Custom Thumbprints for Horizon 7

Custom thumbprints allow the use of separate certificates for Blast TCP and VMware Tunnel connections since VMware Unified Access Gateway 3.4, the configuration can be done in the UAG administrative console or through PowerShell INI, according to https://techzone.vmware.com/blog/whats-new-vmware-unified-access-gateway-34.

Before this improvement, Horizon native client would encounter certificate thumbprint mismatch issue if you are using Nginx to reverse proxy to an Unified Access Gateway for Horizon View.

Here’s an example:

Reverse Proxy: nginx.bj.st

UAG: 10.117.43.230 gateway-04.uag.com (and the backend interface is in 172.16/16 subnet which connect to Horizon Connection Server)

Horizon Connection Server: 172.16.1.104 rp-01.uag.com

Disable Tunnel and BSG on Horizon Connection Server.

Enable Tunnel and BSG on UAG, external url using nginx.bj.st

Nginx configuration:

Create a configuration file for Nginx as /etc/nginx/endtoendencryption.conf:

stream {
    upstream UAGserverGroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:443;
    }
        upstream ABSGservergroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:8443;
    }
 
    server {
        listen 443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate   /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers  off;
        ssl_session_cache    shared:SSL:1m; # a 1mb cache can hold about 4000 sessions,
        ssl_session_timeout  24h;
        #keepalive_timeout 300; # up from 75 secs default
   
        # This is nginx traffic new SSL session between nginx and backend server
        proxy_ssl  on;
        proxy_pass UAGservergroup;
    }
    server {
        listen 8443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate   /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers  off;
        ssl_session_cache    shared:SSL:1m; # a 1mb cache can hold about 4000 sessions,
        ssl_session_timeout  24h;
        #keepalive_timeout 300; # up from 75 secs default
   
        # This is nginx traffic new SSL session between nginx and backend server
        proxy_ssl  on;
        proxy_pass ABSGservergroup;
    }
}

Notice that both 443 and 8443 have been configured, ssl_certificate and key also located.

Edit /etc/nginx/nginx.conf, add “include /etc/nginx/endtoendencryption.conf;” to the end of http block.

http {
...
...
}
include /etc/nginx/endtoendencryption.conf;

Try “nginx -t” to validate the configuration and “service nginx reload” to reload it.

UAG configuration:

Try connect Nginx hostname from Horizon native client and launch VDI or application via Blast Protocol, issue should be resolved.