Log4j, Horizon Connection Server Workaround

We continue to look at how to mitigate the log4j vulnerability, in this post we look at horizon connection servers in detail.
As indicated by the VMware KB


only the connection servers where the HTML Access Portal is active are vulnerable. But all versions are subject to vulnerability.
I recommend applying the workaround even if the HTML Access Portal is not active.
Again as indicated in the previously cited KB we have two possibilities:

  • Change the following registry key

1. Edit this registry value:
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
3. Exit the registry editor and restart the Connection Server service or reboot the machine

  • Run the following script as administrator.
@echo off
setlocal
goto start
__________________________________________________

CVE-2021-44228 - Prevent log4j parameter expansion
Horizon Connection Server 7.x, 8.x
VMware, Inc. 2021
__________________________________________________

:start
set sigpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService
for /f "delims=" %%g in ('reg.exe query "%sigpath%" /v Filename') do set sigval=%%g
if "%sigval%"=="" goto notneeded
set killflag=-Dlog4j2.formatMsgNoLookups=true
set svcpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params
for /f "tokens=2*" %%v in ('reg.exe query "%svcpath%" /v JVMOptions') do set svcval=%%w
echo %svcval%|find " %killflag%" >nul
if not errorlevel 1 goto notneeded
reg add "%svcpath%" /v JVMOptions /d "%svcval% %killflag%" /f
net stop wsbroker /y && net start wsbroker
echo Completed.
goto :EOF

:notneeded
echo Not required.
goto :EOF

I will proceed with the script.
I create a fix-log4j.bat file in the c: \ temp folder of my connection server and copy the script text to it.


I launch the command from a PowerShell with administrator rights:

I reboot the server

I verify that the workaround is applied by relaunching the bat file.

Obviously, I have to do this on all the Horizon Connection Servers present
in the Horizon infrastructure

Log4j, Horizon Connection Server Workaround

VMware Horizon and Adobe Flash

I found myself in the need to carry out some checks on a horizon infrastructure that I could not access the administration console due to the now-famous problems of Adobe FLASH So I found it convenient to use the powercli, I report some scripts used. Running the scripts requires installing the necessary components which I have already discussed in a previous post of mine.

Script to show last user login to VMware Horizon in the last month

$connectionServer=Connect-HVServer -Server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$Services1=$connectionServer.ExtensionData

$eventdb=Connect-HVEvent -DbPassword $eventDbPassword

$events=Get-HVEvent -HvDbServer $eventdb -TimePeriod month -SeverityFilter AUDIT_SUCCESS

 $events.events | Export-Csv C:\temp\VCSMonthLogin.csv

Script to display Horizon Session

Connect-HvServer -server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$query = New-Object “Vmware.Hv.QueryDefinition”

$query.queryEntityType = ‘SessionLocalSummaryView’

$qSrv = New-Object “Vmware.Hv.QueryServiceService”

$qSRv.QueryService_Query($global:DefaultHVServers[0].ExtensionData,$query) |

Select -ExpandProperty Results |

Select -ExpandProperty NamesData |

Select-Object -Property UserName,DesktopType,DesktopName,MachineOrRDSServerDNS

Script to show user and assigned Computer

Connect-HvServer -server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$AllVDIInfo = get-hvmachinesummary -PoolName $PoolName

$AllVDIInfo | Format-Table -AutoSize

a special thanks :

Horizon View API – The SLOG – SimonLong/Blog

VMware Horizon and Adobe Flash

VMware Horizon 2106

VMware a few days ago released a new Horizon Version.
The new build 2106 (8.3) brings with it some very interesting features from some relating to the security of intellectual property to those related to the Teams collaboration tool, here is a list of those that I consider the most interesting:

  • Implementation of GPO for blocking the ability to take screenshots of VDI sessions from Windows and MAC Clients
  • Possibility in the instant clone to use the Microsoft Sysprep (this function slows down the deployment of an IC by performing a series of reboots)
  • Functionality for applications of run indefinitely
  • Possibility to use TrueSSO SAML authentication for non-Trust domains
  • Horizon Agent has support for Windows Server 2022 (Currently in Preview)
  • The Horizon Client for Linux has the optimization for Teams (as in some versions the functionality for the Windows client was present)
  • Cloud Burst support to extend your on-prem workload to the Cloud in case of a high load.

