Horizon Configuration with Workspace ONE Access and the Unified Access Gateway

Introduction

When launching an entitlement with the HTML client over Horizon Blast, either through Workspace ONE Access or as a direct connection to the broker, the default configuration produces the following behaviour:

The browser repeatedly stops at a certificate warning, even though our Connection Server has a trusted, CA-signed certificate from a public source.

The problem also occurs when using HTML Blast via Workspace ONE Access, even though Workspace ONE Access is itself using a CA-signed certificate.

The result is an unsatisfactory user experience: the user has to accept what appears to be an invalid certificate, leaving them with concerns about the resource they are consuming.

In this chapter we will look at what the default configuration of a session is, exactly what happens, and how we can make sure our sessions are secure.


Background

In earlier versions of Horizon, solving this problem required two primary operations.

First, an edit had to be made on the Broker to the LDS database using ADSIEDIT; the reason for this is explained below, and it requires understanding how the transport works. Second, the Agent's self-signed certificate had to be replaced with a CA-signed certificate. In a non-persistent environment the most practical way to do this was to use a wildcard certificate.

This exercise is divided into two parts.

  • Part 1 covers understanding this issue with the transport.
  • In Part 2 we use the latest approach to configuring Horizon Blast with Workspace ONE Access, and you will notice how much better it works.

Part 1. Validating the default configuration on the Blast transport

  1. On the ControlCenter server:
    • Open an incognito Chrome browser session
    • Launch a new session of your cloud SaaS Workspace ONE Access
    • Select Next
    • In the Select your domain field, ensure euc-livefire.com is selected
    • Select Next
    • Enter the user name (your custom user) and the password VMware1!
    • Select Sign in
  2. Select Apps in the title bar
  3. In the Workspace ONE Access console:
    • Select Apps
    • Select and launch any one of the 4 Horizon-based entitlements
  4. In the Password Request window:
    • Notice that we are prompted for a password; we will address this in a later lab
      • Enter VMware1!
    • Select Sign In
      • In the address bar, notice that the session is addressed by an IP address, and that the browser reports the certificate as not valid
      • Close your browser session
  5. So there are two problems here: our Agent is using a self-signed certificate, but even if we had a CA-signed certificate it would not be trusted, because by default Horizon prefers to use the IP address rather than the domain name.
    • In the past this was a two-part process. We had to edit the LDS database using ADSIEDIT (the configuration is shown in the screenshot above) to configure Horizon to prefer an FQDN rather than an IP address. The reason was that even a valid certificate would not be recognized, because the address in the certificate would not match the address in the browser.
    • On the virtual desktop we would replace the self-signed certificate with a CA-signed wildcard certificate.
      • And that was a problem: nobody liked it. It was not secure; it gave the impression of being secure, but it was an open door waiting to be exploited.
    • Thankfully this issue has been rectified, and in Part 2 we will look at how to secure our Horizon environment properly when we integrate with Access using the Blast protocol.

Part 2. Securing Horizon Blast sessions using HTML Access

What the product development team have done is give us the ability to tunnel HTML Blast traffic through the Broker.

  • This has two advantages: the Broker can use its own CA-signed certificate when launching the session with the client, and we do not have to configure the Broker to prefer DNS, because the client connects directly to the Broker.
  • Best practice now is to configure the HTML Blast Secure Gateway on the Broker for internal Horizon clients. In the past we would not configure Blast to tunnel through the Horizon Connection Server if we wanted to use the Unified Access Gateway.
  • With this new configuration we are able to use this Connection Server for both internal and external use.
    • We will now implement this configuration on the Horizon Connection Server and then test it out in this part.
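The certificate problem from Part 1 and the reason the Part 2 tunnel fixes it both come down to one rule: a browser only trusts a certificate whose Subject Alternative Name covers the address actually typed in the address bar. The following Python is an added example, not VMware code or part of this lab; it reimplements simplified RFC 6125 name matching so it runs offline. The SAN lists, the IP address 10.0.0.25 and the host names vdi-01.euc-livefire.com and horizon.euc-livefire.com are constructed for the illustration and are not the lab's real values.

```python
"""Why a CA-signed (even wildcard) Agent certificate still fails when Horizon
hands the browser an IP address, and why a session that terminates on the
Broker's FQDN succeeds.  Added example; SAN lists below are constructed."""
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlsplit

SAN = Tuple[str, str]   # ("DNS", name) or ("IP Address", literal), the shape
                        # ssl.SSLSocket.getpeercert()["subjectAltName"] returns


def _dns_name_matches(pattern: str, host: str) -> bool:
    """One DNS SAN entry against a host name (simplified RFC 6125 rules):
    case-insensitive, and a single leftmost '*' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False            # only a whole leftmost wildcard label is allowed
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False            # '*.example.com' covers a.example.com, not a.b.example.com
    return p_labels[1:] == h_labels[1:]


def san_matches_url(sans: Iterable[SAN], url: str) -> bool:
    """True when the host part of `url` is covered by the certificate's SANs."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # A browser sent an IP address will only accept an IP SAN; DNS
            # entries, wildcards included, never match an IP literal.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, host):
            return True
    return False


# Constructed certificates (SAN lists only), not the lab's real certificates.
AGENT_WILDCARD_CERT = [("DNS", "*.euc-livefire.com")]        # old Part 1 approach
BROKER_CERT = [("DNS", "horizon.euc-livefire.com")]         # hypothetical broker FQDN


def lab_scenarios() -> dict:
    """The three situations the lab text describes, as the browser sees them."""
    return {
        # Default Horizon behaviour: the Agent is addressed by IP, so even a
        # valid wildcard certificate is reported as not valid.
        "agent by IP": san_matches_url(AGENT_WILDCARD_CERT, "https://10.0.0.25/"),
        # After forcing an FQDN via ADSIEDIT the wildcard matches the desktop name.
        "agent by FQDN": san_matches_url(AGENT_WILDCARD_CERT, "https://vdi-01.euc-livefire.com/"),
        # Part 2: the session terminates on the Broker, which presents its own
        # CA-signed certificate for the name the client already connected to.
        "broker by FQDN": san_matches_url(BROKER_CERT, "https://horizon.euc-livefire.com/"),
    }


if __name__ == "__main__":
    for scenario, ok in lab_scenarios().items():
        print(f"{scenario:16s} -> {'trusted' if ok else 'certificate not valid'}")
```

The same function can be pointed at a live endpoint by feeding it `ssl.SSLSocket.getpeercert()["subjectAltName"]`, which is a useful check when validating a replacement certificate before users see it.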


  1. On your ControlCenter server:
    • Launch a new tab in your Chrome browser
    • Select the VMware Horizon shortcut in the Favourites bar
      • Log in as Administrator
      • For the password use VMware1!
    • Select Sign in
  2. In the Horizon Console:
    • Expand Settings
    • Select Servers
  3. Under Servers:
    • Select the Connection Servers tab
  4. On the Connection Servers tab:
    • Select the radio button next to HORIZON
    • Select Edit
  5. Notice that at present the configuration under Blast Secure Gateway is set to Do not use Blast Secure Gateway
  6. In the Edit Connection Server Settings window:
    • Select the radio button next to Use Blast Secure Gateway for only HTML Access connections to machine
    • Select OK to close the Edit Connection Server Settings window

Part 3. Validating our Horizon HTML Blast configuration

  1. On the ControlCenter server:
    • If necessary:
      • Open a new incognito Chrome browser session
      • Select your custom Workspace ONE Access URL and select Next
      • In the Select your domain field, ensure euc-livefire.com is selected
      • Select Next
      • In the username area enter your custom test user and the password VMware1!
      • Select Sign in
  2. In the Workspace ONE Access console:
    • Select All Apps
    • Select and launch any one of the 4 entitlements
      • In the following example we launch Calculator
      • In the Password Request window, enter VMware1!
        • Select Sign In
          • Note: caching of passwords is disabled by default in Workspace ONE Access. In the next lab, Horizon TrueSSO, we will sort this out.
  3. Notice there were no hiccups in the launch of your application in your browser, and you have a valid certificate in your browser
    • You are being tunneled via the Broker to your Horizon session
  4. Log off and close all windows from this lab.

Conclusion

In this session we have seen how we secure internal HTML Blast traffic.

  • If we were external, our traffic would tunnel through the Blast Secure Gateway on the UAG; when external we would not then tunnel again through the Horizon Connection Server, because the Unified Access Gateway comes into play. In the next part we will look at how we configure the Unified Access Gateway to secure the HTML Blast transport for external access.
  • The user experience has been vastly improved, as there are now no hiccups when using the HTML client.

Part 4: Securing the HTML Blast Transport using the Unified Access Gateway

  1. On your ControlCenter server:
    • Launch a new tab in your Chrome browser
    • In the address bar, enter UAG-HZN.euc-livefire.com
    • Select VMware Horizon HTML Access
  2. Notice that you get a Failed to connect to the Connection Server error
    • Select OK to close the error message
    • This is not a UAG issue and nothing is broken. It is due to a security feature enabled by default in Horizon 7 called Origin checking, which follows the Web Origin standard defined in RFC 6454
      • https://docs.vmware.com/en/VMware-Horizon-7/7.1/com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html
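To see why the error appears and why the Re-write Origin Header setting configured in the following steps clears it, the Python below is an added example that is not VMware code and does not reproduce the Connection Server's actual implementation. It models an RFC 6454 origin comparison (scheme, host, port) on the server side and, as an assumption drawn from the setting's name, a gateway that replaces the browser's Origin with the Connection Server's own origin before forwarding. The request headers and the broker name horizon.euc-livefire.com are constructed for the illustration.

```python
"""Model of Origin checking (RFC 6454) on the Connection Server and of the
UAG 'Re-write Origin Header' setting.  Added example; the server URL and
request headers are constructed, and the rewrite is an assumed model of the
setting's behaviour, not VMware's code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_tuple(url: str) -> tuple:
    """RFC 6454 compares origins as the triple (scheme, host, port)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")   # covers 'Origin: null'
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def origin_check(headers: dict, server_url: str, allowed_origins=()) -> bool:
    """Accept a request only if its Origin header is the server itself or an
    explicitly allowed origin.  A request carrying no Origin at all comes from
    a non-browser client; the check exists to stop cross-site browser requests,
    so such a request is let through."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    try:
        seen = origin_tuple(origin)
    except ValueError:
        return False
    expected = {origin_tuple(server_url)} | {origin_tuple(a) for a in allowed_origins}
    return seen in expected


def uag_rewrite_origin(headers: dict, connection_server_url: str) -> dict:
    """Assumed model of 'Re-write Origin Header = Yes': the gateway replaces the
    Origin the browser sent (the UAG's address) with the Connection Server's
    origin, so the broker's same-origin comparison succeeds."""
    forwarded = dict(headers)
    if "Origin" in forwarded:
        scheme, host, port = origin_tuple(connection_server_url)
        suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
        forwarded["Origin"] = f"{scheme}://{host}{suffix}"
    return forwarded


def lab_walkthrough() -> dict:
    """The request as the browser sends it to the UAG, and what the Connection
    Server decides with and without the rewrite."""
    connection_server = "https://horizon.euc-livefire.com"     # hypothetical broker FQDN
    browser_request = {                                          # constructed headers
        "Host": "uag-hzn.euc-livefire.com",
        "Origin": "https://uag-hzn.euc-livefire.com",
    }
    return {
        # Origin is the UAG, server expects itself: 'Failed to connect to the Connection Server'
        "before rewrite": origin_check(browser_request, connection_server),
        # After the UAG rewrites Origin, the comparison succeeds
        "after rewrite": origin_check(uag_rewrite_origin(browser_request, connection_server),
                                      connection_server),
        # The protection the check exists for: a page on another site is still refused
        "other site": origin_check({"Origin": "https://other-site.example"}, connection_server),
    }


if __name__ == "__main__":
    for case, accepted in lab_walkthrough().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

The `allowed_origins` parameter shows the other general option RFC 6454-style checks leave open, listing the gateway's origin as trusted on the server; the rewrite used in this lab keeps that list empty and makes the request look local instead.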
  3. On your ControlCenter server desktop:
    • Open your browser
    • Enter the following URL in the address bar: uag-hzn.euc-livefire.com:9443
    • In the username area enter admin (case sensitive) and in the password area enter VMware1!
    • Select Login
  4. In the Unified Access Gateway Appliance v21.03 window:
    • Under Configure Manually, click Select
  5. Under General Settings:
    • Move the toggle next to Edge Service Settings from left to right
  6. To the right of Horizon Settings, select the gear wheel
  7. In the Horizon Settings:
    • Next to Re-write Origin Header, move the toggle from No on the left to Yes on the right
    • Select Save at the bottom of the window
    • Log out of the admin console
  8. On your ControlCenter server:
    • Launch your Chrome browser
    • Enter UAG-HZN.euc-livefire.com in the address bar
    • Select VMware Horizon HTML Access
  9. In the Login window, type in the following:
    • Username: your custom test user
    • Password: VMware1!
    • Select Login
  10. In the Horizon HTML entitlements, launch any of the 4 entitlements
  11. Notice that your entitlement launches without any further prompts
    • Also notice that, although you did not log in via Workspace ONE Access, you had a single sign-on experience with password-based authentication

Conclusion

In summary, we looked at best practice for configuring the Blast protocol for use with the HTML client. It is important to note that the native client by default offers the same, and possibly a better, user experience, and we do not necessarily see the errors we see with the HTML client. However, the best practices and configurations we saw in this exercise apply to both the native and the HTML client.

Acknowledgements and References

About the Author: Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions related to this session, email Reinhart at RACE-Livefire-EUC <[email protected]>
