Jesus Lopez-1 Posted 20 hours ago Share Posted 20 hours ago We are trying to launch run a VM for our students but when we select the VM we get a certificate error with blast. I have attached a screenshot. The error is not on the landing page or after you log in but more when you select the VM and it starts to open up. Quote Link to comment Share on other sites More sharing options...
Fabio Storni Posted 20 hours ago Share Posted 20 hours ago Hi This is a tipical warnign when a user tries to access via HTML 5. The certificate you see is the one that is installed directly on the VDI VM when you install the horizon agent. You should replace it with an SSL certificate that can be trusted by clients connecting via HTML. In this links more information: Install an SSL Certificate for VMware Blast on a Windows Machine (omnissa.com) Give Preference to DNS Names When Horizon Connection Server Returns Address Information (vmware.com) Connecting to Omnissa Horizon View desktops with a HTML5 browser session fails with the error: "SSL Session is invalid" (2088354) 1 Quote Link to comment Share on other sites More sharing options...
Jesus Lopez-1 Posted 19 hours ago Author Share Posted 19 hours ago So then give the VDI VM its own certificate and not one that we gave the connection server itself them? Quote Link to comment Share on other sites More sharing options...
Fabio Storni Posted 19 hours ago Share Posted 19 hours ago If you don't use the Connection Servers as HTML Blast Gateway, the SSL certificate is the BLAST certificate installed on the VDI. You can resolve the certificate issue by enabling the HTML BLAST GATEWAY on all connection servers. Connecting to Omnissa Horizon View desktops with a HTML5 browser session fails with the error: "SSL Session is invalid" (2088354) "...... Recommended Approach: We advise using the blast secure gateway for HTML access to the machine rather than individual blast certificates on machines. To configure see Enable the Blast Secure Gateway for HTML Access This option is compatible with UAG, which requires other tunnels to be set on the UAG rather than the broker. Note : This will tunnel only your HTML5 connections into Desktops and utilize the certificate configured with the tunnel URL. This is the least disruptive approach. Please see Network Ports in Omnissa Horizon to review any potential port changes. ....." 1 Quote Link to comment Share on other sites More sharing options...
Jesus Lopez-1 Posted 19 hours ago Author Share Posted 19 hours ago Oh ok that makes sense. So then spin up a UAG and use it and the VM should pick up the Certificate from the UAG. That makes more sense. I was under the impression that the UAG could only be used for external use. Quote Link to comment Share on other sites More sharing options...
Employee Victor León Posted 17 hours ago Employee Share Posted 17 hours ago Hello Jesus, Yes you can either enable 'Blast Secure Gateway for HTML access only' in the CS settings and the CS will act as a hop for the Blast connection, so it will utilize the 'vdm' certificate of the CS for the https connection. Or you can deploy a UAG, it can work for both external and internal users. Similar to the CS, it will show the certificate imported into the UAG. Quote Link to comment Share on other sites More sharing options...
Fabio Storni Posted 16 hours ago Share Posted 16 hours ago Hi, as Victor said, you can use UAG for both internal and external access. You can have multiple UAG groups pointing to the same Connection Servers. Quote Link to comment Share on other sites More sharing options...
Jesus Lopez-1 Posted 13 hours ago Author Share Posted 13 hours ago So I made the changes to the CS and I had to make some changes on the locked file in the connection server also. Now the issue is that the connection server is not really accepting the certificate but when I hit the DNS I get no issues. This would not be a problem except that at times the dns takes me to the VM and others it goes into the connection server to obtain the VM. I am using a wildcard certificate from Digicert since that was the only way to remove the initial certificate error when hitting the landing page to log in. 1 Quote Link to comment Share on other sites More sharing options...
Employee Victor León Posted 12 hours ago Employee Share Posted 12 hours ago Not sure what you did but sounds like a misconfiguration. If you could explain with more details and screenshot perhaps we can guide you. Quote Link to comment Share on other sites More sharing options...
Jesus Lopez-1 Posted 11 hours ago Author Share Posted 11 hours ago Attached are screenshots of the wildcard cert where it shows it picks it up and what is configured on the .locked file along with the cert errors that we are getting. The error is coming from the connection server itself but if we use the dns example vdi.com it logs us in we pick the vm and it works fine no certificate error. At times we go to vdi.com logs us in we select the vm and when it launches we get that certificate error that is attached. Quote Link to comment Share on other sites More sharing options...
GoShen Posted 4 hours ago Share Posted 4 hours ago Someone correct me but I thought in this scenario, the SSL Cert used for the CS has to be imported into the UAG and the thumbprint of the cert set in the UAG? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.