Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Lets talk about End User Computing Because we worth it ...

Shibboleth as IdP for Workspace ONE Access

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace One Access as a 3rd party IdP.

One of the major issue with Shibboleth (in my case) is it only provides a samAccountName but not a UserPrincipalName (upn), so basically the User name without the domain name (eg. e.monjoin but not e.monjoin@mydomain.dom). It works in many situation excepted in a multi domain configuration where you can potentially have the same username in two different domain and you have a trust relationship between them (eg. e.monjoin@finance.domain.com and e.monjoin@technical.domain.com). In this case WS1 Access will not be able to choose a account you will see the following error :

Running VMware Unified Access Gateway on Hyper-V

Ok okkkkkk, I know that could be weird at first sight but I had a request from a customer to assist in the deployment of UAG 3.9 on Hyper-V in a “Dual DMZ” configuration.

The Back End UAG is deployed on vSphere but the the front-end should run on the DMZ hypervisors who are…. Windows 2019 Core / Hyper-V

So when we look at the files required to perform this installation we need to download 2 files :

  • Unifed Access Gateway (UAG) 3.9 PowerShell scripts to get all scripts to deploy the appliance
  • Unifed Access Gateway (UAG) 3.9 for Microsoft Azure to have .vhd file so Hyper-V disk format file.

App Volumes, load balancer health check

I recently had an issue with one of my App Volumes server: even if my server was down in an App Volumes point of view (connection lost the database), my Kemp load balancer see it up and running because: the web interface was up and favicon.ico was also available.

The template for App Volumes (part of Horizon 7 Template) is, in my opinion not complete and it missed the right way to configure health check

So the right way to configure load balancer ‘s health check is the following :

For Kemp :

Moving Workspace One Access database to a new MS SQL Server

I had to validate how to migrate WS1 Access database to another SQL Server.

This test concerns a dual-site configuration with 3 active nodes (R/W) on Site-A et 3 passive nodes on site B (R/O).

The first thin I did, was to set all nodes to passive (so read-only for all) so no more update will be done on the database.

After that I made a SQL backup of my database and copied it the new MS SQL Server.

VMware Horizon on Windows Server Core 2019

I recently have a customer requesting to install VMware Horizon on a Windows 2019 Core server. Most of customers prefer to have the “Desktop Experience” but for security reason some other prefer to limit to shell only interface.

Before installing VMware Horizon, ensure that all updates are applied to Windows 2019 Core (I had some strange behavior before doing that, like impossible to have the Flex Admin console or get “Login failed” on the new HTML 5 consoles)

The first main concern is getting signed certificate ready so Horizon will use it instead of its self signed certificate.

After copying the certificate in a local folder :

1 ) From the Administrator command prompt, type “powershell” to execute PowerShell command

PFX to PEM

When working on EUC and SDDC solutions (and yes now for everything) we have to use certificates.

I mostly used Microsoft Certificate Services for all my internal servers and a Public wildcard certificate for external access. So to create certificate, the best is to used the Windows MMC and the export the certificate as .PFX to get both the certificate and the private key used to generate it.

However some product like Workspace One Access ask for certificate as PEM format so I used the following script to convert PFX to PEM with OpenSSL.

It’s a batch script who need two arguments, the first one is the name of the certificate without the extension and the second argument is the password used to encrypt Private key

Eg. my PFX certificate is myserver.mydomain.local.pfx so I juste have to type : pfx2pem.bat myserver.mydomain.local mypassword

Composer Firewall Port

Ok by default Composer must be in the same domain or at list have Trust Relationship with domains where Linked Clone will be deployed….

But with Composer you can also deploy on other domains, the caveat however is that you can’t browse the OU on Horizon Admin console so you need to Copy/Past or write the full path for the correct OU.

That said, if you look at the firewall port required by Composer, unless 18433 between Horizon Connection Server (brokers) and Composer plus 1433 to join the Ms SQL Server, nothing is really explained and a doubt can exist about which port is required (and also who create account in the domain). So here the answer 🙂 :

First I confirm, Composer server is responsible to reach the AD domains and create Computer accounts. So the required port are :

Source                  Destination        Ports                 Service

Composer           AD Controllers   88/TCP                  Kerberos

Composer           AD Controllers   135/TCP               RPC

Composer           AD Controllers   389/TCP               LDAP

Unified Access Gateway and .local domain

Since recent release of Unified Access Gateway (I guess starting with 3.7 as I didn’t remember having any issue with version 3.6), the appliance is not using the configured DNS and when looking at /etc/resolv.conf it’s using a internal IP of 127.0.0.53 to perform queries.

After digging into internet I found some post about this and to make it short the solution is to edit /etc/systemd/resolved.conf and comment out “Domains=” and specify your local domain :