This one was a head scratcher for a few minutes, and I admit I had a little internal panic thinking something had broken my Pod.
When accessing the admin page after putting in a load balancer, I was presented with a blue background and a blank white box. No logon options, no dashboard, no hope!
I tried all the Connection Brokers to no avail until I tried the https://localhost/admin option locally on the Connection Broker.
After a little digging it appears there is a new security option in Horizon 7 that is now enabled by default – RFC 6454 Origin Checking.
This protects against cross-site request forgery and “rejects the request if the URL is not https://localhost/admin or https://URL_used_in_Secure_Tunnel_URL_Field/admin.”
Basically the fix options are:
- You can correct the URL in the Secure Tunnel settings and use that address from now on.
- If you want to disable the feature and are connecting direct to connection brokers, add “checkOrigin=false” to the locked.properties file in C:\Program Files\VMware\VMware View\Server\sslgateway\conf.
- Do not be surprised if this file is not there; you may have to create it. Make sure you use Notepad or a similar plain-text editor, as Word will add unnecessary characters.
- If it’s a load balancer address you can add “balancedHost=load-balancer-name” to the locked.properties file.
This needs to be done on every Connection Broker in the Pod, and the services restarted afterwards.
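To avoid the stray-character problem when creating the file by hand, the load balancer entry can be written with a script. This is an added example, not from VMware or the original post; `load-balancer-name` is a placeholder, and the path and key names are the ones quoted above.

```powershell
# Added example: idempotently set balancedHost in locked.properties on one Connection Broker.
# $LoadBalancerName is a placeholder; path and key names are taken from the post.
param(
    [string]$LoadBalancerName = 'load-balancer-name',
    [string]$ConfDir = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
)

$ErrorActionPreference = 'Stop'
$file = Join-Path $ConfDir 'locked.properties'

# Read existing settings; the file may not exist yet.
$lines = @()
if (Test-Path -LiteralPath $file) {
    Copy-Item -LiteralPath $file -Destination "$file.bak" -Force   # keep a backup
    $lines = @(Get-Content -LiteralPath $file)
}

# Flag an existing override that switches origin checking off entirely.
if ($lines | Where-Object { $_ -match '^\s*checkOrigin\s*=\s*false\s*$' }) {
    Write-Warning 'checkOrigin=false is present: origin checking is disabled on this broker.'
}

# Replace any previous balancedHost line instead of appending a duplicate.
$kept = @($lines | Where-Object { $_ -notmatch '^\s*balancedHost\s*=' })
$kept += "balancedHost=$LoadBalancerName"

# Write plain ASCII: no byte-order mark, no UTF-16, no smart quotes.
Set-Content -LiteralPath $file -Value $kept -Encoding Ascii

# Verify: no BOM at the start of the file, and exactly one balancedHost entry.
$bytes = [System.IO.File]::ReadAllBytes($file)
if ($bytes.Length -ge 2 -and ($bytes[0] -in 0xEF, 0xFF, 0xFE)) {
    throw "Unexpected byte-order mark in $file"
}
$count = @(Get-Content -LiteralPath $file | Where-Object { $_ -match '^balancedHost=' }).Count
if ($count -ne 1) { throw "Expected one balancedHost entry, found $count" }

Write-Output "Wrote $file. Restart the Connection Server services for the change to take effect."
```

Run it from an elevated PowerShell session on each Connection Broker, passing the real load balancer name with `-LoadBalancerName`.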
For completeness I have added a couple of references from VMware which cover the issue from a documentation and KB article point of view.
As always, check what the security and other implications are for your environment, and go with the load balancer statement (if this fits) rather than disabling the feature, as it is there to protect the environment.