
Monday, October 13, 2014

Connecting to a VMware Horizon View desktop with HTML 5 access presents a certificate warning

I recently received a few calls from various clients who have asked me why they are presented with a certificate warning when they use the VMware Horizon HTML Access method to connect to their desktop, as shown in the following screenshots:

image

image

image

The following screenshot shows a certificate warning to inform the user that there is a certificate mismatch between the URL that the user is navigating to and the name on the certificate:

image

What is happening here is that the View Connection Server the user is connecting to has the following setting set to the name of the server itself (vv02.domain.com):

Blast Secure Gateway
Use Blast Secure Gateway for HTML access to machine
 
Blast External URL

image

Since the certificate has a common name of desktop.domain.com and it does not have any SAN entries for the connection server’s name, the user is presented with this warning. One of the ways to fix it is to update the Blast External URL to the name on the certificate, which is desktop.domain.com.

image

Notice the URL of the browser once connected to the View desktop is desktop.domain.com:8443…:

image

One of the other questions I’ve been asked is whether it is possible to simply uncheck the Use Blast Secure Gateway for HTML access to machine option so that the user can connect directly to the virtual desktop:

image

The answer to that is no, because by unchecking the option the user would get sent directly to the virtual desktop’s IP, which would in turn present the same certificate mismatch error, but this time for the IP address that the user is being sent to:

 image
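The name check behind both warnings above, as an added example (not from the original post or from VMware): a Python function that tells whether the host in a Blast External URL is covered by the certificate. The certificate dict follows the format of Python's `ssl` `getpeercert()`; the `https://` URLs and the address 10.0.0.25 are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in getpeercert() format: CN only, no SAN (as in the post).
CERT = {"subject": ((("commonName", "desktop.domain.com"),),)}

def dns_match(pattern, host):
    """RFC 6125-style match: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Split a getpeercert()-style dict into (dns_sans, ip_sans, common_names)."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def url_matches_cert(external_url, cert):
    """True if the host part of external_url is covered by the certificate."""
    host = urlsplit(external_url).hostname
    if host is None:
        raise ValueError("no host in %r" % external_url)
    dns, ips, cns = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: use SAN DNS entries; fall back to the CN only when the
        # certificate has none (legacy behaviour, current browsers require a SAN).
        return any(dns_match(name, host) for name in (dns or cns))
    # IP literal: only an IP Address SAN can match, never a DNS name or the CN.
    return any(ipaddress.ip_address(i) == addr for i in ips)

if __name__ == "__main__":
    # Constructed URLs: connection server name, certificate name, desktop IP.
    for url in ("https://vv02.domain.com:8443",
                "https://desktop.domain.com:8443",
                "https://10.0.0.25"):
        ok = url_matches_cert(url, CERT)
        print(url, "OK" if ok else "certificate name mismatch")
```

Only the second URL passes, which is why pointing the Blast External URL at the certificate's name removes the warning while sending users to the desktop's IP does not.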

2 comments:

Matrix said...

Hi Terence,

I have configured a VMware Access Point 2.7.2 vs a Horizon View 7 (that acts as frontend vs an RDSH farm). The AP responds to external calls with a public name that is resolved externally with the AP appliance and internally with the Connection Server.

All works fine.

I have integrated these objects in Identity Manager 2.7.1. When the user connects internally and clicks on an RDSH app, all is OK. Externally, he receives "failed to connect to the connection server".

Any ideas?

Thank you

Anonymous said...

Hi Terence, I'm confused about the desktop.domain.com:8443 bit for the Blast External URL, so would I put the desktop name, i.e. Ws12345.domain.com, actually "desktop.domain.com"?