Thursday, January 14, 2016

Enabling TLS 1.0 for VMware Horizon View 6.2.1 to allow Horizon View 3.3 or older clients to connect

Problem

As a follow up to one of my previous posts:

Upgrading from VMware Horizon View 6.0.1 to 6.2.1 causes connections to throw the error: “Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.”
http://terenceluk.blogspot.com/2016/01/upgrading-from-vmware-horizon-view-601.html

I finally got a chance to take some time to test the following KB that outlines the steps required to enable TLS 1.0 for backward compatibility with VMware Horizon View 6.2.0 and earlier:

Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later (2130798)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2130798

To provide a bit of background for the issue, let me reference the release notes found at the following URL that describes the TLS changes to PCoIP connections:

Release Notes for VMware Horizon 6 version 6.2.1
https://pubs.vmware.com/Release_Notes/en/horizon-6-view/horizon-621-view-release-notes.html

What's New in This Release of Horizon 6

  • VMware Horizon View 6.2.1 is a maintenance release. Some known issues from previous releases are resolved. For more information, see Resolved Issues.
  • To improve security, SSLv3 is no longer supported. By default, TLS 1.1 and TLS 1.2 are enabled. TLS 1.0 is enabled for outgoing connections to support vSphere 5.x, but is disabled for incoming connections. If the vSphere version is 6.x, it is recommended that TLS 1.0 be disabled for outgoing connections.
  • For PCoIP connections, by default, TLS 1.1 and TLS 1.2 are enabled and TLS 1.0 is disabled. Horizon Client 3.3 and earlier versions use only TLS 1.0 for PCoIP. View Agent versions earlier than 6.2 also use only TLS 1.0. To support Horizon Client 3.3 and earlier versions, as well as View Agent 6.1.x and earlier versions, if you use the PCoIP Secure Gateway, you can enable TLS 1.0 for PCoIP connections by following the instructions in KB 2130798, Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later.
  • For Blast Secure Gateway and the HTML Access agent, by default, TLS 1.1 and TLS 1.2 are enabled and TLS 1.0 is disabled. You can configure the security protocols and cipher suites for both components. See Configuring Security Protocols and Cipher Suites for Blast Secure Gateway in the View Security document and Configure Security Protocols and Cipher Suites for HTML Access Agent in the Horizon Client and View Agent Security document.
  • Linux desktops now support clipboard redirection, single sign-on, and smart card redirection. The Setting Up Horizon 6 for Linux Desktops guide also documents additional bulk-deployment scripts.

The text highlighted in red are the changes to TLS that could potentially cause connectivity issues between older VMware View or Horizon View clients due to TLS 1.0 being disabled.

Testing Environment

With the background of the issue described let me begin by listing the details of the environment I used for testing:

Horizon View Connection Servers: 2 (1 for external connections and 1 for internal connections)
Horizon View Connection Server Version: 6.2.1-3284346
Horizon View Security Server Version: 6.2.1-3284346
Horizon View Agent: 6.2.1-3284346

Internal Connection Tests - Use PCoIP Secure Gateway for PCoIP connects to machine is Disabled

The View Connection server currently has the following settings configured:

Use secure Tunnel connection to machine: disabled

Use PCoIP Secure Gateway for PCoIP connections to machine: disabled

Use Blast Secure Gateway for HTML access to machine: disabled

image

Attempting to access this environment with one of the Wyse Windows Embedded thin clients with an unsupported Horizon Client 3.1.0 build-2085634:

image

… will display a blackscreen for a few seconds then disconnect with the following error:

The connection to the remote computer ended.

image

As per the KB article mentioned above:

Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later (2130798)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2130798

I proceeded to add the following registry key to my virtual desktop with the 6.2.1 agent in a pool:

HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_protocol
Type: REG_SZ
Value: TLS1.0:TLS1.1:TLS1.2

The registry can either be manually added or the following command can be executed:

reg add "HKLM\Software\Teradici\PCoIP\pcoip_admin" /v "pcoip.ssl_protocol" /t REG_SZ /d TLS1.0:TLS1.1:TLS1.2 /f

image

From here, connections to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 completes successfully without any errors.

