Posted October 23, 2024 We are trying to launch a VM for our students, but when we select the VM we get a certificate error with Blast. I have attached a screenshot. The error is not on the landing page or after you log in, but when you select the VM and it starts to open up.
October 23, 2024 Hi. This is a typical warning when a user tries to access via HTML 5. The certificate you see is the one that is installed directly on the VDI VM when you install the Horizon Agent. You should replace it with an SSL certificate that can be trusted by clients connecting via HTML. More information in these links: Install an SSL Certificate for VMware Blast on a Windows Machine (omnissa.com); Give Preference to DNS Names When Horizon Connection Server Returns Address Information (vmware.com); Connecting to Omnissa Horizon View desktops with a HTML5 browser session fails with the error: "SSL Session is invalid" (2088354)
October 23, 2024 Author So then give the VDI VM its own certificate, and not the one that we gave the Connection Server itself?
October 23, 2024 If you don't use the Connection Servers as HTML Blast Gateway, the SSL certificate is the Blast certificate installed on the VDI. You can resolve the certificate issue by enabling the HTML Blast Gateway on all Connection Servers. From "Connecting to Omnissa Horizon View desktops with a HTML5 browser session fails with the error: "SSL Session is invalid" (2088354)": "... Recommended Approach: We advise using the Blast Secure Gateway for HTML access to the machine rather than individual Blast certificates on machines. To configure, see Enable the Blast Secure Gateway for HTML Access. This option is compatible with UAG, which requires other tunnels to be set on the UAG rather than the broker. Note: This will tunnel only your HTML5 connections into desktops and utilize the certificate configured with the tunnel URL. This is the least disruptive approach. Please see Network Ports in Omnissa Horizon to review any potential port changes. ..."
October 23, 2024 Author Oh ok, that makes sense. So then spin up a UAG and use it, and the VM should pick up the certificate from the UAG. That makes more sense. I was under the impression that the UAG could only be used for external use.
October 23, 2024 Employee Hello Jesus, yes, you can either enable 'Blast Secure Gateway for HTML access only' in the CS settings, and the CS will act as a hop for the Blast connection, so it will utilize the 'vdm' certificate of the CS for the HTTPS connection. Or you can deploy a UAG; it can work for both external and internal users. Similar to the CS, it will show the certificate imported into the UAG.
October 23, 2024 Hi, as Victor said, you can use UAG for both internal and external access. You can have multiple UAG groups pointing to the same Connection Servers.
October 23, 2024 Author So I made the changes to the CS, and I had to make some changes in the locked file on the Connection Server also. Now the issue is that the Connection Server is not really accepting the certificate, but when I hit the DNS name I get no issues. This would not be a problem except that at times the DNS name takes me to the VM and at other times it goes into the Connection Server to obtain the VM. I am using a wildcard certificate from DigiCert, since that was the only way to remove the initial certificate error when hitting the landing page to log in.
October 23, 2024 Employee Not sure what you did, but it sounds like a misconfiguration. If you could explain with more details and a screenshot, perhaps we can guide you.
October 23, 2024 Author Attached are screenshots of the wildcard cert, where it shows it picks it up, and what is configured in the .locked file, along with the cert errors that we are getting. The error is coming from the Connection Server itself, but if we use the DNS name, for example vdi.com, it logs us in, we pick the VM and it works fine with no certificate error. At times we go to vdi.com, it logs us in, we select the VM and when it launches we get that certificate error that is attached.
October 24, 2024 Someone correct me, but I thought in this scenario the SSL cert used for the CS has to be imported into the UAG and the thumbprint of the cert set in the UAG?
October 24, 2024 Employee Hello Jesus, the certificate can show as 'Not secured' if the domain doesn't match the URL that is presented in the browser. If that is the case, you need to address the issue by modifying the URLs in your CS to match the certificate details, or get a new certificate that includes that DNS name in the Subject Alternative Name. Hey GoShen, it is supported to use the same certificate for both UAG and CS. However, it is not a requirement, as they can use different certificates. In the UAG settings, you need to add the thumbprint of the certificate that is installed in the CS. Edited October 24, 2024 by Victor León
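Victor's point about the name in the browser versus the certificate is easy to check from any machine on the network. The script below is an added example for this thread, not Omnissa's code or the poster's: it applies browser-style host name matching to a certificate's Subject Alternative Name list (a wildcard covers exactly one label, so *.vdi.example.com covers desktops.vdi.example.com but neither vdi.example.com nor a Connection Server FQDN in another zone) and classifies the leaf certificate a Blast HTML session would see. The host names, ports and the two certificate records are constructed; fetch_leaf() retrieves the real one from a Connection Server (8443 with the Blast Secure Gateway enabled) or directly from an agent (22443) and needs the third-party cryptography package.

```python
"""Which certificate does a Horizon HTML Access (Blast) session see, and does it
cover the name in the browser's URL?

Added example for this thread, not Omnissa code. Host names, ports and the two
certificate records below are constructed; replace them with your own values.
"""
import ssl


def hostname_matches(hostname, dns_names):
    """Browser-style (RFC 6125) matching against a certificate's SAN DNS names.

    A name matches exactly, or via a wildcard in the left-most label only, and
    the wildcard stands for exactly one label: '*.vdi.example.com' covers
    'desktops.vdi.example.com' but not 'vdi.example.com' (no label to fill) and
    not 'cs01.corp.example.local' (different zone).
    """
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".vdi.example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]    # the label the '*' must cover
                if leftmost and "." not in leftmost:
                    return True
    return False


def diagnose(cert, url_host):
    """Classify the leaf certificate for the host name the browser connected to.

    cert is a dict with subject_cn, issuer_cn, dns_names and self_signed, as
    produced by fetch_leaf(). The self-signed case is what the Blast agent
    presents by default when no Blast Secure Gateway sits in front of it.
    """
    if cert["self_signed"]:
        return ("untrusted: self-signed certificate for %s, the default Blast "
                "agent certificate (enable the Blast Secure Gateway for HTML "
                "Access, or install a CA-issued certificate on the agent)"
                % cert["subject_cn"])
    if not hostname_matches(url_host, cert["dns_names"]):
        return ("name mismatch: %s is not covered by SAN %s (point the URLs on "
                "the Connection Server at a covered name, or reissue the "
                "certificate with this name)" % (url_host, cert["dns_names"]))
    return "ok: certificate from %s covers %s" % (cert["issuer_cn"], url_host)


def fetch_leaf(host, port):
    """Fetch the leaf certificate WITHOUT verifying it (we want to look at an
    untrusted one). Port 8443 on a Connection Server with the Blast Secure
    Gateway enabled, 22443 on a desktop's Blast agent. Parsing needs the
    third-party 'cryptography' package; the checks above do not.
    """
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    pem = ssl.get_server_certificate((host, port))
    cert = x509.load_pem_x509_certificate(pem.encode())
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns_names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []

    def common_name(name):
        attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
        return attrs[0].value if attrs else ""

    return {"subject_cn": common_name(cert.subject),
            "issuer_cn": common_name(cert.issuer),
            "dns_names": dns_names,
            "self_signed": cert.issuer == cert.subject}


# Constructed records in the shape fetch_leaf() returns.
AGENT_CERT = {"subject_cn": "WIN10-VDI-01", "issuer_cn": "WIN10-VDI-01",
              "dns_names": [], "self_signed": True}
WILDCARD_CERT = {"subject_cn": "*.vdi.example.com", "issuer_cn": "Example Public CA",
                 "dns_names": ["*.vdi.example.com"], "self_signed": False}

if __name__ == "__main__":
    cases = [
        ("direct to agent, no gateway", AGENT_CERT, "desktops.vdi.example.com"),
        ("gateway, browser used CS FQDN", WILDCARD_CERT, "cs01.corp.example.local"),
        ("gateway, browser used alias", WILDCARD_CERT, "desktops.vdi.example.com"),
    ]
    for label, cert, host in cases:
        print("%-32s %s" % (label, diagnose(cert, host)))
```

The second constructed case is the intermittent error described in this thread: the wildcard certificate is fine, but when the Blast connection is sent to the Connection Server's own FQDN instead of the alias the certificate was issued for, the name check fails. To test a live server, call fetch_leaf("your-cs-fqdn", 8443) and pass the result to diagnose() with the host name from the browser's address bar.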
October 24, 2024 Author I think I was able to get it working. I am going to monitor and make sure the error does not come back. If so, I'll post what I did for it to work in case anyone else has the same issue.
October 25, 2024 Author Good morning. I was able to get it to work. Thank you all for the help; it was a combination of everyone's responses that did it for us. We did not have to use a UAG. The certificate we gave the Connection Server had to be from a CA, and we used a wildcard cert; changes were done to the locked file, and on the Connection Server we had to enable "Blast Secure Gateway for only HTML Access" along with changing the URL to the DNS entry that we created to use, so that the server itself would not randomly appear with the certificate error when selecting the VM. This is what Victor mentioned about modifying the URLs on the server to match the certificate details, since the certificate is a wildcard cert. Below are the changes to the locked file.
enableCORS=false
checkOrigin=false
portalHost.1=<URL given to access VM>
portalHost.2=<server FQDN>
allowUnexpectedHost=true
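A check a practitioner would want to run on a locked file like the one posted above (added example for this thread, not the poster's or Omnissa's code): parse a locked.properties and report which request checks its settings switch off. The key meanings (checkOrigin, enableCORS, allowUnexpectedHost, portalHost.N) follow the Horizon Connection Server documentation; the two sample files are constructed, the first with the values from the post above and example host names, the second keeping the checks enabled and relying on the portalHost list to name the DNS alias and the server FQDN.

```python
"""Report which request checks a Horizon Connection Server locked.properties
switches off. Added example for this thread, not Omnissa code; key meanings
follow the Connection Server documentation, sample files are constructed.
"""

# (key, value) pairs that disable a check, with what the check protects.
# The default for all three keys leaves the check enabled.
WEAKENING_SETTINGS = {
    ("checkOrigin", "false"):
        "Origin header checking disabled: the HTML Access portal accepts "
        "requests from any web origin (cross-site request protection lost)",
    ("enableCORS", "false"):
        "CORS checking disabled: cross-origin requests are no longer filtered",
    ("allowUnexpectedHost", "true"):
        "Host header checking disabled: requests for any Host name are accepted",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return the weakening findings and the host names the file allows."""
    props = parse_properties(text)
    findings = [message for (key, value), message in WEAKENING_SETTINGS.items()
                if props.get(key, "").lower() == value]
    # portalHost.1, portalHost.2, ... are the names the server accepts as its own
    allowed_hosts = [value for key, value in sorted(props.items())
                     if key.startswith("portalHost.")]
    return {"findings": findings, "allowed_hosts": allowed_hosts}


# Constructed sample 1: the settings from the post above, with example names.
POSTED_CONFIG = """\
enableCORS=false
checkOrigin=false
portalHost.1=desktops.vdi.example.com
portalHost.2=cs01.corp.example.local
allowUnexpectedHost=true
"""

# Constructed sample 2: the same two names are listed, but the checks stay on
# (these are the defaults, written out so the intent is visible in the file).
HARDENED_CONFIG = """\
# request checks stay enabled
checkOrigin=true
enableCORS=true
portalHost.1=desktops.vdi.example.com
portalHost.2=cs01.corp.example.local
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(label, "allowed hosts:", ", ".join(result["allowed_hosts"]))
        for finding in result["findings"] or ["no checks disabled"]:
            print("  -", finding)
```

Run it against the real file (C:\Program Files\Omnissa\VMware\Horizon\Server\sslgateway\conf\locked.properties, path as installed on the Connection Server) by passing its contents to audit(). The point of the second sample is that listing the alias and the server FQDN in portalHost.N is what tells the Connection Server which names to accept; the three settings flagged in the first sample stop it from checking at all.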