
UAG connection thumbprint and cert issue


FatPog


So I have not touched Horizon in nearly 3 years and have been tasked with upgrading an environment that I have no prior knowledge of. I am running into issues.
It is a very messy setup. There are no load balancers or setup documentation.


The idea is to go from 2111 to 2406. Currently this environment has one UAG and two CS. One CS is for internal purposes (Con1) and the other for external connections (Con2). The UAG has its connection URL pointed to con2.domain.local and its thumbprint points to the SHA1 of a wildcard cert *.company.com

The CS both have the wildcard certificate loaded (vdm). Now somehow connecting is working fine under 2111. Not that I understand it because the wildcard cert has no knowledge of con2.domain.local. Is there some hidden setting somewhere that could translate anything?

I follow the upgrade process. I can upgrade the CS to 2406. Once upgraded I can still connect to the desktops internally via CS (I did notice that it overwrote the branding back to default. Any tips on how to save the custom branding would be appreciated).

Next I do the UAG. Deploy new one and import settings. Now this did not work and I believe that this is because of the SHA1 setting not being supported. I configured it manually with the same settings but changed it to SHA256. The certificate was already SHA256. And things don't work via UAG anymore. I believe it should not work because the connection URL domain name does not match the wildcard. But I am stumped over how it works with 2111. What am I overlooking?


I have not verified yet but could it be a setting in one of the properties files that got overwritten with the CS upgrade? From memory, I saw an error along the lines of "vmware horizon rejecting request unexpected host header". The Horizon settings in UAG are green but in the CS admin portal it says unreachable. I hope this makes sense.


  • Employee

Welcome 😉

The locked.properties will need a change, a PortalHost entry needs to be added to get rid of that one error.
The cert could be fine, it could support multiple domains, just make sure the right FQDNs of the connection servers (but I guess they never change) are in there.


And just adding, I'd recommend configuring the HCS servers as portal host entries, and then use your UAG FQDNs for your balanced host entries.

I'm assuming you have a single FQDN that internally points to the HCS for connections, and externally to the UAG, so I'd recommend having that configured as a balanced host.

@Rob Beekmans, any idea where that KB went that specified the "locked.properties" behavior across versions? I can't seem to find it.


Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com

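As an added illustration of the portalHost/balancedHost layout described in the replies above (not a file from the thread or from Omnissa), this is what the locked.properties on each Connection Server could look like for the environment in the question. The Connection Server names come from the post; horizon.company.com and uag1.company.com are placeholders for the shared FQDN and the UAG's external FQDN, and the file lives in the Connection Server's sslgateway\conf folder as documented for Horizon 8 (verify the path on 2406).

```properties
# locked.properties (added example, placeholders marked below)
#
# Every name a client may put in the Host header has to be listed here,
# otherwise the Connection Server rejects the request with
# "unexpected host header" - the symptom seen after the CS upgrade.

# portalHost: the Connection Servers' own FQDNs (from the thread).
portalHost.1=con1.domain.local
portalHost.2=con2.domain.local

# balancedHost: names that sit in front of the Connection Servers,
# i.e. the shared FQDN (internal -> CS, external -> UAG) and the UAG itself.
# Both values are placeholders; substitute the real names.
balancedHost.1=horizon.company.com
balancedHost.2=uag1.company.com

# Do not work around the host-header error by disabling the check
# (checkOrigin=false); listing the hosts keeps the protection in place.
```

The file is recreated with defaults by an upgrade, so keep a copy of it alongside the branding files, and restart the Connection Server service after editing it for the entries to take effect.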

I'm pretty sure I saw this question on Reddit this morning. 

The docs for configuring the locked.properties file are here: https://docs.omnissa.com/bundle/Horizon8InstallUpgrade/page/AllowHTMLAccessThroughaGateway.html


Sean Massey
Independent Consultant/Analyst/Blogger | VCDX-EUC 247
Vice Chairman of the Board - World of EUC
Blog: thevirtualhorizon.com | Mastodon: @seanpmassey@vmst.io | Instagram/Threads: @seanpmassey | LI: https://www.linkedin.com/in/seanpmassey/

