cause I don't know what you mean by "the horizon destination server is still showing down". Where do you see that?

Regards

0 Kudos
sjesse
Leadership

Try the sha256 one, if there isn't, try sha256= but put the sha1 in. There was an issue at one point that I solved by doing that.

0 Kudos
RobOTheGreat
Contributor

You might want to review Carl Stalhood's blog on UAG setup. He goes into detail on the UAG configuration.

https://www.carlstalhood.com/vmware-unified-access-gateway/

0 Kudos
chrischay
Contributor

Hi Mickeybyte,

It is in the Unified Access Gateway settings.

0 Kudos
chrischay
Contributor

Hi Mickeybyte,

Attached is the screenshot.

0 Kudos
Mickeybyte2
Hot Shot

chrischay

What versions of UAG and Horizon are you using?

The connection servers work fine when connecting via the load balancer?

What load balancer are you using?

What happens if you put one of the connection server addresses in the UAG instead of the LB address?

Regards.

0 Kudos
chrischay
Contributor

Hi Mickeybyte,

UAG v3.10, Horizon 7.12

Yes, the connection servers just work fine when connecting via load balancer.

I am using Palo Alto for load balancing.

Everything works fine if I put one of the connection server addresses in the UAG instead of the LB address.

0 Kudos
Mickeybyte2
Hot Shot

chrischay

So it must be something with the load balancer then. I don't have any experience with the Palo Alto LB I'm afraid.

Did you try both connection server addresses in the UAG and they both work separately?

Regards.

0 Kudos
Mickeybyte2
Hot Shot

Also, check this site: Troubleshooting Unified Access Gateway Deployment

Maybe you can find more info in the logs somewhere.

Regards.

0 Kudos
chrischay
Contributor

Hi Mickeybyte,

Both connection servers work separately in UAG.

The load balanced address/FQDN just works fine in a browser. Only in UAG it won't work.

0 Kudos
nburton935
Hot Shot

If that is the case, is the VIP accessible from the UAG? Run 'curl -v https://LBvip:443' from the UAG.

0 Kudos