
Origin Checking with Horizon View 7

VMware Horizon View 7 added a new security feature, enabled by default, for RFC 6454 origin checking. This security feature protects against cross-site request forgery. When you go to the View Administrator page, it checks the origin URL of the web request and rejects the request if the URL is not https://localhost/admin or https://URL_used_in_Secure_Tunnel_URL_Field/admin.

Keep in mind that this feature was around in earlier versions but was disabled by default.

The big impact I have seen from this is if you try to go to the Horizon View Administrator web page in Google Chrome or Safari. When you use one of those browsers, you will see a blank or incomplete site with text missing from buttons. Below is an example of what you will see.



If you want the simple way out, you can disable the feature by modifying the locked.properties file on each of your connection and security servers. If you do not want to take the simple way out, take a look at the rest of this post.

File Location: Install_directory\VMware\VMware View\Server\sslgateway\conf

  1. If you do not have a locked.properties file, create it in the folder location listed above.
  2. Add checkOrigin=false to this file.

The next two items let you reach the Horizon View Administrator page not only at https://localhost/admin or https://URL_used_in_Secure_Tunnel_URL_Field/admin, but also at any addresses you enter for your load balancer or portal hosts.

Load Balancer


If you have multiple connection servers or security servers that are load balanced, you have to specify the load balancer address by adding an option to your locked.properties file. (Note: port 443 is assumed for this address.)

File Location: Install_directory\VMware\VMware View\Server\sslgateway\conf

  1. If you do not have a locked.properties file, create it in the folder location listed above.
  2. Add balancedHost=load-balancer-name to this file.

Portal Host


If you will be using Access Point appliances, you must specify the Access Point addresses in the locked.properties file. (Note: port 443 is assumed for this address.) You will also want to do this for a connection server or security server if you want to provide access by a name that is different from the one specified in the External URL field.

File Location: Install_directory\VMware\VMware View\Server\sslgateway\conf

  1. If you do not have a locked.properties file, create it in the folder location listed above.
  2. Add portalHost.1=access-point-name-1 and keep adding portalHost.x entries until you have all your servers listed.
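
As an added example (not from the original post or from VMware), the following Python code audits the text of one server's locked.properties file: it flags checkOrigin=false, flags portalHost keys that do not follow the portalHost.<n> form, and lists the admin URLs the settings above allow. The function names, the example.com host names and the tunnel_host parameter (the host from the Secure Tunnel URL field, passed in by the caller) are assumptions made for illustration.

```python
import re

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_origin_settings(text, tunnel_host):
    """Return (accepted_admin_urls, findings) for one locked.properties text.
    tunnel_host: host from the Secure Tunnel URL field, supplied by the
    caller (assumption: it is not read from locked.properties).
    """
    props = parse_properties(text)
    findings, portal = [], {}
    if props.get("checkOrigin", "").lower() == "false":
        findings.append("checkOrigin=false: origin checking is disabled")
    hosts = ["localhost", tunnel_host]
    if props.get("balancedHost"):
        hosts.append(props["balancedHost"])
    for key, value in props.items():
        match = re.fullmatch(r"portalHost\.(\d+)", key)
        if match:
            portal[int(match.group(1))] = value
        elif key.lower().startswith("portalhost"):
            findings.append(f"{key}: expected the form portalHost.<n>")
    hosts += [portal[n] for n in sorted(portal)]
    # Port 443 is assumed for these addresses, so no port is appended.
    return [f"https://{h}/admin" for h in hosts], findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
# load-balanced pod
checkOrigin=false
balancedHost=view.example.com
portalHost.2=ap2.example.com
portalHost.1=ap1.example.com
portalHosts.3=ap3.example.com
"""

if __name__ == "__main__":
    urls, findings = audit_origin_settings(SAMPLE, "cs1.example.com")
    print("\n".join(urls + findings))
```

Run it against the file contents from every connection and security server, since locked.properties is maintained separately on each one.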