Friday, December 10, 2021

VMware UAG deployment and thumbprint detection issue in front of the firewall



 In isolated network designs where incoming connections from outside the network must be secured, deploying VMware Unified Access Gateway (UAG) is essential: it protects the VDI environment, limits the types of access that are exposed, and hardens the internal Horizon Connection Servers (CS). In most scenarios the UAG server(s) are deployed in the DMZ boundary (subnet / VLAN), either standalone or load-balanced, so if there is a firewall between these network boundaries it will probably restrict the communication between the CS and UAG servers.
 UAG, the successor of the Security Server and Access Point, is based on Photon OS, VMware's own Linux distribution, and acts as the edge service for VMware Workspace ONE and the Horizon suite. It stores certificates in the Java KeyStore (JKS) format, so it is worth learning the Linux SSL tooling, OpenSSL and keytool, because in the first step of the UAG configuration you must set the Horizon Connection Server's URL and certificate thumbprint, and the UAG then validates the CS certificate against that. There are two methods for this validation:

  1. Set the SHA-1 thumbprint of the deployed CS certificate manually; it makes no difference whether the certificate is self-signed or issued by an internal CA service. 
  2. For a certificate issued by an external, publicly trusted CA, add the CA certification path (root and subordinate) to the UAG trust store if it is not already there, so the UAG can validate the certificate announced by the CS.

 

 In my experience, a firewall policy that includes SSL inspection can prevent the direct secured channel from being established, even when the firewall trusts the corresponding SSL certificate. The firewall alters the SSL connection between the CS and the UAG: it sits in the middle of the communication and terminates two separate channels, UAG to firewall and CS to firewall (and their reverse paths in the firewall rules), so the UAG never sees the CS certificate itself.

 As I mentioned before, we can import the trusted certificate used by the Horizon CS (the one with the friendly name vdm) into the UAG Java KeyStore, but you still need to account for the firewall's intervention in the SSL communication, especially with hardware appliances such as Sophos, Juniper, Fortinet or Palo Alto. You can convert the certificate (openssl), import its root CA into the Java KeyStore (keytool), and list the contents of the cacerts file (the UAG Java KeyStore) at the following path; the keystore is a binary file, so use keytool rather than a text editor (it prompts for the keystore password):

# keytool -list -keystore /lib/jvm/jre/lib/security/cacerts

Even if you import the certificate anyway, you will still hit other issues on the road to certificate validation in the UAG; I will explain them in another post. Once I understood that my firewall was acting as an intermediary in the SSL communication between the CS and the UAG, it was clear why the UAG could not connect to the CS even though I had set the SHA-1 thumbprint. So as the next step I tried curl:

# curl -v https://horizon-cs.company.com:443



Reviewing the output more carefully, I saw that the firewall accepts the certificate but changes the issuer information, replacing it with the firewall's own default issuing certificate. Now I was sure that was the primary issue. So I ran the following command to get the SHA-1 fingerprint of the X.509 certificate that was actually presented in response (stderr is discarded so that only the certificate reaches openssl x509):

# echo | openssl s_client -connect horizon-cs.company.com:443 -servername horizon-cs.company.com 2>/dev/null | openssl x509 -noout -fingerprint -sha1


When I replaced the Horizon certificate thumbprint in the UAG with the fingerprint returned by that command, the secured connection was established successfully. Keep in mind that this pins the thumbprint of the certificate the firewall re-signs, so the UAG is now trusting the inspecting firewall rather than the Connection Server itself, and if the CS certificate or the firewall's inspection CA changes the thumbprint has to be updated again. The cleaner alternative is to exempt the UAG-to-CS traffic from SSL inspection so the UAG can validate the real CS certificate.
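As an added example, not part of the original post and not VMware's own tooling, the script below reproduces the situation locally with OpenSSL: it generates a self-signed Connection Server certificate, re-signs a certificate with the same subject under a constructed "firewall" CA (which is what an SSL-inspecting appliance presents to the UAG), and compares the two by SHA-1 fingerprint in the sha1= form the UAG thumbprint field takes. The hostname, file names and function names are assumptions for illustration; fetch_presented_cert is the only part that needs network access and is not called in the offline demo.

```shell
#!/bin/bash
# Added example (not from the original post): reproduce the thumbprint mismatch
# caused by an SSL-inspecting firewall and show how to detect it.
# Hostnames, file names and function names are assumptions for illustration.

# Print the SHA-1 fingerprint of a PEM certificate in the "sha1=AA:BB:..." form
# that the UAG thumbprint field accepts.
uag_thumbprint() {
  local fp
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2)
  printf 'sha1=%s\n' "$fp"
}

# Fetch the leaf certificate a client actually receives from host:port,
# i.e. what the UAG sees when the firewall sits in the path (needs network).
fetch_presented_cert() {
  local host="$1" port="${2:-443}"
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -outform PEM
}

# Compare the certificate the CS really holds (expected, e.g. exported from
# the CS) with the one presented on the wire. Returns 0 when the fingerprints
# match and 1 when they differ, which points at an intercepting device.
detect_inspection() {
  local expected="$1" presented="$2" exp_fp pres_fp
  exp_fp=$(uag_thumbprint "$expected")
  pres_fp=$(uag_thumbprint "$presented")
  echo "expected : $exp_fp"
  echo "presented: $pres_fp"
  if [ "$exp_fp" = "$pres_fp" ]; then
    echo "OK: the real Connection Server certificate is presented"
    return 0
  fi
  echo "MISMATCH: a different certificate is presented on the wire"
  echo "  presented subject: $(openssl x509 -in "$presented" -noout -subject)"
  echo "  presented issuer : $(openssl x509 -in "$presented" -noout -issuer)"
  return 1
}

# Build a constructed lab in DIR: a self-signed CS certificate, plus a copy with
# the same subject re-signed by a "firewall" CA, as an inspecting appliance does.
build_lab_certs() {
  local d="$1" cn="horizon-cs.company.com"   # constructed hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$d/cs.key" -out "$d/cs.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Firewall SSL Inspection CA" \
    -keyout "$d/fwca.key" -out "$d/fwca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/resigned.key" -out "$d/resigned.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/resigned.csr" \
    -CA "$d/fwca.pem" -CAkey "$d/fwca.key" -CAcreateserial \
    -out "$d/cs-resigned.pem" 2>/dev/null
}

# Offline demo: same certificate on both sides, then the re-signed copy.
demo() {
  local d
  d=$(mktemp -d)
  build_lab_certs "$d"
  echo "== without inspection =="
  detect_inspection "$d/cs.pem" "$d/cs.pem" || true
  echo "== through an SSL-inspecting firewall =="
  detect_inspection "$d/cs.pem" "$d/cs-resigned.pem" || true
  rm -rf "$d"
}

demo
```

Against a real deployment, export the certificate from the Connection Server, run `fetch_presented_cert horizon-cs.company.com > presented.pem` from the UAG side of the firewall, and pass both files to detect_inspection: an issuer naming the firewall instead of your CA is the tell, and the "presented" fingerprint is the value that made the UAG connect in the post above.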

 

The UAG now connects to the CS successfully.
