What the Cert, Unified Access Gateway or UAG

So this next post will be about taking the same certificate we created in “Signing and Horizon Connection Server” and applying it to the UAGs.


Topology

The blurred areas are complete

I have deployed a UAG, and when I connect to the management interface I get an error that the certificate is not trusted. The UAG admin page is https://fqdn:9443

  1. Click Continue, log in to the UAG and then select Configure Manually

  2. Select TLS Server Certificate Setting

  3. Check the Admin Interface (uag01.demo.org) and Internet Interface (vdi.demo.org)

  4. Select Certificate Type as PFX

  5. Upload PFX and Select hzcs.pfx

  6. Enter the password assigned in the previous post

PFX Certificate

What the Cert, AppVolumes 2.X and 4.X replacement

This next part assumes that the FQDN for AppVolumes Manager was part of the original CSR request. If you refer back to https://www.vbrit.net/certificates/what-the-cert you can see how I did this in horizon_csr.cfg; scroll to the right on the subjectAltName line. It would be nice if all the certs used the same format, but they don’t, so I think I found a way to make this as painless as possible.


Topology

Who doesn’t like pictures? As you can see, we are going to protect the AVM VIP and nodes.


Exporting the certificate

I am going to reuse the certificate that was installed on the Connection Server: export it, then use OpenSSL to extract the cert and key into the required format. So, first RDP to the Connection Server. Open mmc, select File, then “Add or Remove Snap-ins”, and select Certificates.

Select Computer account and click Next, then Local Computer and Finish.

Open Personal > Certificates and select the Horizon certificate. It should have the friendly name vdm.

Select Export, Next. Select “Yes, export the private key”, Next

Select the following properties and select Next

Select the Password check box and assign a password, Next

Remember this password!

Save the certificate and name it avm.pfx. Move the cert to the computer that has OpenSSL, using the folder structure from before, i.e. C:\Certs\AVM


In this next part we extract the key from the exported PFX file in RSA format and then convert it to PEM.

Open an elevated command prompt and change to the OpenSSL bin folder. Enter the following command:

openssl pkcs12 -in C:\certs\avm\avm.pfx -nocerts -out C:\certs\avm\avm.key

Enter the password from the Export and use it again in the PEM pass phrase.

openssl rsa -in C:\certs\avm\avm.key -outform PEM -out C:\certs\avm\avm_pem.key

Now we export the certificate from the PFX and convert it to the correct format.

openssl pkcs12 -in C:\certs\avm\avm.pfx -clcerts -nokeys -out C:\certs\avm\avm.crt

Enter the password from above.

In the C:\certs\avm folder you should now see avm.pfx, avm.key, avm_pem.key and avm.crt. We only care about avm.crt and avm_pem.key; copy these to the AppVolumes Manager.


Import Certificate

Copy the certificates avm.crt & avm_pem.key to the following location on the AppVolumes Manager(s)

C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf

From the AppVolumes Manager, open an elevated command prompt and type notepad. This will open Notepad with the correct rights to edit and save the nginx.conf file.

Edit the lines that reference the certificate files so they reflect the new names of the certificates. It should look like this below; save the file.

Now restart the App Volumes Manager Service for the new Certificates to take effect

Once the service has restarted you should see the padlock indicating the session is secure and the Certificate is trusted.

Hope this helps

What the Cert, Signing and Securing Horizon Connection Server

So who likes certs? What, no hands? Well, I am not surprised, but these are essential to keep us safe. This will be a series of posts based on the Horizon 7.X stack. I plan to take you through the cert request (CSR) to deployment on the Horizon Connection Servers, through to UAG and App Volumes etc.

I won’t try to explain how certs work, as there are many blogs on this topic, but check this blog if you need a refresher: SSL Certificates Explained


Tools

First, let’s start with the tools I have been using for a number of years: OpenSSL and Notepad++. Download and install these, then create a folder structure like the example below. In this example mine is C:\Certs, but I normally keep it on my OneDrive.

FYI Credit goes to Fred M for this idea


Topology

Being a visual person, I put together this Visio diagram to help visualize the areas that this certificate is going to protect.


So, the first part is the request. A few things to think about: is this for a single device or multiple? Multiple domains, etc.? To keep it simple I will do a request for the Common Name (vdi.demo.org) with SANs for the UAGs, Connection Servers, AppVolumes etc.

Create a file in the CSR folder called “horizon_csr.cfg”, paste in the following, edit it to reflect your naming and save.

[ req ]
default_bits = 2048
default_keyfile = solution_name.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vdi.demo.org, DNS:uag.demo.org, DNS:uag01.demo.org, DNS:uag02.demo.org, DNS:cs01.demo.org, DNS:cs02.demo.org, DNS:avm.demo.org, DNS:avm01.demo.org, DNS:avm02.demo.org, DNS:workspace.demo.org
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NH
localityName = Salem
0.organizationName = Lab
organizationalUnitName = Eng
commonName = vdi.demo.org

Now open a command prompt and change directory to the OpenSSL\bin folder. The command below creates the CSR and outputs the CSR and private key to the CSR folder.

openssl req -new -nodes -out c:\certs\csr\csr.csr -keyout c:\certs\csr\csr-orig.key -config c:\certs\csr\horizon_csr.cfg

Next convert the Key into the RSA format.

openssl rsa -in c:\certs\csr\csr-orig.key -out c:\certs\csr\rsa.key

In the CSR folder you will see horizon_csr.cfg, csr.csr, csr-orig.key and rsa.key


Signing of the Certificate

Now that we have generated the request we need to get it signed by a Certificate Authority (CA). For this example I am going to use a Windows Certificate Server. First let’s open the CSR and make sure it has the information we require. Open the csr.csr file with Notepad++; the content of the file should look like the following. Make sure there are no spaces after the last character, then CTRL+A and copy.

Make sure there is no space after the last character

Open a browser to https://decoder.link/ and paste the content in. This will show you the information you entered in horizon_csr.cfg. Again, it should look like this.

Notice the SANs; if anything is incorrect, go back, make the changes and re-key the CSR.
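As an added example (not from the original post), the script below writes the horizon_csr.cfg above, builds the CSR with the same two openssl commands, and then checks the resulting CSR locally for the expected SANs and CN instead of pasting it into a web decoder. It assumes a POSIX shell with openssl on the path, and uses a working directory in place of C:\certs\csr.

```shell
#!/bin/sh
# Added example, not from the original post: writes the post's horizon_csr.cfg,
# builds the CSR with the same openssl commands, then checks the CSR locally.
set -eu
# Every name that must be in the request: the CN plus each SAN from the post.
EXPECTED="vdi.demo.org uag.demo.org uag01.demo.org uag02.demo.org cs01.demo.org
cs02.demo.org avm.demo.org avm01.demo.org avm02.demo.org workspace.demo.org"
write_cfg() {   # $1 = path to write; the post's config, verbatim
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = solution_name.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vdi.demo.org, DNS:uag.demo.org, DNS:uag01.demo.org, DNS:uag02.demo.org, DNS:cs01.demo.org, DNS:cs02.demo.org, DNS:avm.demo.org, DNS:avm01.demo.org, DNS:avm02.demo.org, DNS:workspace.demo.org
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NH
localityName = Salem
0.organizationName = Lab
organizationalUnitName = Eng
commonName = vdi.demo.org
EOF
}
make_csr() {    # $1 = working dir, standing in for C:\certs\csr
  write_cfg "$1/horizon_csr.cfg"
  openssl req -new -nodes -out "$1/csr.csr" -keyout "$1/csr-orig.key" \
    -config "$1/horizon_csr.cfg" 2>/dev/null
  openssl rsa -in "$1/csr-orig.key" -out "$1/rsa.key" 2>/dev/null
}
# Lists the DNS SANs and the CN the CSR actually carries, one name per line.
csr_names() {   # $1 = CSR path
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -c5-
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# Returns 0 when every expected name is present, otherwise prints the gaps and returns 1.
check_csr() {   # $1 = CSR path
  have=$(csr_names "$1"); rc=0
  for n in $EXPECTED; do
    echo "$have" | grep -Fqx "$n" || { echo "missing: $n"; rc=1; }
  done
  return $rc
}
```

Run `make_csr "$PWD"` then `check_csr "$PWD/csr.csr"`; a non-zero exit with a "missing:" line means the config needs fixing and the CSR re-keying before it goes to the CA.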

Head to the CA server of choice after the CSR has been validated. I am using a Microsoft Certificate Server.


Open a browser, go to http://FQDN/certsrv and log in

  • Select Request a Certificate

    • Select Advanced certificate request

    • Select Submit a certificate request by using a base-64-encoded…….

    • In the window, paste the content of csr.csr, change the Certificate Template to Web Server and click Submit


Select Base 64 encoded and then select Download certificate chain


Save certnew.p7b and then open it. I see 2 files:

  1. The Certificates I requested

  2. Root CA cert, maybe an Intermediate CA (If you have one)

Next select the vdi.demo.org cert, then right-click > All Tasks > Export


Next > Select Base-64 > Next


Save the Certificates to “C:\Certs\CSR\vdi.demo.org.cer”


Select Finish to Complete the Export

Now do the same task and export the CA cert from the certnew.p7b and name it root64.cer

Copy the Exported certs to the following location C:\Certs

Now we need to prep the cert for the Connection Server by making the private key exportable.

Run the following OpenSSL command to build the PFX:

openssl pkcs12 -export -in C:\Certs\vdi.demo.org.cer -inkey C:\Certs\csr\rsa.key -certfile C:\Certs\root64.cer -passout pass:VMware1! -out C:\Certs\hzcs\hzcs.pfx

Once the cert is created you will notice the key in the certificate’s icon, indicating the key has been marked as exportable.
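As an added example, not from either post, this script packs the cert and key into a PFX as above, then runs the App Volumes extraction commands and checks that avm_pem.key really belongs to avm.crt (and is unencrypted) before the pair is copied into nginx. It assumes a POSIX shell with openssl on the path and substitutes a constructed self-signed cert for the CA-issued vdi.demo.org.cer, so the -certfile root64.cer chain argument is left out.

```shell
#!/bin/sh
# Added example, not from either post: packs cert + key into a PFX as the Connection
# Server post does, extracts avm.crt / avm_pem.key as the App Volumes post does, and
# checks that the extracted key really belongs to the certificate before nginx gets it.
# Constructed input: a self-signed cert stands in for the CA-issued vdi.demo.org.cer,
# so the post's -certfile root64.cer chain argument is left out here.
set -eu
make_test_cert() {      # $1 = working dir; constructed stand-in for the CA-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=vdi.demo.org" \
    -keyout "$1/rsa.key" -out "$1/vdi.demo.org.cer" 2>/dev/null
}
build_pfx() {           # $1 = dir, $2 = PFX password (the post uses -passout pass:VMware1!)
  openssl pkcs12 -export -in "$1/vdi.demo.org.cer" -inkey "$1/rsa.key" \
    -passout "pass:$2" -out "$1/hzcs.pfx"
}
# The three App Volumes extraction commands, with -passin/-passout answering the prompts.
extract_for_nginx() {   # $1 = dir, $2 = PFX password, reused as the PEM pass phrase
  openssl pkcs12 -in "$1/hzcs.pfx" -nocerts -passin "pass:$2" -passout "pass:$2" \
    -out "$1/avm.key"
  openssl rsa -in "$1/avm.key" -passin "pass:$2" -outform PEM -out "$1/avm_pem.key" 2>/dev/null
  openssl pkcs12 -in "$1/hzcs.pfx" -clcerts -nokeys -passin "pass:$2" -out "$1/avm.crt"
}
# Returns 0 only when the public key inside the cert equals the one derived from the key.
key_matches_cert() {    # $1 = cert PEM, $2 = unencrypted key PEM
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Returns 0 only for an unencrypted PEM key, which is what nginx needs without a passphrase.
key_is_plain_pem() {    # $1 = key path
  ! grep -q 'ENCRYPTED' "$1" && grep -q 'PRIVATE KEY' "$1"
}
```

A mismatch between avm.crt and avm_pem.key is the usual reason the App Volumes Manager service refuses to start after the swap, so run key_matches_cert on the pair before restarting it.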


Import Certificate to the Connection Server

  1. In the MMC window on the Connection Server host, expand the Certificates (Local Computer) node and select the Personal folder.

  2. In the Actions pane, go to More Actions > All Tasks > Import.

  3. In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.

  4. Select the certificate file and click Open. To display your certificate file type, you can select its file format from the File name drop-down menu.

  5. Type the password for the private key that is included in the certificate file. (Set in last command above)

  6. Select Mark this key as exportable and select Include all extended properties.

  7. Click Next and click Finish. The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.

  8. Right-click the self-signed or previous certificate that was issued to the Horizon 7 server host and click Properties.

  9. On the General tab, delete the Friendly name text.

  10. Right-click the NEW certificate that was imported and select Properties.

  11. On the General tab, add vdm to the Friendly name, click Apply and click OK.

  12. Verify that the new certificate contains a private key.

    1. In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new certificate.

    2. In the General tab of the Certificate Information dialog box, verify that the following statement appears: You have a private key that corresponds to this certificate.

Restart the VMware Horizon View Connection Server service for the change to take effect.


Look for the padlock to show that the session is now trusted and encrypted.

NEXT…… UAGs