VMware Horizon Workspace – Part 2 – Configure Nginx as Frontend with Microsoft CA

So yesterday, VMware released Horizon Workspace 1.5. HUGE improvement over the GA release… Holey smokes. Any further tutorials will reference this version.

Anyways, more to the point. In this post I will demonstrate how to do a base configuration of Horizon Workspace using an internal Microsoft Certificate Authority with Nginx as a frontend. This setup is only acceptable for setting up workspace in a lab environment, since in a production environment you’ll need a trusted third party cert. Doing this in a lab environment is important because it will allow you to set up and test every feature you’ll be using in a production environment.

Requirements:

  • Microsoft Active Directory Certificate Services
  • Linux Machine running Nginx
  • Horizon Workspace 1.5 Downloaded and installed with no configuration.
    • We’ll be using the workspace FQDN of hzn.test.in (This obviously assumes the domain of test.in)

  1. On Linux machine, generate private key(1) and CSR(2)
  2. Take CSR and get a certificate from your internal Domain CA. Download the certificate. Rename it as hzn.test.in.crt
  3. Download your internal Domain CA root key
    1. On the machine running AD Cert Services, open the command line and type the following command:
    2. [text]certutil -ca.cert %userprofile%\Desktop\test.in-root.cer[/text]
  4. Ensure that Nginx is forwarding traffic correctly to the gateway-va. Below is a snippet (Entries in square brackets need to be changed]:
    1. [text]
      server {
      listen [load balancer IP];
      server_name hzn.test.in;
      ssl on;
      ssl_certificate [path to]hzn.test.in.crt
      ssl_certificate_key [path to]hzn.test.in.key

      location / {
      proxy_pass https://gateway-va.test.in:443/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_read_timeout 1800;
      proxy_connect_timeout 1800;
      }
      [/text]

  5. Place your domain root ca key (gathered in step 3) into the configurator web interface
    1. Open the web interface and navigate to the FQDN & SSL section
    2. Select Yes under External Load Balancer
    3. Enter: hzn.test.in:443 in the Horizon Workspace FQDN section
    4. Paste the domain root ca key in the “Load Balancer Root CA Certificate” section.
  6. You’re all set!  You can now log into the Horizon Workspace Admin page by navigating to https://hzn.test.in/admin

I’d be happy to answer any questions on this. Feel free to post a comment if you like. I’ll answer any questions I can.

3 thoughts on “VMware Horizon Workspace – Part 2 – Configure Nginx as Frontend with Microsoft CA

  1. Hi,

    thank you for you great post. But i have still a question.

    I first installed the vapp in our network just for local network use. Now we decided to configure it to get external access.

    We use Kemp as Load Balancer in the DMZ. But if i come from WAN on workspace.**.de i get a access denied page from my horizon . Do you know what this can be?

    Also if i will change on configurator-va on fqdn and ssl from internal to use external load balancer and save the new config it did not change. how can that be?

    hope to hear from you soon.

    Best Regards
    Rob

  2. Hey Rob,

    Glad you liked the post, you can keep an eye out for more workspace posts as time goes on.

    I have not used Kemp, so I can’t really speak to whether or not there’s an issue there.

    I’ve got a couple of questions that might help identify the error:

    1.) Are you using an internal or external postgres database? I’ve seen an access denied error when using an incorrectly configured external db.

    2.) Does your Workspace FQDN point to your load balancer?

    3.) Did you paste a cert into the field when trying to switch to the external load balancer?

    4.) Do you get any error messages while switching to an external load balancer?

Leave a Reply to Robert Riemer Cancel reply

Your email address will not be published. Required fields are marked *

Copyright VirtJunkie.com © 2020
Click to access the login or register cheese