Solved: View 4.5 Security Server Problems Since installing...

s1xth · ‎10-27-2010

I am having some very odd issues with my view connection server running view 4.5 (front and back). I am hoping someone could shed some light on the problem,because I have tried everything I know to get this working correctly.

Prior to installing new a self signed certificate on the external connection server I was running the default VMware certificate. Everything was running fine in this configuration. I installed a new self-signed certificate and now I am having intermittent problems connecting to the server:

1. When connecting from a windows machine I CAN reach the URL/HTTP site to download the View client. Once I launch the View client I recieve the following error: The View Connection Server connection failed. Network Error.

2. I have tried connecting via IP address of the server, made sure external URL is correct (everything worked fine prior to installing the SSL certificate).

3. Completely removed the security server and reinstalled, restarting services etc. Still can't connect on some machines. Connecting from a Wyse enabled iPad always works, never have a problem.

4. If I connect the VPN to the company on the machine that is not working and then launch the View Client and connect everything works as it should. When I disconnect the VPN and try connecting again, I can connect fine! So it takes me to connect the VPN for the connecion to go through....its really odd. I have checked DNS etc and everything is the same as with the default certificate. I made sure the machines that are having problems are trusting the certificate and i also monitored the Cisco ASA firewall logs, I dont see anything different happneing between the periods of it working and not working.

Anyone ever experienced something along these lines or can think of anything I can try?

Thanks!

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

mikeyes · ‎11-02-2010

I ran into this same thing. The conflict is between the view client and your new self-signed SSL certificate. Specifically the thing causing the trouble is the version of the wininet.dll file that came with IE8. The wininet.dll file that came with IE8 causes some kind of conflict with the View 4.5 client (when an SSL cert other than the server generated one is used) and will not allow the View 4.5 client software to connect to your security server. I have reported this to VMware (2 weeks ago) so they should be aware of the issue.

If you remove your new SSL certificate and go back to the one created by the View server then everything will work fine again. If you remove IE8 and use an XP machine with either IE6 or IE7 it will also work fine. I tested taking the wininet.dll file from an XP SP3 IE6 machine and restoring that file after installing IE8 and everything seemed to work ok but probably not the best solution.

Bottom line is until VMware fixes the conflict with their View client you can't use any SSL cert (other than the one the server makes itself) if you are going to connect from windows machines running IE8 or newer.

View solution in original post

mittim12 · ‎10-27-2010

Have you generated the support logs on the security server and it's paired connection broker? Might find something in those logs

Sent from my iPhone

s1xth · ‎10-27-2010

Thanks for the response, this is a good idea. I am gathering logs now and I will review them to see if I can see anything causing the problem.

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

s1xth · ‎10-27-2010

Still reviewing logs, but so far I found this failure which may or may not be an issue:

Connecting to server (ip address of connection server removed for posting) on topic topic/IceTunnelTopic...

Timeout during connect!

This occurs during the JMSPublish Test.

Edit- Some more reviewing of the VDM-LOG files I found these odd errors:

10:23:24,084 ERROR <Thread-7> Outbound JMS connection failed with: com.swiftmq.jms.ConnectionLostException: End-of-Stream reached

10:24:30,350 WARN <AJP-10> (Request11) AJP connection test failed: com.vmware.vdi.ob.tunnelservice.da: Failed to write data to server: java.net.SocketException: Connection reset by peer: socket write error

10:24:31,803 WARN <AJP-11> (Request12) AJP connection test failed: com.vmware.vdi.ob.tunnelservice.da: Failed to write data to server: java.net.SocketException: Connection reset by peer: socket write error

10:25:18,834 WARN <AJP-12> (Request13) AJP connection test failed: com.vmware.vdi.ob.tunnelservice.da: Failed to write data to server: java.net.SocketException: Connection reset by peer: socket write error

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

mittim12 · ‎10-27-2010

Were you able to link these messages to the same time that the connecton issue was having? Is the issue sporadic or does it work for awhile and then die?

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

Twitter: http://twitter.com/mittim12

s1xth · ‎10-28-2010

Nope....looks like those messages are NULL, and do not occur when I am trying to connect it has to be something else. I ran through the rest of the logs and I can't seem to find anything solid that is pointing at the issue. I think it may be the SSL certificate, I may purchase a certificate and place it on the server and see if that resolves the issue. I haven't been able to find anything else that is causing the connectivity troubles :-/.

Blog: www.virtualizationbuster.com

Twitter: s1xth

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

mikeyes · ‎11-02-2010

I ran into this same thing. The conflict is between the view client and your new self-signed SSL certificate. Specifically the thing causing the trouble is the version of the wininet.dll file that came with IE8. The wininet.dll file that came with IE8 causes some kind of conflict with the View 4.5 client (when an SSL cert other than the server generated one is used) and will not allow the View 4.5 client software to connect to your security server. I have reported this to VMware (2 weeks ago) so they should be aware of the issue.

If you remove your new SSL certificate and go back to the one created by the View server then everything will work fine again. If you remove IE8 and use an XP machine with either IE6 or IE7 it will also work fine. I tested taking the wininet.dll file from an XP SP3 IE6 machine and restoring that file after installing IE8 and everything seemed to work ok but probably not the best solution.

Bottom line is until VMware fixes the conflict with their View client you can't use any SSL cert (other than the one the server makes itself) if you are going to connect from windows machines running IE8 or newer.

s1xth · ‎11-02-2010

Mikeyes - Thank you so much for taking the time to post this response! I am so happy to hear I am not the only one with this issue. Everything you state above is exactly what I am experiencing. If I move back to the default certificate everything is fine, if I switch back to my own certificate it doesnt work again. Your above testing is very helpful and very in depth, VMware should thank you for the time you spent on finding this bug, especially since this SHOULD NOT happen. I am going to try what you mention tommorrow on a my workstation to test.

Do you know if this only effects self-signed certificates or does it also effect CA Root certificates also? I haven't tried a CA root yet as I don't want to purchase one yet for this proof of concept environment. This also explains why on my iPad via Wyse app I dont have any issues.

Blog: www.virtualizationbuster.com

Twitter: s1xth

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

mittim12 · ‎11-02-2010

I would like to offer my thanks to Mikeyes too for posting this information. That is what makes this forum so great. It is interesting that a self signed certificate would be the cause of all this. My 4.5 security server is using a equifax certificate with no issues at all though it was already present when I performed the upgrade.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

Twitter: http://twitter.com/mittim12

mikeyes · ‎11-03-2010

When I ran into my problem I was using an internal private CA to sign my SSL. I do not know if an SSL cert signed by one of the major Trusted Root CA's would cause this trouble or not. mittim12 indicated that his equifax cert was ok. Since the problem is ultimatley with IE8 the Trusted Root CA's that IE implicitly trusts might be ok. I tried adding my local CA as a trusted root authority to see if that would make IE ok and it did not have any effect.

When I opened the case with VMware I asked them to please make a knowledge base article from the incident because I knew others were running into the trouble. The nature of the error code makes it very hard to diagnose.

Glad I could help someone out.

s1xth · ‎01-18-2011

Just checking to see if anyone has heard from VMware on this issue....

Thank you!

http://www.virtualizationimpact.com http://www.handsonvirtualization.com Twitter: @jfranconi

mikeyes · ‎01-18-2011

No word from VMware.

All

View 4.5 Security Server Problems Since installing SSL Certificate