Posts

Horizon View BLAST error in Chrome browser

We did an update of our Horizon View environment from version 7.4 to version 7.5.1. After the update we noticed something strange. Everything was working except for the BLAST client on the Chrome browser. Other browsers didn’t give errors and worked, but Chrome threw the error: “Failed to connect to the Connection Server”.

After some searching in the VMware knowledge base, I found that the error has something to do with security. The View Security document describes Cross-Origin Resource Sharing (CORS) as the feature that handles the policies for HTTP requests (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security.pdf). This means that when a URL is used that is not the same as the listening domain, or when multiple domains are used, the policies can block access because the actions are considered not secure (for example, there could be a man-in-the-middle attack).

In our case we have two URLs to the Connection Servers. The first is a load-balanced URL (http://ViewDesktop.LocalDomain) and the second is a direct URL to the Connection Server (http://HostName.LocalDomain). We noticed that the direct URL didn’t give problems, but the load-balanced URL did. So it seems clear that the problem must have something to do with CORS, and specifically with the Chrome browser.

When we read a little bit further in the security documentation we’ll see an explanation for our Chrome problem: “Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file”.

Now, all CORS related settings are set in the file called locked.properties. You can find the file on your View Connection and Security Servers in the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ and if it doesn’t yet exist, you can simply create it.

So now that we know the problem in the Chrome browser seems to be coming from a security feature, how do we fix it? There are several solutions, all of which involve the locked.properties file.

  1. Disable CORS altogether. Not the most elegant solution.
  2. Set the checkOrigin property to “false”. This is probably not the option that you want. Though it works, it disables the security check. (https://kb.vmware.com/s/article/2144768)
  3. Set the balancedHost property to the URL on which you connect. This is a good option as you specify the load-balanced address that is used by View. (https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html#GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E)
  4. Set the property “chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd” in the locked.properties file. This is the best option for us as it is tailored to the issue that we are facing. (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security/GUID-94DAC7B8-70A3-4A91-8E70-2B2591B82866.html)

After you’ve set the locked.properties file, you’ll need to reboot the server for the settings to take effect. After the reboot, your Chrome errors are gone.
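To check which of the options above a given locked.properties actually uses, the following added example (not code from VMware or from the original post) parses the file and reports the CORS-related settings discussed here. The function names and both sample files are constructed for illustration; treating balancedHost as a bare host name and flagging extra chromeExtension entries are assumptions of this sketch.

```python
import re

# Chrome extension ID quoted in option 4 of the post.
HORIZON_CHROME_EXT = "bpifadopbphhpkkcfohecfadckmpjmjd"

def parse_properties(text):
    """Parse simple key=value lines (.properties style, no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, balanced_host):
    """Return findings for the settings the post discusses (hypothetical helper)."""
    props = parse_properties(text)
    findings = []
    # Option 2: works, but switches the origin check off entirely.
    if props.get("checkOrigin", "").lower() == "false":
        findings.append("checkOrigin=false: origin checking is disabled")
    # Option 4: every chromeExtension.N entry registers one extension identity.
    ext_ids = {v for k, v in props.items()
               if re.fullmatch(r"chromeExtension\.\d+", k)}
    if HORIZON_CHROME_EXT not in ext_ids:
        findings.append("chromeExtension: Horizon Chrome client is not registered")
    for ext in sorted(ext_ids - {HORIZON_CHROME_EXT}):
        findings.append("chromeExtension: unexpected extension ID " + ext)
    # Option 3: if balancedHost is present it should name the load-balanced host.
    if "balancedHost" in props and props["balancedHost"].lower() != balanced_host.lower():
        findings.append("balancedHost: does not match " + balanced_host)
    return findings

# Constructed sample files, not taken from a real server.
WEAK = "# workaround that turns the check off\ncheckOrigin=false\n"
FIXED = ("# targeted fix (options 3 and 4)\n"
         "chromeExtension.1=" + HORIZON_CHROME_EXT + "\n"
         "balancedHost=ViewDesktop.LocalDomain\n")

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(sample, "ViewDesktop.LocalDomain") or "no findings")
```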

Configuring Google Chrome on a Terminal Server

In this post, which is a follow-up to this post, http://www.peppercrew.nl/how-to-install-google-chrome-on-a-terminal-server/, I will describe how you can configure Google Chrome on a Terminal Server.

After installing Google Chrome on a Terminal Server you want to configure Google Chrome with Group Policies. I used the policy from this site: The Chromium Projects.

In this policy you want to configure a path where the user data and browser cache are stored. By default the Google Chrome user data is stored under the folder Local Settings, the part of the user profile that does not roam at logoff. If you don’t enter a different path here, the user’s changes in Google Chrome are not saved at logoff. At first I entered the path to the user’s terminal server home directory (\\server\TSProfiles\%username%\Chrome\User Data).
