Posts

Horizon View BLAST error in Chrome browser

We did an update of our Horizon View environment from version 7.4 to version 7.5.1. After the update we noticed something strange. Everything was working except for the BLAST client on the Chrome browser. Other browsers didn’t give errors and worked, but Chrome threw the error: “Failed to connect to the Connection Server”.

After some searching in the VMware knowledge base, I found that the error has something to do with security. The View Security document talks about Cross-Origin Resource Sharing (CORS) as the feature that handles the policies in regard to HTTP request. (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security.pdf). This means that when an URL is used that is not the same as the listening domain, or when multiple domains are used, the policies can block access because the actions are considered not secure (like there could be a man in the middle attack).

In our case we have two URL’s to the Connection Servers. The first is a loadbalanced URL (http://ViewDesktop.LocalDomain) and the second is a direct URL to the Connection Server (http://HostName.LocalDomain). We noticed that the direct URL didn’t gave problems, but de loadbalanced URL did. So it seems clear that the problem must have something to do with CORS and in specific with the Chrome browser.

When we read a little bit further in the security documentation we’ll see an explanation for our Chrome problem: “Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file”.

Now, all CORS related settings are set in the file called locked.properties. You can find the file on your View Connection and Security Servers in the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ and if it doesn’t yet exist, you can simply create it.

So now that we know the problem in the Chrome browser seems to be coming from a security feature, how do we fix the problem? There are multiple solutions to solve this problem, which all include the locked.properties file.

  1. Disable CORS altogether. Not the most elegant solution.
  2. Set the checkOrigin property to “false”. This is probably not the option that you want. Though it works, it disables the security check. (https://kb.vmware.com/s/article/2144768)
  3. Set the balancedHost property to the URL on which you connect. This is a good option as you specify the loadbalanced address that is used by View. (https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html#GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E)
  4. Set the property “chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd” in the locked.properties file. This is the best option for us as it is tailored to the issue that we are facing. (https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-security/GUID-94DAC7B8-70A3-4A91-8E70-2B2591B82866.html)

After you’ve set the locked.properties file, you’ll need to reboot the server for the settings to take effect. And after a reboot you’re Chrome errors are gone.

Installing WES7 with VMware view on a T5740 2gb

Recently I was asked to build a wes7 (Windows Embedded Standard 7) image with VMware view client for a HP T5740 2GB model. This request did bring some interesting problems to the table like:

  • How to get WES7 on a 2GB flash drive
  • How to import the correct drivers to the image during install
  • How to install VMware view client
  • How to enable EWF (Enhanced Write Filter) on the T5740

But first things first lets install WES7 on a 2gb flash drive.

Read more