Jan 06 2018
 

Last night I updated my VMware VDI environment to VMware Horizon 7.4.0. For the most part the upgrade went smoothly; however, I discovered an issue (probably unrelated to the upgrade itself, and more so just previously overlooked). When connecting with Google Chrome to VMware Horizon HTML Access via the UAG (Unified Access Gateway), an error pops up after pressing the button saying “Failed to connect to the connection server”.

The Problem:

This error pops up ONLY when using Chrome, and ONLY when connecting through the UAG. If you use a different browser (Firefox, IE), this issue will not occur. If you connect using Chrome to the connection server itself, this issue will not occur. It took me hours to find out what was causing this as virtually nothing popped up when searching for a solution.

Finally I stumbled across a VMware document that mentions that View Connection Server instances and security servers that reside behind a gateway (such as a UAG or Access Point) must be aware of the address that browsers use to connect to the gateway for HTML Access.

The VMware document is here: https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.installation.doc/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html

To resolve this:

On the View Connection Server, create a file called “locked.properties” in “install_directory\VMware\VMware View\Server\sslgateway\conf\”.

If you have a single UAG/Access Point, populate this file with:

portalHost=view-gateway.example.com

If you have multiple UAG/Access Points, populate the file with:

portalHost.1=view-gateway-1.example.com
portalHost.2=view-gateway-2.example.com

Restart the server

The issue should now be resolved!
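
The steps above as a script (an added example, not part of the original post or of VMware's tooling). It goes slightly further than the post: existing portalHost entries are merged and any other settings already in locked.properties are kept. The parameter names -ConfDir and -GatewayHost and the bare-host-name check are assumptions of this example.

```powershell
# Added example, not from the original post. -ConfDir is the
# ...\VMware View\Server\sslgateway\conf folder under your install directory.
param(
    [Parameter(Mandatory)] [string]   $ConfDir,
    [Parameter(Mandatory)] [string[]] $GatewayHost
)
$path = Join-Path $ConfDir 'locked.properties'

# The post's entries are bare host names, so reject URLs, ports and paths (assumed rule).
$label   = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
$pattern = '^{0}(\.{0})*$' -f $label
foreach ($h in $GatewayHost) {
    if ($h -notmatch $pattern) { throw "Not a bare host name: '$h'" }
}

$keep  = @()   # existing settings other than portalHost, preserved as-is
$found = @()   # portalHost values already in the file
if (Test-Path $path) {
    Copy-Item $path "$path.bak" -Force   # copy to roll back to
    foreach ($line in Get-Content $path) {
        if ($line -match '^\s*portalHost(\.\d+)?\s*=(.*)$') {
            $value = $Matches[2].Trim()
            if ($value) { $found += $value }
        } else {
            $keep += $line
        }
    }
}

# Merge old and new entries, dropping duplicates (case-insensitive) but keeping order.
$all = @()
foreach ($h in @($found) + @($GatewayHost)) {
    if ($all -notcontains $h) { $all += $h }
}

# One gateway uses "portalHost="; several use "portalHost.1=", "portalHost.2=", ...
if ($all.Count -eq 1) {
    $entries = @("portalHost=$($all[0])")
} else {
    $entries = @(for ($i = 0; $i -lt $all.Count; $i++) { "portalHost.$($i + 1)=$($all[$i])" })
}

# Write plain ASCII; the ">" redirection in Windows PowerShell would produce UTF-16.
Set-Content -Path $path -Value (@($keep) + $entries) -Encoding ASCII
Write-Output "Wrote $($entries.Count) portalHost entries to $path. Restart the server to apply."
```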

On a side note, I also deleted my VMware Unified Access Gateway VMs and deployed the updated version that ships with Horizon 7.4.0. This means I deployed VMware Unified Access Gateway 3.2.0. There was an issue importing the configuration from the export backup I took from the previous version, so I had to configure from scratch (installing certificates, configuring URLs, etc…). Be aware of this issue when importing configuration.

 

  11 Responses to “Failed to connect to the connection server – Using Chrome on VMware Horizon 7.4 via HTML client”

  1. Saved me a lot of searching. Worked perfectly. Thanks

  2. Hi,
    Thanks for your blog, it's really helpful. I came across another issue. I am not using UAG but security servers. I was getting “Failed to communicate with connection server” when I was trying to connect using the HTML client. Adding my external URL to the locked.properties file on the security server resolved the issue. I hope this will help if someone else is having a similar issue.

    Stephen, a quick question about UAG. I am a bit confused about setting up three NICs. Not sure how to set up network profiles for three NICs. Please can you confirm what network IP I need to define when using the three NIC scenario. One NIC, I am assuming, will be for the DMZ subnet. The 2nd NIC is for the internal network the connection servers are using. For internet, do I need to define the whole subnet when creating the network profile? I am not able to find any documentation link which clearly defines this scenario; all examples are using a one NIC setup.

    thanks,

  3. Hi Nadeem,

    First, thank you very much for posting your findings on the security server, that information will for sure help others! 🙂

    As for UAG deployment, in my test environments I’ve only used a one NIC deployment (one subnet). I’m not saying it’s best practice, but from what I’ve read lots of other people are doing this as well.

    For a 2 NIC (two network interface) deployment, 1 is for external WAN, and 1 is for internal LAN.

    For a 3 NIC (three network interface) deployment which is the most secure, 1 is for external WAN, 1 is for internal LAN, and 1 is for management.

    As for profiles, I’m not sure what you mean. Are you referring to the IP addressing, or something more specific?

    Cheers,
    Stephen

  4. Hi Stephen,

    much appreciated for quick reply.

    I was referring to Network Protocol Profiles, where you need to define IP address / IP Pools. For the WAN NIC, do I need to define my external address subnet / IP address, or can I simply define my DMZ IP address?

    Thanks,

  5. I believe you’ll configure the actual IP address that your UAG will have on the network it’s connected to.

    So for the interface in your DMZ, you’ll specify the IP and subnet for that specific network.

  6. thanks Stephen,

    much appreciated your help 🙂

    Regards,

  7. Hello Stephen,

    Concerning the locked.properties information you found in a 7.0 version of the documentation, here are the links to the 7.4 version:

    Allow HTML Access Through a Load Balancer:
    https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html#GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E

    Allow HTML Access Through a Gateway:
    https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html

  8. This error also appears with Microsoft’s Edge browser, but has the same solution.

  9. Hello,

    Very nice tips. Thank you for sharing.

    For me it didn’t work… We have 1 Internal VIP for our 2 Connection Servers, then we have 1 External VIP for our 2 UAG servers.

    When we used the Horizon Client, the connection works with the External VIP, but not with HTML access; same error as in the internal network. But when we are in the internal network, we are stuck with the Internal VIP with HTML access and Horizon Client; only success with the direct IP of one of the Connection Servers. So with HTML access, we arrive on the login page, then log in successfully, click on the desktop pool, then the page reloads in a loop… We can see during the loop that it tries to load the following URL: https://ip-internal-vip/portal/webclient/index.html#/blastdesktop but only for 2 seconds, then it goes back to the launchitems menu: https://ip-internal-vip/portal/webclient/index.html#/launchitems

    It is horrible… Does someone have an idea?

    On the firewall and F5 configurations we are on “any permissions” to avoid bad configurations from network devices…

    Thank you very much.

  10. Hey admpro,

    There could be a few things causing your issue. Check in to the following:

    1) There’s an issue where, when accessing internally or via a VPN, connection servers with an FQDN that doesn’t match the case of the computer name and/or SSL certificate can cause issues. VMware KB 2106968 at: https://kb.vmware.com/s/article/2106968

    2) On your internal connection servers, have you disabled the proper internal secure gateways? According to best practice, when provisioning UAGs, you must disable the secure gateways on the connection server. VMware Document at https://docs.vmware.com/en/Unified-Access-Gateway/3.1/uag-31-deploy-config-guide.pdf
    On Page 31, quoted: “Disable the secure gateways (Blast Secure Gateway and PCoIP Secure Gateway) on Horizon Connection Server instances and enable these gateways on the Unified Access Gateway appliances.”

    Let me know if these help.

    Cheers,
    Stephen

  11. Hey Stephen

    Thank you very much for your very quick answer!!!

    Yes, I have made the correction. I have created a DNS entry with the internal VIP. Now the connection works with Horizon Client.

    So I’m OK with Horizon Client with Internal VIP and External VIP.

    Now the last problem is the HTML access with Int and Ext VIPs.

    About your second point: yes, all the boxes on the View Connection Servers have been unchecked.

    I see on the web that maybe it can come from the “route”; what do you think about this? Adding a route between the UAG and the CS or VDI?

    Thanks again.
