We did an update of our Horizon View environment from version 7.4 to version 7.5.1. After the update we noticed something strange. Everything was working except for the BLAST client on the Chrome browser. Other browsers didn’t give errors and worked, but Chrome threw the error: “Failed to connect to the Connection Server”.
After some searching in the VMware knowledge base, I found that the error has something to do with security. The View Security document (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security.pdf) describes Cross-Origin Resource Sharing (CORS) as the feature that handles the policies for HTTP requests. This means that when a URL is used that is not the same as the listening domain, or when multiple domains are used, the policies can block access because the actions are considered not secure (for example, there could be a man-in-the-middle attack).
In our case we have two URLs to the Connection Servers. The first is a loadbalanced URL (http://ViewDesktop.LocalDomain) and the second is a direct URL to the Connection Server (http://HostName.LocalDomain). We noticed that the direct URL didn’t give problems, but the loadbalanced URL did. So it seems clear that the problem must have something to do with CORS, and specifically with the Chrome
When we read a little further in the security documentation, we see an explanation for our Chrome problem: “Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file”.
Now, all CORS-related settings are set in the file called locked.properties. You can find the file on your View Connection and Security Servers in the folder View\Server\sslgateway\conf\ and, if it doesn’t exist yet, you can simply create it.
So now that we know the problem in the Chrome browser seems to be coming from a security feature, how do we fix it? There are multiple solutions, all of which involve the locked.properties file.
- Disable CORS altogether. Not the most elegant solution.
- Set the checkOrigin property to “false”. This is probably not the option that you want. Though it works, it disables the security check. (https://kb.vmware.com/s/article/2144768)
- Set the balancedHost property to the URL on which you connect. This is a good option as you specify the loadbalanced address that is used by View. (https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html#GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E)
- Set the property “chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd” in the locked.properties file. This is the best option for us as it is tailored to the issue that we are facing. (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security/GUID-94DAC7B8-70A3-4A91-8E70-2B2591B82866.html)
After you’ve set the locked.properties file, you’ll need to reboot the server for the settings to take effect. After the reboot, your Chrome errors are gone.
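
To check a locked.properties file after editing it, here is an added example (not part of the original post or of VMware's tooling) that flags a disabled origin check and validates each chromeExtension entry. The function names, severity labels, and sample file contents are assumptions made for illustration; the balancedHost value reuses the hostname from this post.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (severity, message) findings for the CORS-related keys."""
    props = parse_properties(text)
    findings = []
    if props.get("checkOrigin", "").lower() == "false":
        findings.append(("HIGH", "checkOrigin=false disables the origin check"))
    if "balancedHost" in props:
        findings.append(("INFO", "balancedHost=" + props["balancedHost"]))
    for key in sorted(props):
        if key.startswith("chromeExtension."):
            ext = props[key]
            if EXT_ID.match(ext):
                findings.append(("INFO", key + " registers " + ext))
            else:
                findings.append(("WARN", key + " is not a valid extension ID: " + ext))
    return findings

# Constructed sample contents, not taken from a real server.
WEAK = "checkOrigin=false\n"
FIXED = (
    "# origin check left enabled, Chrome extension registered\n"
    "balancedHost=ViewDesktop.LocalDomain\n"
    "chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd\n"
)

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("fixed", FIXED)):
        for severity, message in audit(sample):
            print(name, severity, message)
```

A mistyped extension ID shows up as a WARN line, which is worth catching before the reboot because a wrong ID leaves the Chrome error in place.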