EUCEUC: Horizon Integrations 2020/21 Day 3Horizon Configuration with Workspace ONE Access and the Unified Access Gateway

Horizon Configuration with Workspace ONE Access and the Unified Access Gateway

Introduction

When launching an entitlement using the HTML client with Horizon Blast either through Workspace ONE Access or as a Direct connection with the broker by default one might observe the following:

You might notice that the Browser constantly gets stuck even though our Connection server had trusted CA signed certificates from a public source.

The problem also occurs when using HTML blast via Workspace ONE Access, even though Workspace ONE Access is using CA-signed certificates.

The result is an unsatisfactory User-Experience, a user would have to accept what appears to be an Invalid certificate, leaving them with concerns about the resource they are consuming

In this Chapter we will look at what the default configuration of a session is, exactly what happens and how we can make sure our sessions are secure.

 

Background

In earlier versions of Horizon, if we wanted to solve this problem we had to perform two primary operations.

1st an edit had to made on the Broker to the LDS database using ADSIEDIT. The reason for this is as follows and it entails understanding how the transport works. The 2nd step entailed replacing the Agents self-signed cert with a CA signed cert. In a non-persistant environment the most practical way to do this was to use a wild-card certificate.

This exercise is divided into two parts.

  • Part 1 will cover understanding this issue with the Transport
  • Part 2 we will use the latest approach to configuring Horizon Blast with Workspace ONE Access and you will notice how much better it works.

Part 1. Validating the default configuration on the Blast transport

  1. On the ControlCenter server.
    • Open an incognito Chrome browser session
    • Launch a new session of  your cloud SaaS Workspace ONE Access  
    • Select Next
    • In the Select your domain, ensure euc-livefire.com is the selection.
    • Select Next
    • Enter the user name Your Custom User and the password VMware1!
    • Select Sign in
  2. Select Apps in the title bar
  1. In the Workspace ONE Access Console
    • Select Apps
    • Select and launch, any one of the 4 Horizon based entitlements
  1. In the Password Request window
    • Notice we are prompted for password, we will be addressing this in a later lab
      • Enter VMware1!
    • Select Sign In
      • In the address bar, notice you have an IP address, also you will notice it says the certificate is not Valid.
      • Close your browser session...
  1. So there are two problems here, our Agent is using a self-signed cert, but even if we had a CA signed cert it would not be trusted as by default Horizon prefers to use IP address rather than domain name.
    • In the past this was a two part process, where we had to edit the LDS database using ADSIEDIT (above screenshot of the config) and we would have configure Horizon to Prefer using a FQDN rather than an IP Address. The reason for this was, even if we had a valid certificate it would not be recognized as the address in the certificate would not map to the address in the browser.
    • On the virtual desktop we would replace the self-signed cert with a CA signed Wild CARD cert .
      • And that was a problem as no one liked that, it was not secure, it gave the impression of being secure, but it was an open door waiting to be exploited.
    • Thankfully this issue has been rectified and we will look at Part 2 on how secure our Horizon environment properly when we integrate with Access using the Blast Protocol

Part 2. Securing a Horizon Blast sessions using HTML Access.

What the Product development team have done is give us the ability to Tunnel HTML Blast traffic through the Broker.

  • This has a two advantages. The Broker can use its own CA signed certificate when launching the session with the client and we do not have to configure the Broker to prefer to use DNS as the client is connecting directly with the Broker.
  • Best practice now is to configure the HTML BLAST SECURE GATEWAY on the Broker for internal Horizon Clients. In the past we would not configure Blast to Tunnel through the Horizon Connection Server if we wanted to use the Unified Access Gateway.
  • With this new configuration we are able to use this Connection Server for both Internal and External use.
    • We will now implement this configuration on the Horizon Connection server and then test this configuration out in this Part

 

