This chapter has 3 primary objectives

• Securing a Horizon Blast sessions using HTML Access
• Securing the HTML Blast functionality when Origin Blocking refuses connections via the Unified Access Gateway
• Securing Workspace ONE Access and VMware Horizon Sessions with JWT TOKEN

Overview

When launching an entitlement using the HTML client with Horizon Blast either through Workspace ONE Access or as a Direct connection with the broker by default one might observe the following:

You might notice that the Browser constantly gets stuck even though our Connection server had trusted CA signed certificates from a public source.

The problem also occurs wheen using HTML blast via Workspace ONE Access, even though Workspace ONE Access is using CA-signed certificates.

The result is an unsatisfactory User-Experience, a user would have to accept what appears to be an Invalid certificate, leaving them with concerns about the resource they are consuming

In earlier versions of Horizon, if we wanted to solve this problem we had to perform two primary operations.

1st an edit had to made on the Broker to the LDS database using ADSIEDIT. The reason for this is as follows and it entails understanding how the transport works. The 2nd step entailed replacing the Agents self-signed cert with a CA signed cert. In a non-persistant environment the most practical way to do this was to use a wild-card certificate.

This exercise is divided into two parts.

• Part 1 will cover understanding this issue with the Transport
• Part 2 we will use the latest approach to configuring Horizon Blast with Workspace ONE Access and you will notice how much better it works.

1. On the ControlCenter server.
   • Launch an Incognito session on your Chrome browser session
   • In the address bar enter your custom URL for Workspace ONE Access
   • Below Select your domain, ensure euc-livefire.com is the selection.
     • Select Next
   • Under the username area
     • Enter the user name Mark
   • In the  password area
     • Enter VMware1! as the password
   • Select Sign in

2. In the Workspace ONE Access Console
   • Select Apps
   • Under Categories, select Virtual
   • Select and launch, Calculator

3. In the Password Request window
   • In the Password area Enter VMware1! as the password
   • Select Sign In
     • In the address bar, notice you have an IP address, also you will notice it says the certificate is not Valid.

4. So there are two problems here, our Agent is using a self-signed cert, but even if we had a CA signed cert it would not be trusted as by default Horizon prefers to use IP address rather than domain name.
   1. In the past this was a two part process, where we had to edit the LDS database using ADSIEDIT (above screenshot of the config) and we would have configure Horizon to Prefer using a FQDN rather than an IP Address. The reason for this was, even if we had a valid certificate it would not be recognized as the address in the certificate would not map to the address in the browser.
   2. On the virtual desktop we would replace the self-signed cert with a CA signed Wild CARD cert .
      • And that was a problem as no one liked that, it was not secure, it gave the impression of being secure, but it was an open door waiting to be exploited.
   3. Thankfully this issue has been rectified and we will look at Part 2 on how secure our Horizon environment properly when we integrate with Access using the Blast Protocol
   4. Log off from Workspace ONE Access and Close any open Browsers
   5. Reference
      • https://kb.vmware.com/s/article/2088354
      • https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-installation/GUID-8E7FBB9D-F2DB-4787-B11B-7506126DEB7F.html
   6. We will also in the next lab teach an implement TRUESSO for a single sign-on experience

What the Product development team have done is give us the ability to Tunnel HTML Blast traffic through the Broker.

• This has a two advantages. The Broker can use its own CA signed certificate when launching the session with the client and we do not have to configure the Broker to prefer to use DNS as the client is connecting directly with the Broker.
• Best practice now is to configure the HTML BLAST SECURE GATEWAY on the Broker for internal Horizon Clients. In the past we would not configure Blast to Tunnel through the Horizon Connection Server if we wanted to use the Unified Access Gateway.
• With this new configuration we are able to use this Connection Server for both Internal and External use.
  • We will now implement this configuration on the Horizon Connection server and then test this configuration out in this Part

1. On your ControlCenter server,
   • Launch the Chrome Browser,
   • Select the VMware Horizon shortcut in the Favourites Bar
   • Login as Administrator
   • For password us VMware1!
   • Select Sign in

2. In the Horizon Console
   • Expand Settings
   • Under Settings select Servers

3. Under Servers,
   • Select the Connection Servers tab

4. On the Connection Servers tab,
   • Select the radio button next to Horizon
   • Select Edit

5. Notice that the existing configuration
   • This issue occurs when the setting   Do not use Blast Secure Gateway is selected
     • This configuration was a default with Horizon 7,
     • In Horizon 8, the default configuration when Horizon is fresh-installed is Use Blast Secure Gateway for all Blast Connections to machine

6. In the Edit Connection Server Settings window
   • Select the radio button next to Use Blast Secure Gateway for only HTML Access Connections to machine
   • Close the Edit Connection Server Settings by selecting OK

1. On the ControlCenter server.
   • From your Chrome browser  Open an Incognito browser se new tab
   • In the address bar enter your custom Workspace ONE Access URL
   • In the Select your domain, ensure euc-livefire.com is the selection. Select Next

• Enter the username Mark and the password VMware1! Select Sign in

2. In the Workspace ONE Access Console
   • Select Apps
   • Under Categories, select Virtual
   • Select and launch, Calculator
   • In the Password Request window, enter VMware1!
   • Select Sign In

3. On your Chrome Browser, a new tab should be launch
   • Close your Incognito Chrome Browser session
   • As mentioned earlier, we will address the single Sign-On issue for password based Authentication