More details in this video

VMware Horizon 8 (2106) What’s New – YouTube

VMware Horizon 2106

Horizon Web Client Customization

In the past, I’ve talked about how to customize the Horizon Web Client login page. Normally when you log in you are asked whether to continue with the Web Client or download the Windows client, if required we can omit this page.

To do this you need to change the following value:

enable.download=true

setting it as false

this parameter is found in the file portal-links-html-access.properties in the connection server folder C:\ProgramData\VMware\VDM\portal, if you have a connection server cluster you have to do the switch on all servers

Horizon Web Client Customization

WLS Ubuntu 20.04 – Powercli On Linux and use it for Horizon

Well I want to use my WSL Ubuntu 20.04 to use powercli command to manage old Horizon Version (Flash ko)

  • Start to install all updates on my Ubuntu 20.04

sudo apt-get update

sudo apt-get upgrade

  • Configure source for downlad ed install powercli 

sudo apt-get install curl

 curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add

sudo curl -o /etc/apt/sources.list.d/microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/prod.list

sudo apt-get update

  • Install powershell 

sudo apt-get install powershell

sudo pwsh

Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore

  • Install PowerCli Module

Install-Module -Name VMware.PowerCLI

  • Install the horizon module

Import-Module -Name VMware.VimAutomation.HorizonView

  • Download additional module

For download

Run Example Horizon PowerCLI Scripts (vmware.com)

  • Import Horizon Module

Create Horizon Desktop Pool using PowerCLI – Roderik de Block

PowerCLI-Example-Scripts/New-HVPool.md at master · vmware/PowerCLI-Example-Scripts · GitHub

WLS Ubuntu 20.04 – Powercli On Linux and use it for Horizon

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Import XML on Horizon Connection Servers and configure it

Now we import the XML content in to all Horizon Connection Server, for all server on

Select Edit and after authentication

Select in delegation of authentication ….. the value ALLOWED open

and a new authenticator

Static

Name type Azure

And copy the content of XML file  on the SAML Metadata

Enable truesso for Horizon Authentication method

On a Connection server enable the TRUESSO for a Authentication Method

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –authenticator –edit –name authenticator-fqdn –truessoMode {ENABLED|ALWAYS}

vdmUtil –authAs administrator –authDomain pollaio –authPassword 121212121 –truesso –authenticator –edit –name azure  –truessoMode ENABLED

And now the configuration is done.

Thank You

Fabio Storni fabio1975@gmail.com

REFERENCE

Tutorial: Azure Active Directory single sign-on (SSO) integration with VMware Horizon – Unified Access Gateway | Microsoft Docs

Setting Up True SSO (vmware.com)

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Azure MFA, UAG, Horizon and TRUE SSO – Step 4

Configure a enterprise application on Azure AD, configure it and export XML

Insert:

 Identifier  -> https://<public-FQDN-UAG>/portal

Reply URL -> https://<public-FQDN-UAG>/portal/samlsso

Sign on URL -> https://<public-FQDN-UAG>/portal/samlsso

Download the  XML

Assign Users or Groups permission to Enterprise application

Import XML on UAG and configure it

Import Identity Provider Metadata, select the file XML downloaded from the Enterprise Application data

Select the identity provider

 Select More Option

And select SAML e the correct Identity provider (with SAML+PASSTROUGHT the identity token  will not passed to horizon Server and it will required a new autentication)

Azure MFA, UAG, Horizon and TRUE SSO – Step 4