Using the Host Redirection feature in VMware Horizon

Introduction

By default, VMware Horizon has a couple of security features enabled, as you can read in the following VMware KB.

These security features check the URL the user is coming from. That URL needs to be known to the Connection Server that receives the request. For example, if users click a link on badguy.com that redirects them to the VMware Horizon environment, the VMware Horizon Connection Servers will reject the request.

An overview of these security features is shown in the following table:

These security features resulted in the following symptoms when accessing the Horizon environment through HTML access:

  • Users and administrators saw a “Waiting” screen in the browser and nothing happened
  • An alert appeared “Failed to connect to the Horizon Connection Server” when authenticating to VMware Horizon.

locked.properties file

As a best practice, you should not disable these security features, as described here and here.

One way to configure the correct security settings is by creating the “%install_directory%\VMware\VMware View\Server\sslgateway\conf\locked.properties” file on each Horizon Connection server to include the VMware Horizon Load Balance FQDN(s) (both external and internal can be specified) and, optionally, also include the individual Connection Server FQDNs. For example:

balancedHost.1 = horizon.cloudworkspaceservices.com
balancedHost.2 = horizoninternal.cloudworkspaceservices.local
portalHost.1 = hzncs01.cloudworkspaceservices.local
portalHost.2 = hzncs02.cloudworkspaceservices.local
portalHost.3 = hzncs03.cloudworkspaceservices.local

When done, you will need to restart the “VMware Horizon View Connection Server” service on each Horizon Connection server. Please note, this can take up to 5 minutes to complete per Connection Server.
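Because the file is created by hand on each Connection Server, the copies can drift apart. The following is an added example, not part of the original article or of any VMware tooling: it compares the balancedHost/portalHost entries of several locked.properties texts and reports missing or malformed values. The sample file contents are constructed from the hostnames above, and the rule that a value must be a bare FQDN is an assumption based on the article's example.

```python
import re

# Keys taken from the article's locked.properties example.
ENTRY = re.compile(r"^\s*(balancedHost|portalHost)\.\d+\s*[=:]\s*(.*?)\s*$")
# Assumption: values are bare DNS names (no scheme, port or path), as in the article.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_hosts(text):
    """Return the set of (kind, host) pairs found in one locked.properties text."""
    hosts = set()
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # .properties comment lines
            continue
        m = ENTRY.match(line)
        if m:
            hosts.add((m.group(1), m.group(2).lower()))
    return hosts

def audit(files):
    """files maps server name -> file text. Returns a sorted list of findings."""
    parsed = {srv: parse_hosts(txt) for srv, txt in files.items()}
    # Expected allowlist: every well-formed entry seen on any server.
    expected = {e for hosts in parsed.values() for e in hosts if FQDN.match(e[1])}
    findings = []
    for srv, hosts in parsed.items():
        for kind, host in expected - hosts:
            findings.append(f"{srv}: missing {kind} {host}")
        for kind, host in hosts:
            if not FQDN.match(host):
                findings.append(f"{srv}: {kind} is not a bare FQDN: {host}")
    return sorted(findings)

# Constructed sample: three copies of the file, two of which have drifted.
BASELINE = """\
balancedHost.1 = horizon.cloudworkspaceservices.com
balancedHost.2 = horizoninternal.cloudworkspaceservices.local
portalHost.1 = hzncs01.cloudworkspaceservices.local
portalHost.2 = hzncs02.cloudworkspaceservices.local
"""
SAMPLE = {
    "hzncs01": BASELINE,
    "hzncs02": "# edited by hand\n" + BASELINE.replace(
        "balancedHost.2 = horizoninternal.cloudworkspaceservices.local\n", ""),
    "hzncs03": BASELINE.replace("= horizon.", "= https://horizon."),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries are compared by kind and hostname only, so the same host listed under a different index number on another server is not reported as drift.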

Enable Host Redirection

The locked.properties file solution works great, but you still need to create and edit the file on each server manually. This configuration is also not stored in the AD LDS database, meaning it can be subject to change when upgrading to a new server OS or Horizon version.

A better way to configure the correct security settings is by enabling the Host Redirection feature, which was first introduced in Horizon 2209.

“When using the feature, an HTTP request from a load balancer host reaches the Connection Server, the Connection Server responds with an external HTTP redirection URL. For subsequent requests, the Horizon Client directly connects to the Connection Server using the external URL, thereby minimizing misroutes that might occur at the load balancer.”

The following steps are required to enable this feature on each Horizon Connection server:

  1. In Horizon Console, select Settings > Servers.
  2. On the Connection Servers tab, select a Connection Server instance and click Edit.
  3. On the General tab, select the Enable Host Redirection check box.
  4. Enter one or more load balancer FQDN(s) in the text box by clicking the plus sign (“+”) to the right of the text box to add the FQDN.


When completed, restart the “VMware Horizon View Connection Server” service on each Horizon Connection server.

On each Horizon Connection server, we now see that the file “%install_directory%\VMware\VMware View\Server\sslgateway\conf\config.properties” has changed.

Unlike the locked.properties method, it’s not necessary to add the individual VMware Horizon Connection Server FQDNs to access the Horizon Connection servers individually.

That’s it!
