Deploy VMware EUC Access Point with wildcard SSL certificates for Horizon 7 access


The challenge

So you have just built your shiny new VMware Horizon 7 VDI cluster, but now you want to publish it externally. There are two ways this can be achieved: you can either use the VMware Horizon Security Server role or grab a copy of the VMware EUC Access Point from the Identity Manager download section. I chose the latter so you don't have another instance of the ADAM database to rely on for Horizon 7 to function correctly. My environment is pretty simple: there is a connection server for internal access and a connection server to broker external access to an instant clone desktop pool. The EUC Access Gateway sits in a DMZ.

The solution

This solution assumes you already have an SSL certificate for use with the EUC Access gateway in PFX format and a DMZ.

The EUC Access Gateway is deployed from an OVF file. I use the excellent VMware Fling, the VMware Access Point Deployment utility, found here https://labs.vmware.com/flings/vmware-access-point-deployment-utility to automate the OVF deployment. You will also need a copy of the VMware OVF Tool to deploy the OVF file. This can be downloaded here https://www.vmware.com/support/developer/ovf/

Step 1 – Extract certificate chain and key from PFX file

You will need to export your PFX certificate to PEM file format and extract the private key from it. You will need OpenSSL to perform this.

The first command to run is:

openssl pkcs12 -in CertificateName.pfx -out CertificateName.pem -nodes

If the PFX file is password protected, you will be prompted to enter your password.

The second command to run is:

openssl rsa -in CertificateName.pem -out CertificateName.key

You should end up with 2 new files, CertificateName.pem and CertificateName.key, as below.

Now edit the PEM file with your favourite text editor and remove any text that is not contained between the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- sections, as highlighted below in red.

You only want to be left with the certificate blocks, each running from its BEGIN CERTIFICATE line to its END CERTIFICATE line. You may find there are multiple sections that contain BEGIN and END. You need all of these as they make up the certificate, any intermediate certificates and the root certificate.

Save the files and move onto step 2.
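The manual clean-up in Step 1 can also be scripted. This is an added example, not part of the original post: the function names and the constructed sample input are hypothetical, and it assumes a POSIX shell with awk and grep.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# The PEM written by `openssl pkcs12 ... -nodes` holds Bag Attributes text and
# the UNENCRYPTED private key as well as the certificates.

# Print only the BEGIN CERTIFICATE..END CERTIFICATE blocks of PEM file $1.
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Print how many certificates (leaf, intermediates, root) file $1 contains.
pem_cert_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if file $1 still contains any private key block.
pem_has_private_key() {
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Constructed sample shaped like pkcs12 output; the base64 lines are placeholders.
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURURLRVlEQVRB
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = *.example.test
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURMRUFGQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURJTlRFUk1FRElBVEU=
-----END CERTIFICATE-----
EOF
}

# Stand-alone use: sh thisscript.sh CertificateName.pem > chain.pem
if [ "$#" -eq 1 ]; then pem_certs_only "$1"; fi
```

Write the result to a separate file (chain.pem is a hypothetical name) rather than over CertificateName.pem if the second openssl command has not been run yet, since that command reads the key from the original PEM. Running pem_has_private_key on the output confirms no key material is left in what gets pasted as the certificate chain.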

Step 2 – Configuring EUC Access Gateway Fling

They say a picture speaks a thousand words…

I think most of those items are self-explanatory. The external IP address will be the IP address the appliance will have on the DMZ network. External Network is the name of the VM port group. Tick the 2 boxes highlighted in yellow to enable additional settings for View and SSL certificates. Paste the contents of the KEY and PEM files into the boxes as shown. There will be a box to click which will format the certificate chains correctly.

The one thing that you will not have collected for the above is the View Thumbprint. This again assumes you have already applied an SSL certificate to your View Connection server. Check the properties of the certificate and grab the thumbprint as below.

Once you have all those details filled in, hit the Deploy Access Point Appliance button and sit back and relax until the progress box is complete.

Step 3 – Is it working?

Once the OVF has deployed, you can check and make sure the appliance VM is booting as expected.

Once the appliance has booted, you should be able to connect to the Access Point URL you specified in the deployment wizard and see something similar to this with a valid SSL certificate.

And you're done.

Hopefully this helps you out.

Ian
