VMware Workspace ONE Community
nickjo67
Enthusiast

F5 Redirects and setting connection brokers.

All,

I've been fighting with this issue for quite some time trying to get my connection brokers to go through the F5. 

My set-up is fairly simplistic.

2 - F5 load balancers with internal and external VLANs.

4 connector VA's.

- Connectors 1 and 2 are load balanced without Kerberos and have RSA applied to them (for external users):

hznAdminTool addvm --type=CONNECTOR --ip=xxx.xxx.xxx.xxx --useGatewayAsIDP=y --directoryPassword=XXX

- Connectors 3 and 4 are load balanced with Kerberos, using the addvm option with N instead of Y:

hznAdminTool addvm --type=CONNECTOR --ip=xxx.xxx.xxx.xxx --useGatewayAsIDP=n --directoryPassword=XXX

After creating your VIP inside of the F5 you'll more than likely want to reference that rather than the individual connector2-va / connector3-va (if you're using the defaults to deploy when you setup DNS prior to adding the VMs).  For instance the VIP might be horizon-external.FQDN with an ip of 192.168.1.2.  From there your VIP has the two IP addresses for connector2-va / connector3-va (example 192.168.1.3 / 192.168.1.4).

So you navigate over to your two connectors via https://connector2-va.FQDN:8443/hc/admin and then navigate to -- Advanced -- Windows Auth -- check both (Enable Windows authentication and Enable Redirect).

Once that is done, you'll then click on the Identity Provider tab and change the IdP Hostname to your VIP on the F5 (in this case horizon-external.FQDN). 

If you receive an error, then try this.

Log in to connectors 3 and 4 via SSH (sshuser is the login; the password is whatever you set it to be. Then log in as root with the same password).

What we are going to do is replace the cert on the connector with a .PEM file that you create.

You'll need:

  1. your cert for your FQDN (i.e. workspace.FQDN).
  2. your signed cert (key file that should begin with -----BEGIN RSA PRIVATE KEY-----)
  3. your root cert that you're using for your workspace FQDN.

Open Notepad on your desktop and paste each cert in the sequence above.  Make sure not to have any extra whitespace characters.  Once that is done, give it a name with a .PEM extension.

From there you can use WinSCP (or another product) to transfer your file to both external connectors 3 and 4.  I'd place the .PEM in the /tmp directory.

OR:

on the connectors you can use vi /tmp/yourfile.pem and paste the certs in the sequence above.

Once that is done it's time to replace the default cert.

as root issue:

/usr/java/jre-vmware/bin/keytool -import -trustcacerts -file /tmp/yourfile.pem -alias youralias -keystore /usr/java/jre-vmware/lib/security/cacerts

the password is: changeit

Once the cert is replaced, then issue:

service tcserver-c2 restart

Now go back to your connector3 and connector4 and try to change your default IdP hostname.  It should let you at this point.

-Nick

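As an added example (not from the post above and not VMware's own tooling), here is a shell script that does the bundle check and truststore import from the steps above on the connector itself. It assumes the paths and password the post gives (/usr/java/jre-vmware/bin/keytool, the cacerts file under lib/security, and changeit) and that the .PEM was built in the post's order: server certificate, private key, root CA certificate. It strips the CRLF line endings Notepad writes, which break PEM parsing, and hands keytool only the certificate blocks, one per -importcert call: keytool -importcert reads X.509 certificates and cannot take a private key, and cacerts is a truststore, so the effect of this step is that the connector's Java process trusts the chain presented by the F5 VIP. The bundle written by write_sample_bundle is constructed placeholder text for the self-check only, not a real certificate or key; the script name pemcheck.sh and the alias f5-vip are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): check a PEM bundle
# built in the post's order (server cert, private key, root CA) and load its
# certificate blocks into the connector JRE truststore with keytool.
# Assumed paths and password are the ones the post uses; override via environment.
KEYTOOL="${KEYTOOL:-/usr/java/jre-vmware/bin/keytool}"
CACERTS="${CACERTS:-/usr/java/jre-vmware/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Strip CR (Notepad writes CRLF), trailing whitespace and blank lines; print the cleaned PEM.
normalize_pem() {
    tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print the BEGIN block types in file order, '|'-separated,
# e.g. "CERTIFICATE|RSA PRIVATE KEY|CERTIFICATE".
pem_block_types() {
    normalize_pem "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | tr '\n' '|' | sed 's/|$//'
}

# Return 0 when the bundle has balanced markers and the expected order:
# server certificate, then the private key (PKCS#1 or PKCS#8 header), then the root CA.
check_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    begins=$(normalize_pem "$f" | grep -c '^-----BEGIN ' || true)
    ends=$(normalize_pem "$f" | grep -c '^-----END ' || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
        echo "unbalanced or missing BEGIN/END markers in $f" >&2
        return 1
    fi
    types=$(pem_block_types "$f")
    case "$types" in
        'CERTIFICATE|RSA PRIVATE KEY|CERTIFICATE'|'CERTIFICATE|PRIVATE KEY|CERTIFICATE') return 0 ;;
        *) echo "unexpected block order: $types (want cert, key, root CA)" >&2; return 1 ;;
    esac
}

# Print only the CERTIFICATE blocks. keytool -importcert takes X.509 certificates
# and has no way to consume a private key, and cacerts is a truststore, so the
# private key never leaves the bundle file.
extract_certs() {
    normalize_pem "$1" | awk '/^-----BEGIN CERTIFICATE-----$/ {p=1} p {print} /^-----END CERTIFICATE-----$/ {p=0}'
}

# Import each certificate block as "<alias>-1", "<alias>-2", ... (keytool imports
# one certificate per -importcert call). -noprompt skips the interactive trust prompt.
import_certs() {
    bundle="$1"; alias="$2"
    check_bundle "$bundle" || return 1
    tmp=$(mktemp -d) || return 1
    extract_certs "$bundle" | awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----$/ {n++} {print > (d "/cert" n ".pem")}'
    for f in "$tmp"/cert*.pem; do
        n=${f##*/cert}; n=${n%.pem}
        "$KEYTOOL" -importcert -trustcacerts -noprompt -file "$f" -alias "$alias-$n" \
            -keystore "$CACERTS" -storepass "$STOREPASS" || { rm -rf "$tmp"; return 1; }
    done
    rm -rf "$tmp"
}

# Constructed sample in the post's order with CRLF endings as Notepad would write;
# placeholder base64, not a real certificate or key. For the self-check only.
write_sample_bundle() {
    printf '%s\r\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBc2FtcGxlU2VydmVyQ2VydA==' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'MIIEc2FtcGxlUHJpdmF0ZUtleQ==' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBc2FtcGxlUm9vdENlcnQ=' '-----END CERTIFICATE-----' > "$1"
}

# Usage on the connector as root (assumed script name):
#   sh pemcheck.sh check /tmp/yourfile.pem           # validate the bundle
#   sh pemcheck.sh import /tmp/yourfile.pem f5-vip   # import cert blocks, then: service tcserver-c2 restart
case "${1:-}" in
    check)  check_bundle "$2" && echo "bundle OK: $(pem_block_types "$2")" ;;
    import) import_certs "$2" "${3:-f5-vip}" && echo "imported into $CACERTS; now restart tcserver-c2" ;;
esac
```

Run the check on the workstation before copying the file over; a bundle that fails it would also fail inside keytool, only with a less helpful message. The import loop deliberately reads the cleaned certificate blocks from a temporary directory rather than the original file, so a stray CR or the private key block can never reach the truststore.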