Posts

Showing posts from October, 2017

Persistence Profile - F5 LTM Load Balancing for VMware Unified Access Gateway Appliance

If you are using F5 LTM in the DMZ to load balance (LB) the VMware Unified Access Gateway (UAG) appliance, it is very important to use the iApp or the F5 deployment guide to set the Persistence Profile options properly, or else you might end up with issues.

Background: The F5 LTM VIP for the UAG appliance was created manually without using the f5_vmware_view iApp, and the Persistence Profile settings were manually configured. (I highly recommend using the iApp and going through the F5 deployment guides.)

Issue 1: The BLAST connection fails in the backend. The original SessionID request was going to UAG1, and because of the LB in front, the next request for the same SessionID was going to UAG2.

Log Snippet UAG1:
[2017-XX-XX 12:50:33.428] [INFO]    2289 [absg-master] - Added route 810DF5FF-*** to target 10.x.x.x|22443

Log Snippet UAG2:
[2017-XX-XX 12:50:35.589] [ERROR]    2723 [absg-worker] - Failed to resolve proxying route: 810DF5FF-***

As noted above the ...

Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

If you have deployed the Horizon TrueSSO feature within your environment, the most obvious question is: how do you troubleshoot when issues occur? Let me give you some tips and tricks for troubleshooting the TrueSSO aka Enrollment Server feature:

If you have two teams, with one team managing Active Directory/Certificate Services and the other team managing the Horizon infrastructure, then the following are the tips for the Horizon admins.

Install the Microsoft RSAT tools on your domain-joined machine or Enrollment Servers and install the AD Certificate Services Tools. This will give you the ability to see the following snap-ins in read-only mode:
Enterprise PKI – Allows you to check the CDP and CRL and Issuing CA Status
Certificate Templates – TrueSSO, Enrollment Agent (Computer) Templates etc.

Make sure to enable trace logging on the Enrollment Servers and Horizon Agent (within the master image) during troubleshooting. It will provide additional details on the error message [HKEY_LOCAL_MACH...

Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

I recently got an opportunity to deploy VMware Horizon TrueSSO within our environment. TrueSSO provides users with the True SSO (single sign-on) feature: after users log in to VMware Identity Manager (Workspace ONE) using RSA SecurID authentication (optional), they are not required to enter Active Directory credentials in order to use a virtual desktop or hosted application. Let me share my top 10 lessons learnt from the deployment:

In a production deployment, I recommend sizing the Enrollment Server Windows VM the same as the Connection Server (the ES role is not very resource intensive):
CPU – 4 vCPU
Memory – 10 GB RAM
HDD – 80 GB

Make sure the “Group Scope” is selected as “Universal” for the Active Directory group in which the Enrollment Server computer account is added.

On the newly created TrueSSO template (SmartCard Login and Client Authentication), make sure that under the Security tab the “Authenticated Users” group has Read permissions and the Active Directory group for the Enrollment ...