Since VMware Unified Access Gateway 3.4, custom thumbprints allow separate certificates to be used for Blast TCP and VMware Tunnel connections. The setting can be configured in the UAG administrative console or through the PowerShell INI file; see https://techzone.vmware.com/blog/whats-new-vmware-unified-access-gateway-34.
Before this improvement, the Horizon native client would hit a certificate thumbprint mismatch if Nginx was used to reverse proxy to a Unified Access Gateway for Horizon View: the client checks the thumbprint of the certificate presented on the Tunnel and Blast connections, and with Nginx terminating TLS it sees the Nginx certificate rather than the one UAG advertises.
Here’s an example:
Reverse proxy: nginx.bj.st
UAG: 10.117.43.230 gateway-04.uag.com (the backend interface is in the 172.16/16 subnet, which connects to the Horizon Connection Server)
Horizon Connection Server: 172.16.1.104 rp-01.uag.com
Disable Tunnel and BSG on the Horizon Connection Server.
Enable Tunnel and BSG on UAG, with the external URLs using nginx.bj.st.
Nginx configuration:
Create a configuration file for Nginx as /etc/nginx/endtoendencryption.conf:
stream {
    upstream UAGservergroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:443;
    }
    upstream ABSGservergroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:8443;
    }
    server {
        listen 443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        # TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients require them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:1m; # a 1mb cache can hold about 4000 sessions
        ssl_session_timeout 24h;
        #keepalive_timeout 300; # up from 75 secs default
        # This is nginx traffic new SSL session between nginx and backend server
        # (nginx does not verify the UAG certificate unless proxy_ssl_verify is enabled)
        proxy_ssl on;
        proxy_pass UAGservergroup;
    }
    server {
        listen 8443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:1m; # a 1mb cache can hold about 4000 sessions
        ssl_session_timeout 24h;
        #keepalive_timeout 300; # up from 75 secs default
        # This is nginx traffic new SSL session between nginx and backend server
        proxy_ssl on;
        proxy_pass ABSGservergroup;
    }
}
Note that both listeners are configured, 443 for the Tunnel and 8443 for the Blast Secure Gateway, and that each one points to the Nginx certificate and key.
Edit /etc/nginx/nginx.conf and add the line “include /etc/nginx/endtoendencryption.conf;” after the closing brace of the http block. The stream context must sit at the top level of nginx.conf alongside http, not inside it:
http {
    ...
    ...
}
include /etc/nginx/endtoendencryption.conf;
Run “nginx -t” to validate the configuration, then “service nginx reload” to apply it.
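After the reload, the thumbprint of the certificate each listener actually serves should be the one entered in the UAG custom thumbprint setting. The following script is an added example, not part of the original post or of VMware's tooling: it computes the thumbprint of the Nginx certificate, renders it in an assumed “sha1=aa:bb:…” syntax, and checks what nginx.bj.st presents on 443 and 8443. The hostname, certificate path and thumbprint syntax are assumptions; the SAMPLE_DER bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re
import ssl

# Constructed placeholder DER bytes, NOT a real certificate: used only so the
# helpers can be exercised offline. In practice read /etc/nginx/keys/nginx.crt.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """A certificate thumbprint is the hash of its DER encoding (lowercase hex)."""
    return hashlib.new(algo, der).hexdigest()

def uag_thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Render as 'sha1=aa:bb:...'; the 'algo=' prefix is an assumed UAG syntax."""
    h = thumbprint(der, algo)
    return f"{algo}=" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(tp: str) -> str:
    """Drop the 'algo=' prefix and any separators so thumbprints compare by digest."""
    return re.sub(r"[^0-9a-f]", "", tp.split("=", 1)[-1].lower())

def presented_thumbprint(host: str, port: int, algo: str = "sha1") -> str:
    """Thumbprint of the leaf certificate a listener serves. No chain validation
    is done here because the Nginx certificate may be self-signed."""
    return thumbprint(pem_to_der(ssl.get_server_certificate((host, port))), algo)

def check_listeners(expected_pem: str, host: str, ports=(443, 8443)) -> dict:
    """Per port: does the served certificate match the one whose thumbprint is in UAG?"""
    want = thumbprint(pem_to_der(expected_pem))
    return {p: presented_thumbprint(host, p) == want for p in ports}

if __name__ == "__main__":  # run on the proxy host after "service nginx reload"
    with open("/etc/nginx/keys/nginx.crt") as f:
        crt = f.read()
    print(uag_thumbprint(pem_to_der(crt)), check_listeners(crt, "nginx.bj.st"))
```

A False entry for either port means that listener is serving a different certificate than the one whose thumbprint UAG advertises, which is exactly the mismatch the client reports.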