Install VMware Horizon 7 Lets Encrypt SSL Certificate

0

If you have ever used Let’s Encrypt SSL certificates, you know they are easy to use and free! The free part is the best part of the solution. Especially if you run a home lab, Let’s Encrypt provides a great option for installing proper certificates in your environment. What about VMware Horizon? I wanted to go through the steps to show how to install a Let’s Encrypt certificate in a VMware Horizon environment. How do you do this for your UAG box and your Load balancer as well as DNS configuration considerations for internal clients? Let’s look at how to install VMware Horizon 7 Lets Encrypt SSL certificate and see how this can be done.

What is Let’s Encrypt?

First, what if Let’s Encrypt is totally foreign to you? What is it? By their own defination, they are a free, automated, and open certificate authority CA that has been established for the benefit of the public. It is provided by the Internet Security REsearch Group (ISRG).

Since the security of the data that is transmitted across the Internet relies on SSL encryption, SSL certs are a huge deal. You want to have SSL certificates installed on all your forward facing sites, and other services. By now that should be a basic requirement that is by default, no questions asked.

Now that we have great resources like Let’s Encrypt, it makes SSL certificates a non issue from a cost perspective as well. What are the key concepts behind Let’s Encrypt?

  • It’s free
  • It can be automatically configured to renew, etc
  • Secure – uses TLS security best practices
  • Transparent security – all certs are available for viewing and scrutiny
  • Open standard
  • Joint effort – Let’s Encrypt is a joint effort to benefit the Internet community with better security across the board

Install VMware Horizon 7 Lets Encrypt SSL Certificate

The workflow that I will be following to install Let’s Encrypt certificates in my VMware Horizon 7 environment is as follows:

  • On the Windows-based Horizon Connection Server, run the Let’s Encrypt “win-acme” program to generate the certificate in the local certificate store
  • Also generate a PEM formatted certificate for use on the UAG boxes
  • Install the Let’s Encrypt certificate on UAG boxes
  • Install the Let’s Encrypt certificate on Load balancer in front of connection servers
  • Reconfigure the thumbprint of the certificate on the UAG boxes to match the new thumbprint presented by the Let’s encrypt certificate
  • Test

Running the Win-Acme Tool

Let’s Encrypt has a free tool available on Github that can be used for creating, or renewing your certificates. We will use this to generate a new certificate for our Horizon environment.

The win-acme tool is basically a wizard via the command line that provides a workflow based on the inputs you give to the menus. Here we are going to Create new certificates with advanced options.

Run-the-Lets-Encrypt-win-acme-tool-to-generate-a-new-SSL-certificate-for-VMware-Horizon-7 Install VMware Horizon 7 Lets Encrypt SSL Certificate
Run the Let’s Encrypt win-acme tool to generate a new SSL certificate for VMware Horizon 7

Here we are choosing to manually input the host names.

Choosing-to-manually-create-your-SSL-certificate Install VMware Horizon 7 Lets Encrypt SSL Certificate
Choosing to manually create your SSL certificate

Next, choose the hostname and friendly name for the certificate.

Choosing-hostname-and-friendly-name Install VMware Horizon 7 Lets Encrypt SSL Certificate
Choosing hostname and friendly name

Choose how you want to validate the certificate. There are many options for this including from memory, DNS records, scripts, and others. Also, we are going to place the certificate in the certificate store of the Horizon connection server.

A note here, the cert created in the certificate store is not actually going to be assigned to the Connection Server. However, placing it here gives you options to export and other capabilities. The PEM files will be used to import to the UAG boxes.

Choosing-validation-and-CSR-options Install VMware Horizon 7 Lets Encrypt SSL Certificate
Choosing validation and CSR options

In the next step, as mentioned, we are creating PEM files in addition to the certificate store placement. This will produce the PEM format needed for the UAG boxes without having to do any converting using OpenSSL. You have to define a path for the output of the PEM files.

Choosing-additional-certificate-storage-options Install VMware Horizon 7 Lets Encrypt SSL Certificate
Choosing additional certificate storage options

Finally, the utility actually creates the certificate and outputs the additional PEM files to the folder.

Lets-Encrypt-Certificate-is-created-and-additional-PEM-export-also Install VMware Horizon 7 Lets Encrypt SSL Certificate
Let’s Encrypt Certificate is created and additional PEM export also

You get two PEM files. One is the PEM “key” and the other is the certificate.

