Last night I updated my VMware VDI environment to VMware Horizon 7.4.0. For the most part the upgrade went smoothly; however, I discovered an issue (probably unrelated to the upgrade itself, and more likely just previously overlooked). When connecting with Google Chrome to VMware Horizon HTML Access via the UAG (Unified Access Gateway), an error pops up after pressing the button saying “Failed to connect to the connection server”.
The Problem:
This error pops up ONLY when using Chrome, and ONLY when connecting through the UAG. If you use a different browser (Firefox, IE), this issue will not occur. If you connect using Chrome to the connection server itself, this issue will not occur. It took me hours to find out what was causing this as virtually nothing popped up when searching for a solution.
Finally I stumbled across a VMware document which mentions that View Connection Server instances and security servers that reside behind a gateway (such as a UAG or Access Point) must be aware of the address that browsers use to connect to the gateway for HTML Access.
The VMware document is here: https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.installation.doc/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html
To resolve this:
On the View Connection Server, create a file called “locked.properties” in “install_directory\VMware\VMware View\Server\sslgateway\conf\”.
If you have a single UAG/Access Point, populate this file with:
portalHost=view-gateway.example.com
If you have multiple UAG/Access Points, populate the file with:
portalHost.1=view-gateway-1.example.com
portalHost.2=view-gateway-2.example.com
Restart the server.
The issue should now be resolved!
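A check for the file described in the steps above, as an added example that is not part of the original post or of VMware's tooling: it parses a locked.properties body and reports gateway addresses missing from portalHost, entries written as URLs rather than host names, and the checkOrigin=false setting that a commenter below reports, which switches origin checking off rather than listing the gateways. The function names, the sample file and the example.com hosts are constructed for illustration.

```python
import re

# Constructed sample file body (not taken from a real server).
SAMPLE = """\
# locked.properties
portalHost.1=view-gateway-1.example.com
portalHost.2=https://view-gateway-2.example.com/
checkOrigin=false
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_locked_properties(text, gateway_hosts, balanced_host=None):
    """Return findings for a locked.properties body (hypothetical helper)."""
    props = parse_properties(text)
    findings = []
    # portalHost for one gateway, portalHost.N for several (as in the post).
    listed = {v.lower() for k, v in props.items()
              if re.fullmatch(r"portalHost(\.\d+)?", k)}
    # Assumption: host names are compared case-insensitively.
    for host in gateway_hosts:
        if host.lower() not in listed:
            findings.append(f"no portalHost entry for {host}")
    for value in sorted(listed):
        if "/" in value:
            findings.append(f"portalHost is not a bare host name: {value}")
    if balanced_host and props.get("balancedHost", "").lower() != balanced_host.lower():
        findings.append(f"balancedHost is not set to {balanced_host}")
    if props.get("checkOrigin", "").lower() == "false":
        findings.append("checkOrigin=false turns origin checking off")
    return findings

if __name__ == "__main__":
    for finding in audit_locked_properties(
            SAMPLE, ["view-gateway-1.example.com", "view-gateway-2.example.com"]):
        print(finding)
```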
On a side note, I also deleted my VMware Unified Access Gateway VMs and deployed the updated version that ships with Horizon 7.4.0. This means I deployed VMware Unified Access Gateway 3.2.0. There was an issue importing the configuration from the export backup I took from the previous version, so I had to configure from scratch (installing certificates, configuring URLs, etc.). Be aware of this issue when importing configuration.
Saved me a lot of searching. Worked perfectly. Thanks
Hi,
Thanks for your blog, it’s really helpful. I came across another issue: I am not using UAG but security servers. I was getting “Failed to communicate with connection server” when I was trying to connect using the HTML client. Adding my external URL to the locked.properties file on the security server resolved the issue. I hope this will help if someone else is having a similar issue.
Stephen, quick question about UAG. I am a bit confused about setting up three NICs. Not sure how to set up network profiles for three NICs. Please can you confirm what network IP I need to define when using the three NIC scenario? One NIC I am assuming will be for the DMZ subnet, the 2nd NIC for the internal network the connection servers are using. For internet, do I need to define the whole subnet when creating the network profile? I am not able to find any documentation link which clearly defines this scenario; all examples are using a one NIC setup.
thanks,
Hi Nadeem,
First, thank you very much for posting your findings on the security server, that information will for sure help others! 🙂
As for UAG deployment, in my test environments I’ve only used a one NIC deployment (one subnet). I’m not saying it’s best practice, but from what I’ve read lots of other people are doing this as well.
For a 2 NIC (two network interface) deployment, 1 is for external WAN, and 1 is for internal LAN.
For a 3 NIC (three network interface) deployment which is the most secure, 1 is for external WAN, 1 is for internal LAN, and 1 is for management.
As for profiles, I’m not sure what you mean. Are you referring to the IP addressing, or something more specific?
Cheers,
Stephen
Hi Stephen,
Much appreciated for the quick reply.
I was referring to Network Protocol Profiles, where you need to define IP address / IP pools. For the WAN NIC, do I need to define my external address subnet / IP address, or can I simply define my DMZ IP address?
Thanks,
I believe you’ll configure the actual IP address that your UAG will have on the network it’s connected to.
So for the interface in your DMZ, you’ll specify the IP and subnet for that specific network.
Thanks Stephen,
I much appreciate your help 🙂
Regards,
Hello Stephen,
Concerning the locked.properties information you found in a 7.0 version of the documentation, here are the links to the 7.4 version:
Allow HTML Access Through a Load Balancer:
https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html#GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E
Allow HTML Access Through a Gateway:
https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html
This error also appears with Microsoft’s Edge browser, but has the same solution.
Hello,
Very nice tips. Thank you for sharing.
For me it didn’t work… We have 1 Internal VIP for our 2 Connection Servers, then we have 1 External VIP for our 2 UAG servers.
When we use the Horizon Client, the connection works with the External VIP but not with HTML Access, same error as in the internal network. But when we are in the internal network we are stuck with the Internal VIP with HTML Access and the Horizon Client. Only success with the direct IP of 1 of the Connection Servers. So with HTML Access, we arrive on the login page, then log in successfully, click on the Desktop pool, then the page reloads in a loop… We can see during the loop that it tried to load the following URL: https://ip-internal-vip/portal/webclient/index.html#/blastdesktop but only for 2 seconds, then it goes back to the launchitems menu: https://ip-internal-vip/portal/webclient/index.html#/launchitems
It is horrible… Does anyone have an idea?
For the firewall and F5 configurations we are on “any permissions” to avoid bad configurations from network devices…
Thank you very much.
Hey admpro,
There could be a few things causing your issue. Check in to the following:
1) There’s an issue where when accessing internally or via a VPN, connection servers with an FQDN that doesn’t match the case of the computer name and/or SSL certificate, can cause issues. VMware KB 2106968 at: https://kb.vmware.com/s/article/2106968
2) On your internal connection servers, have you disabled the proper internal secure gateways? According to best practice, when provisioning UAGs, you must disable the secure gateways on the connection server. VMware Document at https://docs.vmware.com/en/Unified-Access-Gateway/3.1/uag-31-deploy-config-guide.pdf
On Page 31, quoted: “Disable the secure gateways (Blast Secure Gateway and PCoIP Secure Gateway) on Horizon Connection Server instances and enable these gateways on the Unified Access Gateway appliances.”
Let me know if these help.
Cheers,
Stephen
Hey Stephen,
Thank you very much for your very quick answer!!!
Yes, I have made the correction. I have created a DNS entry with the internal VIP. Now the connection works with the Horizon Client.
So I’m OK with the Horizon Client with the Internal VIP and External VIP.
Now the last problem is the HTML Access with the Int and Ext VIPs.
About your second point: yes, all the boxes on the View Connection Servers have been unchecked.
I see on the web that maybe it can come from the “route”. What do you think about this? Adding a route from UAG to CS or VDI?
Thanks again.
THANKS! Saved my butt. No chrome access!!!???
Thanks for the Article.
Horizon View 7.9 still has the Chrome issue. FF is fine.
Thanks a lot. We were having this issue on Windows 2016 connection servers, not on Windows 2012 connection servers. The locked.properties file was not present on the W2k16 CS and has the following value on the W2k12 CS: checkOrigin=false
OMG! THANK YOUUU MANNNNN !!! I wasn’t able to setup a working “free” load balance solution for my old security servers so i went the UAG way (latest version 3.9, built-in in HA). I was going nutz for days.
It’s late 21 and the Problem is still there! Got the Problem with HTML Access and Microsoft MFA, after adding the portalhost it works like a charm. Thank You!
We just enabled Azure MFA on our UAG for connecting to Horizon externally using RADIUS with Azure MFA Extension for NPS. While this works for connecting via the Horizon Client it doesn’t work via HTML Access and also gives the same error. We have portalHost and balancedHost defined in the locked.properties file.
Should the portalHost address be the FQDN of the UAG or the external URL that users connect to Horizon with? We have tried both and haven’t had any luck.
Hi Greig,
The addresses in that list should be the FQDN connection points used both internally and externally for UAG access.
Cheers,
Stephen
Hi Stephen,
Many thanks for the quick response.
I had a quick check and it looks like we have the correct FQDN configured. Oddly, if we turn off RADIUS authentication within the Horizon settings on the UAG to effectively disable MFA then HTML Access works, so it looks like the issue lies with RADIUS somewhere when using this option.
The UAG appliance throws an exception within the authbroker logs when RADIUS is used against HTML Access logons.
I have logged a support request with VMware on this.
Greig,
I’m having the same issue that you are with UAG and Azure MFA. I swore this worked a month ago, not sure if something changed in our environment or what. Let me know if you figure this out and I’ll do the same.
Thanks.
Greig, we fixed the issue with Azure MFA and UAG and the “Failed to connect to connection server.” We resolved the issue by removing the “Display a Pre-Login Message” from our connection servers and only have it enabled on the UAG servers. This setting can be found under “Global Settings” from the Horizon Connection server.
Turns out the issue had nothing to do with Azure MFA, at least for us.
VMware support suggested this and it worked.
Hope this helps you or others.
Kip says:
10/14/2021 at 2:03 PM
!!! I’m so grateful to YOU!!!!!!!!!!!!!!!!!!!!!!!!!
It really works for me too. (Unified Access Gateway Appliance v21.06.2, connection server 8.3.0-18294467)
Hi Kip,
Many thanks for that.
We had the Pre-Login Message set on our Connection Servers; once we switched this to the UAG instead, as you mentioned, HTML Access worked with Azure MFA.
Hello Stephen!
We have a deployment with only a VCS and UAG. I can access https://ip_uag:9443/admin to administer the UAG, but I cannot access https://ip_uag to view the VCS login portal. Also, when I register the gateway in VCS (configuration -> servers -> gateways) the system doesn’t recognize the version and IP address.
Is it possible that I am missing some configuration or something like that?
Thanks in advance!!!
Hi Fla,
It sounds like your UAG is having issues accessing your Horizon Connection Server. I’d recommend checking the document to review the ports required between the UAG and connection server.
Once that’s corrected, and once you establish a connection through the UAG, the UAG should populate information on the gateways tab properly.
Also note, you need to configure your “locked.properties” file for your portalHost and balancedHost entries.
Cheers,
Stephen
Hi Stephen,
Many thanks for that.