  1. On your ControlCenter server,
    • Launch a new tab on your  Chrome Browser,
    • Select the VMware Horizon shortcut in the Favourites Bar
      • Login as Administrator
      • For password us VMware1!
    • Select Sign in
  1. In the Horizon Console
    • Expand Settings
    • Select Servers
  1. Under Servers,
    • Select the Connection Servers tab
  1. On the Connection Servers tab,
    • Select the radio button next to HORIZON
    • Select Edit
  1. Notice, at present the configuration under Blast Secure Gateway
    is selected to Do not use Blast Secure Gateway
  1. In the Edit Connect Server Settings window
    • Select the radio button next to Use Blast Secure Gateway for only HTML Access Connections to machine
    • Select OK to close the Edit Connection Server Settings window

Part 3 . Validating our Horizon HTML Blast Configuration

  1. On the ControlCenter server.
    • In necessary,
      • Open up a new incognito Chrome browser session
      • Select your  Custom Workspace ONE Access  url select Next
      • In the Select your domain, ensure euc-livefire.com is the selection.
      • Select Next
      • In the username area enter your Custom Test User and the password VMware1!
      • Select Sign in
  1. In the Workspace ONE Access Console
    • Select All Apps
    • Select and launch, any one of the 4 entitlements,
      • In the following example we will launch Calculator
      • In the Password Request window, enter VMware1!
        • Select Sign In
          • Note! Caching of Passwords is by default disabled by Workspace ONE Access . In the next lab - Horizon TrueSSO we will sort this out
  1. Notice there were no hiccups in the launch of your application in your browser and you have a valid certificate in your Browser
    • You are being tunneled via the broker to your Horizon session
  • Log off and close all windows from this lab.

Conclusion

In this session we have seen how we secure internal HTML Blast traffic

  • If we were external our traffic would tunnel through the Blast Secure Gateway on the UAG. However, when external we would not then tunnel again through the Horizon Connection server. The Unified Access Gateway would come into play. In the next part we will look at how we configure the Unified Access Gateway for secure the HTML Blast Transport for external Access.
  • The User Experience has been vastly improved as now there are no hiccups when using the HTML Client.

Part 4: Securing the HTML Blast Transport using the Unified Access Gateway

  1. On your ControlCenter server,
    • Launch a new tab, in your Chrome Browser
    • In the Address bar, enter UAG-HZN.euc-livefire.com
    • Select VMware Horizon HTML Access
  1. Notice you have a Failed to connect to the Connection Server issue
    • Select OK to close the Error message
    • This is not a UAG issue and nothing is broken. This due to a new secure feature that has been enabled in Horizon 7 called Origin checking which is enabled by default and is a new standard defined in RFC 6454
      • https://docs.vmware.com/en/VMware-Horizon-7/7.1/com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html
  1. On your ControlCenter server Desktop
    • Open your Browser and
    • Enter the following URL in the address bar. uag-hzn.euc-livefire.com:9443
    • In the username area enter admin (case sensitive ) and in the password section enter VMware1!
    • Select Login
  1. In the Unified Access Gateway Appliance v21.03 window
    • Under Configure Manually click Select
  1. Under General Settings,
    • Move the toggle next to Edge Service Settings from Left to Right
  1. To the right of Horizon Settings, select the gear wheel
  1. In the Horizon Settings, next to
    • Re-write Origin Header, move the toggle from No on the left to Yes on the right.
    • Select Save at the bottom of the window.
    • Logout from the Admin console
  1. On your ControlCenter server,
    • Launch your Chrome Browser
    • Enter UAG-HZN.euc-livefire.com in the Address Bar
    • Select VMware Horizon HTML Access
  1. In the Login window type in the following:
    • Username: Your custom Test User
    • Password: VMware1!
    • Select Login
  1. In the Horizon HTML entitlements, launch any of the 4 entitlements
  1. Notice your entitlement launches without any further prompts
    • Also notice that you had when you did not login via Workspace ONE Access you had a Single SSO experience with Password based Authentication

Conclusion

In Summary we looked at Best practice with the regard to configuring the Blast protocol for using with  HTML Client. It is important to note that Native Client by default offers the same and possibly better user experience and we do not necessarily, see the errors we see with the HTML client. However best practices and configurations we saw in this exercise apply to both the Native and the HTML client

Acknowledgements and References

About the Author: Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions related to this session, email Reinhart at RACE-Livefire-EUC <[email protected]>

 

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.