Lets-Encrypt-PEM-files-are-exported-to-the-folder-defined-1 Install VMware Horizon 7 Lets Encrypt SSL Certificate
Let’s Encrypt PEM files are exported to the folder defined

Install the Let’s Encrypt PEM SSL Certificate on the UAG boxes

Login to your UAG admin interface. Navigate to Advanced Settings > TLS Server Certificate Settings

Viewing-the-Unified-Access-Gateway-UAG-TLS-certificate-settings Install VMware Horizon 7 Lets Encrypt SSL Certificate
Viewing the Unified Access Gateway UAG TLS certificate settings

Now, I have copied my certificate files to my admin workstation that were created on the Horizon Connection Server to a folder on my desktop. After logging into the UAG box, I select key and chain files accordingly for the TLS Server Certificate settings.

Choose-the-certificate-files-that-you-created-with-the-Lets-Encrypt-utility-and-upload-to-UAG Install VMware Horizon 7 Lets Encrypt SSL Certificate
Choose the certificate files that you created with the Let’s Encrypt utility and upload to UAG

Once you save the new certificate, your browser will display the message similar to below. Depending on which options you select, the message will display what services the certificate is applied to.

Save-your-certificate-changes Install VMware Horizon 7 Lets Encrypt SSL Certificate
Save your certificate changes

Once you refresh your browser session, you can view the certificate that is presented and make sure it is the new certificate you have installed. You can verify this by the Issued to as well as the Valid from fields.

Check-the-SSL-certificate-on-your-UAG-box-to-make-sure-it-is-the-one-expected Install VMware Horizon 7 Lets Encrypt SSL Certificate
Check the SSL certificate on your UAG box to make sure it is the one expected

After installing on the UAG boxes, if you have a load balancer in your environment, you can also install your new cert there as well. I have a load balancer in front of my connection servers in the lab.

I can install the cert here as well. Then, using DNS, I can point clients to the proper name internally with the cert on the load balancer as well as have the cert on the UAG boxes for external access.

For a tutorial on standing up an easy Horizon load balancer, see here:

Adding-the-certificate-on-your-Load-balancer Install VMware Horizon 7 Lets Encrypt SSL Certificate
Adding the certificate on your Load balancer

There is another step we need to take. The UAG box relies on the correct thumbprint on the cert to make a connection to the Horizon edge services. As you can see below, we now have an error on the Horizon Destination Server due to the cert thumbprint changing.

Horizon-Connection-server-connection-from-UAG-will-be-broken-without-the-right-thumbprint Install VMware Horizon 7 Lets Encrypt SSL Certificate
Horizon Connection server connection from UAG will be broken without the right thumbprint

Since I am pointing from the UAG box to my load balancer, I need to get the thumbprint from the new certificate that I now have installed on the load balancer. Open a browser, view your cert, and get the Thumbprint value.

Get-the-thumbprint-of-the-certificate-to-add-to-the-UAG-box Install VMware Horizon 7 Lets Encrypt SSL Certificate
Get the thumbprint of the certificate to add to the UAG box

Go back to your UAG and under Horizon settings replace the Connection SErver URL Thumbprint with the new value. The format is to start the string with sha1= and then your thumbprint with a space in between every two characters.

Enter-the-thumprint-you-get-from-viewing-the-certificate-in-the-browser Install VMware Horizon 7 Lets Encrypt SSL Certificate
Enter the thumprint you get from viewing the certificate in the browser

After replacing the certificate thumbprint value and refreshing the services, we now have all green.

Horizon-Connection-server-services-should-now-show-all-green-from-the-UAG-box Install VMware Horizon 7 Lets Encrypt SSL Certificate
Horizon Connection server services should now show all green from the UAG box

Wrapping Up

The process to Install VMware Horizon 7 Lets Encrypt SSL Certificate in your environment is pretty straightforward. Using the utility, you can easily spin up a new certificate in the correct PEM format to install on your UAG boxes.

As shown, a few other steps may be required if you are using a load balancer. Also, you will need to replace the thumbprint on your UAG box pointed to the connection server environment, whether this is the load balancer or a direct connection with your Horizon Connection Server. However, this is a standard step you have to perform regardless.

StarWind VSAN