VMware Horizon Community
Samsong2016
Contributor

Strange problem when logging on Horizon apps/desktops via UAG address

Hi All,

I think a similar question has been posted here earlier, but there seems to be no clear resolution for it.

Currently I have one UAG and one Horizon connection server (say https://myfqdn) in place and no load balancer installed.

All connections between the UAG and the connection server return green when I check their status via the UAG admin console.

However

- When I use the UAG.xxxx.local address to access via the web browser, an error “Failed to resolve proxying route for request” comes up after entering my login details and selecting the relevant apps/desktops. The web browser's address bar shows “https://myfqdn/r/7B9C13E8-82E9-4C51-846D-5D12D07614EA/certAccept.html?numPages=1

- When I use the Horizon Client to connect to the same UAG address, an error “SSL connection was shutdown while reading” is shown and nothing loads after entering my login details.

Is there anything I can troubleshoot further?

Thanks, and looking forward to all experts' replies.


0 Kudos
3 Replies
yqowen
VMware Employee

Hi Samsong2016,

Would you please check whether both the UAG and the Horizon Connection Server have Blast Secure Gateway enabled and the Blast External URL set up?

Based on UAG deploy and config guide: Deployment with Horizon and Horizon Cloud with On-Premises Infrastructure

  • The Blast Secure Gateway and PCoIP Secure Gateway must be enabled when Unified Access Gateway is deployed with Horizon. This ensures that the display protocols can serve as proxies automatically through Unified Access Gateway. The BlastExternalURL and pcoipExternalURL settings specify connection addresses used by the Horizon Clients to route these display protocol connections through the appropriate gateways on Unified Access Gateway. This provides improved security as these gateways ensure that the display protocol traffic is controlled on behalf of an authenticated user. Unauthorized display protocol traffic is disregarded by Unified Access Gateway.
  • Disable the secure gateways (Blast Secure Gateway and PCoIP Secure Gateway) on Horizon Connection Server instances and enable these gateways on the Unified Access Gateway appliances.

Please check your Horizon Connection Server setup.

Regards.

0 Kudos
Samsong2016
Contributor

Hi yqowen,

Based on the document and your comments, I checked both of my Horizon connection servers and the UAG, and it looks like they can communicate with each other.

I attached some screenshots of my config for your review. From my Horizon connection server admin console, it found the UAG with its IP address shown:

UAGShow.JPG

and all gateway settings were disabled via the Horizon admin pages.

HZNConnection.JPG

From my UAG, I had enabled all Blast/PCoIP settings:

UAG01.JPG

UAG02.JPG

and all statuses were showing green.

Samsong2016_0-1625584057709.png


But the problem still happens, even after I re-installed both the connection server and the UAG 2 times.


0 Kudos
yqowen
VMware Employee

It looks like you're using .local host names.

Please avoid using .local host names in UAG, per https://docs.vmware.com/en/Unified-Access-Gateway/2103/uag-deploy-config-guide.pdf


Multicast DNS and .local hostnames

UAG (Unified Access Gateway) 3.7 and later versions support Multicast DNS in addition to the Unicast DNS. Multi-label names with the domain suffix .local are routed to all local interfaces which are capable of IP multicasting by using the Multicast DNS protocol.

Avoid defining .local in a Unicast DNS server because RFC6762 reserves this domain use for Multicast DNS. For example, if you use a hostname hostname.example.local in a configuration setting such as Proxy Destination URL on the UAG, then the hostname is not resolved with Unicast DNS because .local is reserved for Multicast DNS.

Alternatively, you can use one of the following methods in which the .local domain suffix is not required:

  • Specify an IP address instead of a .local hostname.
  • An additional alternative DNS A record can be added in the DNS server. In the earlier example of host name, hostname.example.int can be added to the same IP address as hostname.example.local and used in the UAG configuration.
  • A local hosts file entry can be defined. In the earlier example, a local hosts entry can be defined for hostname.example.local.

Hosts file entries specify names and IP addresses and can be set by using the UAG Admin UI or through PowerShell .ini file settings.

Important: The /etc/hosts file on UAG must not be edited.

On the UAG, local hosts file entries are searched before performing a DNS search. Such a search ensures that if the host name is present on the hosts file, then the .local names can be used and a DNS search is not required at all.
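The quoted guidance boils down to a check a practitioner can run before deploying: any multi-label name under the .local suffix that UAG itself has to resolve (for example the proxy destination) will fail against unicast DNS unless a hosts entry covers it, while names in the external URLs are resolved by the Horizon Client, so a hosts entry on the UAG does not help there. The following Python script, added here as an illustration and not code from VMware or from this thread, scans a UAG-style PowerShell .ini deployment file for such names. The sample .ini text is constructed, and the key names proxyDestinationUrl, blastExternalUrl, pcoipExternalUrl and hostEntry1 are assumed for the illustration; confirm the exact key names against the UAG deployment guide for your version.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a UAG PowerShell-style .ini file. Key names are ASSUMED
# for this illustration; 192.0.2.x addresses are documentation ranges.
SAMPLE_INI = """
[General]
name=uag01
hostEntry1=192.0.2.10 cs01.example.local

[Horizon]
proxyDestinationUrl=https://cs01.example.local
blastExternalUrl=https://uag.example.local:443
pcoipExternalUrl=192.0.2.20:4172
"""


def is_mdns_name(host: str) -> bool:
    """True for a multi-label name under .local, which RFC 6762 reserves for
    Multicast DNS, so a unicast DNS lookup of it is not expected to succeed."""
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "local"


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(value: str) -> str:
    """Return the host part of a URL or of a bare host:port value."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return parsed.hostname or ""


def parse_host_entries(section) -> dict:
    """hostEntryN=<ip> <name> [<name> ...]  ->  {name: ip}"""
    entries = {}
    for key, value in section.items():
        if key.lower().startswith("hostentry"):
            parts = value.split()
            if len(parts) >= 2 and is_ip(parts[0]):
                for name in parts[1:]:
                    entries[name.lower()] = parts[0]
    return entries


def check_local_hostnames(ini_text: str) -> list:
    """Flag every *Url setting whose host is a .local name and say whether a
    hosts entry on the UAG would help (only for names the UAG resolves)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case as written in the file
    cfg.read_string(ini_text)
    host_entries = parse_host_entries(cfg["General"]) if "General" in cfg else {}

    findings = []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            if not key.lower().endswith("url"):
                continue
            host = host_of(value)
            if not host or is_ip(host) or not is_mdns_name(host):
                continue
            # External URLs are handed to the Horizon Client, which resolves
            # them itself; a hosts entry on the UAG only covers UAG-side lookups.
            resolved_by = "client" if "external" in key.lower() else "uag"
            covered = resolved_by == "uag" and host.lower() in host_entries
            if covered:
                advice = f"ok: hosts entry maps {host} to {host_entries[host.lower()]}"
            elif resolved_by == "uag":
                advice = "use an IP, a non-.local A record, or add a UAG hosts entry"
            else:
                advice = "use an IP or a non-.local name that clients can resolve"
            findings.append({
                "setting": f"{section}.{key}",
                "host": host,
                "resolved_by": resolved_by,
                "covered_by_hosts_entry": covered,
                "advice": advice,
            })
    return findings


if __name__ == "__main__":
    for f in check_local_hostnames(SAMPLE_INI):
        print(f"{f['setting']}: {f['host']} ({f['resolved_by']}) -> {f['advice']}")
```

Run against the sample, the script reports the proxy destination cs01.example.local as covered by the hosts entry and the Blast external URL uag.example.local as a name the client will have to resolve without help from the UAG; the PCoIP external URL is skipped because it is already an IP address.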