Internal Connection Tests - Use PCoIP Secure Gateway for PCoIP connects to machine is Enabled

Changing the View Connection server’s settings to:

Use secure Tunnel connection to machine: enabled

Use PCoIP Secure Gateway for PCoIP connections to machine: enabled

Use Blast Secure Gateway for HTML access to machine: disabled

image

… with the registry added and then attempting to connect to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 fails with the error:

The connection to the remote computer ended.

Proceeding to add the following registry key to the view connection server:

HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value: tls1.2:tls1.1:tls1.0

… either via:

reg add "HKLM\Software\Teradici\SecurityGateway" /v "SSLProtocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

… or manually via the registry editor:

image

Then attempting to connect to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 fails with the same error message.

Note that I tried multiple troubleshooting steps but was unable to get internal View Horizon Clients that were older than 3.3 to successfully connect.

External Connection Tests

Logging onto the VMware Horizon View Security server and adding the registry key:

HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value: tls1.2:tls1.1:tls1.0

… either manually through the regisry editor or via:

reg add "HKLM\Software\Teradici\SecurityGateway" /v "SSLProtocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

… allows me to connect successfully connect with an unsupported Horizon Client 3.1.0 build-2085634.  However, attempting to connect with an even older View Client 5.0.0 build-481677:

image

image

… will through the following error:

The View Connection Server connection failed. A security error occurred.

image

It’s worth noting that I did not add the registry key to the View Connection server that was paired with the View Security server as it did not appear to matter.

Conclusion

The conclusion from my tests is as follows:

  1. I was able to use the registry entry to provide access to View Connection Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client if I am not using PCoIP Secure Gateway for PCoIP connections to the machine meaning your View client is just being brokered directly to virtual desktop
  2. I was unable to use the registry entry to provide access to View Connection Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client if I am using PCoIP Secure Gateway for PCoIP connections to the machine meaning your View client actually traverses through the View Connection server in order to connect to the virtual desktop
  3. I was able to use the registry entry to provide access external access through the View Security Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client by adding the registry entry on the Security server and View agent

What had me stumped at the end of this test was why I could not get #2 to work so comments on what I did incorrectly are welcomed.

I hope this helps anyone who may come across this issue.

7 comments:

Anonymous said...

I just ran into this same problem with 6.2.2. I appreciate the thorough write up. Here's hoping that VMWare support has a solution that we can use to solve this without having to upgrade every agent overnight.

Andre Atkinson said...

Any update on this project? I am about to attempt to upgrade from 6.0.1 to 6.2.2.

Haman David said...

I have upgraded our horizon environment from 6.0.x to the latest 6.2.2 build 3508079. Now our external VIP to our sec servers as well as our internal VIP to our internal connection servers. The vips are configured on F5 Big Ips. What exactly has changed in view that has broken this? The thing is that you can login directly to the security servers and connection servers directly without issue. F5 points at Vmware, and Vmware points TO f5. I just want to get to the bottom of this before I have to revert. We POC'd 6.2.0 build-3005368 and the vip no longer worked until we changed the HTTPS check on the vip on the F5 to http. No such luck with the latest 6.2.2 release though.

Anonymous said...

at the step: Internal Connection Tests - Use PCoIP Secure Gateway for PCoIP connects to machine is Enabled

When u add the registry keys and reboot the connection server the connection is working even with an older view client.

Haman David said...

Wound up being an F5 firmware compatibility issue. The firmware was upgraded and the issue has now been resolved.

Javier Rodriguez said...

Thanks for the post. I recently upgraded to Horizon 7 and there are some websites that I can't open on IE. I connect from outside the virtual desktop with no problems, but from IE inside the Virtual Desktop shows me the can't open page error. Any ideas on this?

Unknown said...

Thanks for providing this informative information…..
You may also refer- http://www.s4techno.com/blog/category/vmware/