4. On your ControlCenter server
   • Switch to your Chrome browser and select your custom Workspace ONE Access URL session tab
     • If necessary log in again with your custom System Admin credentials
   • In the Workspace ONE Access admin Console
     • Select the Identity & Access Management tab
     • To the right of the Identity & Access Management console,
       • Select Setup
     • Under Setup,
       • Select Preferences

5. In the Preferences area
   • Scroll right down, to the bottom of the Preferences area
   • Next to Password Caching, select the check-box next to Enable
   • Select Save

• The Password Caching check box in Preferences will only provide single sign-on for Password based authentication.
  • The Caching of Password for Horizon is a feature that was disabled In December 2019 and this check box was re-introduced for those customers that wanted to accept the security risks of password based caching.
  • This solution does not work for 3rd-Party auth methods

1. On your ControlCenter Server
   • Open your Remote Desktop folder, launch W10EXT01a.RDP
     • Login as [email protected]
     • With the password VMware1!
   • On the W10Ext01a desktop, open your Chrome browser, in the address bar, type uag-hzn.euc-livefire.com or select the UAG-Client shortcut
   • Select the VMware Horizon HTML Access shortcut

2. Notice you have a Failed to connect to the Connection Server issue
   • Select OK to close the Error message
   • This is not a UAG issue and nothing is broken. This due to a new secure feature that has been enabled in Horizon 7 called Origin checking which is enabled by default and is a new standard defined in RFC 6454
     • https://docs.vmware.com/en/VMware-Horizon-7/7.1/com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html
     • Close all Windows, minimise your W10Ext01a.RDP session

3. On your ControlCenter server Desktop
   • In the Remote Desktops folder
   • Launch  Horizon.RDP
     • Login as username [email protected]
     • Password is VMware1!

4. On your Horizon Connection server,  go to your logs folder to validate this is the issue.
   • On the Task bar launch File Explorer
   • Go to c\:ProgramData\VMware\VDM\logs
   • Open the most current debug log and
   • Search for a keyword "unexpected origin"

• This validates the issue we are having. To solve this proceed with the following step

5. On your ControlCenter server Desktop
   • Open your Chrome Browser, open a new tab and select the UAG_HZN shortcut
   • In the UAG Admin login, type
     • In the Username area type : admin
     • In the Password area type: VMware1!
     • Select Login

6. On the Unified Access Gateway Appliance  admin console
   • Under Configure Manually
     • Click on, Select

7. On the Unified Access Gateway Appliance v20.12 Admin console
   • Under General Settings
     • Next to Edge Service Settings, move the toggle next to Edge Service Settings from Left to Right

8. To the right of Horizon Settings,
   • Select the gear wheel

9. In the Horizon Settings, next to
   • Re-write Origin Header, move the toggle from No on the left to Yes on the right.
   • Select Save at the bottom of the window.
   • Logout from the UAG Admin console

10. Switch back to your W10Ext01a server,
    • Launch your Chrome Browser
    • Enter UAG-HZN.euc-livefire.com in the Address Bar
    • Select VMware Horizon HTML Access

11. In the Login window type in the following:
    • Username: Mark
    • Password: VMware1!
    • Select Login

12. In the Horizon HTML entitlements,
    • Launch Paint

13. Notice your entitlement launches without any further prompts
    • Select Log out
    • On the Log Out window select OK
    • Close your Browser
    • Minimize your W10Ext01a.RDP Session

1. On the ControlCenter server
   • On your Chrome browser, Open a new Tab, select the UAG-HZN admin shortcut session
   • In the Username area, login as admin
   • In the password area, enter VMware1!,
   • Select Login

2. In the UAG ADMIN Console
   • Under Configure Manually,  select the Blue Select button

3. In the UAG ADMIN Console
   • Under Advanced Settings
     • Select the Gear to the right of JWT Settings

4. In the UAG ADMIN Console
   • In the JWT Settings window, select Add

5. In the JWT Settings window, enter the following, next to
   • Name: Workspace ONE Access
   • Dynamic Public key URL: https://YOUR CUSTOM ACCESS FQDN/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
   • Public key refresh interval: 86400
   • Select Save
   • Select Close

6. In the UAG Admin Console
   • In the General Settings area
     • Next to Edge Service Settings, select and move the toggle to the right
     • To the right of Horizon Settings, select the GEAR

7. In the Horizon Settings window
   • At the bottom of the page, select More
   • To the right of JWT Settings select the dropdown and select Workspace ONE Access
   • Scroll to the bottom of the window and select Save

INTRODUCTION

All Horizon sessions configured to communicate with Workspace ONE Access have been configured to be secure. We will now test the session

1. On your ControlCenter server
   • On your Chrome Browser in the top right hand corner,
   • Select the 3 DOTS
   • Select New incognito window

2. On your Chrome Browser
   • Enter your custom Workspace ONE Access URL

3. In the Select Your Domain window.
   • Validate that the default domain euc-livefire.com is selected
   • Select Next

4. In the Log in window
   • Under username enter Mark,
   • Under password enter VMware1!,
   • Select Sign in

5. Next to Favorites,
   • Select Apps

6. In the Apps area
   • Select Internet Explorer

7. Notice the Address in the Browser is our Horizon Connection server.
   • In this example, We have launched a Virtual Application from Workspace ONE ACCESS and our secure session is Tunneling through the Unified Access
   • Select Log out
   • On the Log Off window select OK
   • In the top right hand corner, select  your account Icon. In this example its MD, right-click, select  Sign Out
   • Close the browser