Saturday, 18 May 2024

VMWare Horizon Client on HP ThinPro Thin Client - Allow connection via an SSL Proxy

Introduction

I wanted to set the security for the Horizon Client, on my HP ThinPro Thin client device, so that it would never connect to untrusted servers.  

Certificates were correctly installed on both the thin client and the Horizon Connection server.  

The demand was that the Horizon client must refuse insecure connections.  

This is the safest configuration and in this particular setup I was able to get this working - however I did have to ensure that the Allow Connection Via an SSL Proxy setting was enabled as a preference on the Horizon connecting client.



Without this particular setting enabled, I would receive the following error whenever I tried to connect to the Horizon connection broker: The tunnel server presented a certificate that doesn't match the expected certificate.


The Problem

Having an acceptable workaround was great but deploying this workaround, in an automated fashion, was a challenge.  Typically with these sort of settings I could:

1) Manually enable the setting on the Thin Client itself.

2) Use the HPDM console to capture a profile of the HP ThinPro client.

3) Deploy the captured profile to all HP ThinPro clients using the HPDM console.

This did not work - the setting did not get captured as part of the HPDM profile capture operation.

The Solution

I could not find any VMWare documentation in relation to the HP ThinPro Horizon client, to assist me with this task.  I did however find a VMWare article about the Linux Horizon client.

Configuring the Certificate Checking Mode for End Users (vmware.com)

Now the HP ThinPro operating system is Linux based, and so I thought it might work - and it did.  All I had to do was create a HPDM deployment task to deploy the solution.  Here is how I did it.

1) On the HPDM server create a file, using notepad, called view-mandatory-config.  Ensure the file has no extension such as .txt

2) Populate this file with the following two entries and save the file.

view.allowAllowSslProxy="True"

view.allowSslProxy="True"

3) After saving the file, open the HP Device Manager console.

4) Click on Templates & Rules and then click on Add a Rule.

5) Provide a rule name - in this case I type in Deploy view-mandatory-config.  Click on Next.



6) On the Target page click on Next.

7) On the Constraints page click on Next.

8) On the When page specify when you would like your file deployed and click on Next.

9) On the Action page double click on _File and Registry.  The Template editor appears.

10) Click on Add and then click on Deploy Files and then on OK.



11) The Deploy Files window appears.  Click on Add from local and select your view-mandatory-config file.

12) Under the Path On Device column type in /etc/vmware/ and hit Enter and click on OK and OK again.



13) Back at the Action page click on Next.

14) On the Task Parameters window click on Next.

15) At the summary window click on Run Now if desired and then click on Finish.

16) The Package Description Editor window appears.  Click on Generate.


17) The new rule appears under Scheduled Rules.  Again you can right click on the rule, if desired, and select Run Now.


Conclusion

When this rule has run on the HP Thin Pro client,  the Allow connection via an SSL proxy option will be selected.  As long as you have the Never Connect to Untrusted option selected, you can then be sure that you have a secured connection to your Horizon Connection Broker.  I hope you have enjoyed this article.