Forum Discussion
Horizon View "This Page is Not Secure"
Hey Veato,
Keep in mind a VIP is a VIP; you could always create an APM internally and not have it be 2FA enabled, i.e. you create a second iApp with APM for internal use. You would just point DNS at the internal APM instead of the external APM.
With the options in Option 2, if it were me I would recommend having at minimum 2 Connection Servers per VIP, internal vs. external. How you stated it is correct: I would do LTM Connection Servers with the box checked and the external APM servers with the boxes unchecked. The only downside I need to reiterate is that all Blast connections, whether HTML5 or Blast Extreme, would be tunneled through the Connection Servers in this choice. This means if you need to power off Connection Servers or reboot them, there is a high likelihood of disconnecting user sessions that use Blast Extreme or HTML5 Blast. However, this does get rid of the certificate issue.
I would, however, recommend that instead of using the single iApp deployment for deploying an internal and external VIP, you separate them by using the iApp twice and creating an LTM app for internal and an APM app for external (just don't fill in the internal LAN VIP section on the APM iApp).
Just curious, are you using Instant Clones or Linked Clones? A long time ago when I was working for VMware PSO I thought about creating a PowerShell-type script that would do the following:
1) Generate a new Blast certificate from an internally trusted CA.
2) Modify the registry so that, instead of showing the IP, it would use DNS when using the Blast HTML5 protocol.
3) Swap the thumbprints from the self-signed cert to the newly generated cert.
4) Restart the Blast services to accept the new certificate.
I never did follow up on doing this, but this would be the approximate way of doing this fix without the tunneling. The thing I would mention is that, based on the amount of certs created and depending on the type of VDI, I would set the expiration of the cert to be a fixed date rather than the long, lengthy 1-2 year approach. In this case I would also set up another subordinate CA behind the root to just handle these workloads.
This was just another thought of how one could resolve this issue as well. The key to doing this would be creating a script, having it in something like c:\tools\script.whatever, and having it run as a Post Sync Script on the instant/linked clones. Don't know if this approach would really fit your bill, but it is something I thought of a long time ago that could resolve this issue, and I wouldn't recommend the wildcard approach as it's too dangerous b/c the key has to be exportable IIRC.
Does that help?
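The four-step post-sync script sketched in the reply above, written out as an added PowerShell example (not code from the original post, from F5, or from VMware). It assumes an AD CS template called HorizonBlastShortLived that the desktop's computer account can enroll against, a Blast agent service named VMBlast, and a registry path and value name for the agent's certificate thumbprint that are placeholders to be confirmed against VMware's documentation for the Horizon release in use; the exact thumbprint formatting the agent expects must be checked there as well. Step 2 (preferring DNS over IP for HTML5 Blast) is left as a placeholder comment because the post does not name the value involved. What the example adds beyond the post is the verification a defender wants before swapping certificates on a fleet: the new cert must carry a private key, chain to a trusted root, and cover the desktop's FQDN, and the old thumbprint is kept so the script can roll back if the service fails to come up.

```powershell
# Added example: post-sync script for a Horizon desktop, following the four steps in the reply.
# Run as SYSTEM or a local administrator on the clone after it is provisioned.
$ErrorActionPreference = 'Stop'

$Template  = 'HorizonBlastShortLived'                          # assumption: short-lived cert template on the subordinate CA
$BlastKey  = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'  # placeholder: confirm path for your Horizon release
$HashName  = 'SslHash'                                          # placeholder: confirm value name and thumbprint format
$Service   = 'VMBlast'                                          # assumption: Blast agent service name
$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function New-BlastCertificate {
    # Step 1: enroll from the internal CA through the Windows PKI client.
    # Validity is set by the template, which is where the fixed expiry the post suggests belongs.
    $result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
    return $result.Certificate
}

function Test-BlastCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Checks worth doing before the agent is pointed at the new cert.
    if (-not $Cert.HasPrivateKey) { throw 'Issued certificate has no private key' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        throw "Chain does not build to a trusted root: $($chain.ChainStatus.StatusInformation -join '; ')"
    }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if (-not $sanExt -or $sanExt.Format($false) -notmatch [regex]::Escape($Fqdn)) {
        throw "Certificate SAN does not cover $Fqdn"
    }
}

function Set-BlastThumbprint {
    param([string]$Thumbprint)
    # Step 3: swap the self-signed thumbprint for the new one, keeping the old value for rollback.
    $old = (Get-ItemProperty -Path $BlastKey -Name $HashName -ErrorAction SilentlyContinue).$HashName
    Set-ItemProperty -Path $BlastKey -Name $HashName -Value $Thumbprint
    return $old
}

function Restart-Blast {
    # Step 4: restart the Blast service and wait for it to report Running.
    Restart-Service -Name $Service
    (Get-Service -Name $Service).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

$cert = New-BlastCertificate
Test-BlastCertificate -Cert $cert

# Step 2 placeholder: set the agent value that makes HTML5 Blast advertise the DNS name rather
# than the IP address. The post does not identify the value; look it up for your release before
# adding a Set-ItemProperty call here.

$previous = Set-BlastThumbprint -Thumbprint $cert.Thumbprint
try {
    Restart-Blast
} catch {
    # Service did not come back with the new cert: restore the previous thumbprint so the
    # desktop stays reachable, then surface the error to the provisioning log.
    if ($previous) { Set-ItemProperty -Path $BlastKey -Name $HashName -Value $previous }
    Restart-Service -Name $Service
    throw
}
Write-Output "Blast now using certificate $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Because every clone enrolls its own certificate, the CA issuing them should be the dedicated subordinate the post mentions, so that its template permissions and issued-certificate log stay separate from the rest of the PKI, and a short validity period limits how long a leaked desktop key is useful.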