View Security Servers Behind an SSL Terminating F5 Load Balancer


We’re working on remote access for a View solution at one of my customers right now.  We’ve got a pair of external user Connection Brokers, each partnered with a Security Server.  We’ve also got an F5 Big-IP load balancer sitting in front of the Security Servers, giving them some protection from the big bad ‘net and, more importantly, providing load balancing services.  We found that the process was a bit more circumspect than I had expected, involving instructions from several documents, so I’m consolidating our process here.  

At first, we followed the instructions from the F5 View Deployment Guide, which got us really close to what we needed.  It’s worth noting that the “External URL” and “PCoIP External URL” fields should be the public address of the F5, even though the document uses an internal address in its examples.

We were able to connect to the system by our public name and it presented the list of desktops to our test account.  However, when we tried to connect to a desktop, we were given a certificate error that mentioned that the certificate thumbprint returned was different from the expected thumbprint.  This caused our connection to fail before ever establishing the PCoIP Connection.

Fortunately, there’s a VMware KB Article that discusses this issue.  The instructions aren’t quite perfect though, so I’ll elaborate on them here.

1) Locate the SHA1 thumbprint for the SSL certificate.
If you look at the error message in your client logs (C:\Users\UserName\AppData\Local\VMware\VDM\logs\log-date.txt), you’ll find a line like “ERROR (0900-1AE0) <TunnelRead> [wsc_tunnel] Tunnel::start: Tunnel server thumbprint doesn’t match the expected one.  Expected thumbprint is…” and then a long hex string, followed by a record of the Actual Thumbprint and the certificate information.  This is counterintuitive, but the SHA1 thumbprint that you want to record here is the “actual” thumbprint, not the “expected” one.
2) Open the ADAM ADSI Editor
On one of the Connection Brokers, either follow the instructions in the guide or just type “ADSI Edit” in the 2008 magic bar.
3) Right click on the root object (ADSI Edit) and select Connect to…
4) Under the “Connection Point” section, enable the “Select or type a Distinguished Name…” radio button and type “dc=vdi,dc=vmware,dc=int” in the text box.  Below that, in the “Computer” section, enable the “Select or type a domain or server…” radio button and type “localhost” in the text box.  Press “OK” to connect.
5) Expand OU=Properties and select OU=Server
6) Right click on the Security Server and select Properties
7) Scroll down to find the pae-SslCertThumbprint attribute, doubleclick it and enter the SHA1 thumbprint discovered in step 1 and press OK.  Then find the pae-SslCertThumbprintAlgorithm attribute, double click on it and enter “SHA1”, then press OK.
8) Repeat steps 6 and 7 for each Security Server.
9) On the Connection Server, restart the VMware Security Gateway Component service.

We are terminating the SSL session on the F5 load balancer in this environment, as it is specialized hardware that is designed to do just that (so why load that onto the Security Servers?).  Of course, the Security Servers are designed to only accept SSL connections, which we had to change.  VMware has documented the process of Allowing HTTP Connections to Intermediate Servers.  It’s worth reiterating that (for this configuration) the locked.properties file will be on each Security Server, but other than that the procedure that they outline is very well explained.

With those steps completed (and the firewalls opened up and the F5 correctly configured), our external users are able to connect to their VDI Desktops through the load balancer.

Edit: Over at MyVirtualCloud.net, they've put together an excellent post about what health monitors a load balancer should be checking on the View servers.  Definitely check it out!


Comments

  1. Thanks jason for all this great info. I am little confuse about SHA1 thumbprint and SHA1.
    Okay we got SHA1 thumbprint in Step 1 from log which we can enter in pae-sslCertthumprint attribute but for the pae-SslCertThumbprintAlgorithm attribute, where do i find SHA1 ? i am sure this is not the SHA1 thumbprint.. please help.

    ReplyDelete
    Replies
    1. This was from several years ago, but I believe that you just type it in.

      Delete
    2. i found your post while searching a solution for this problem. I saw you posted it several years ago. i am new to Certificates and VMware world. still trying to understand what is SHA1 as i was able to locate SHA1 thumbprint.

      Delete

Post a Comment

Sorry guys, I've been getting a lot of spam recently, so I've had to turn on comment moderation. I'll do my best to moderate them swiftly after they're submitted,

Popular posts from this blog

Orphaned VMDK Files

Deleting Orphaned (AKA Zombie) VMDK Files

Clone a Standard vSwitch from one ESXi Host to Another