VMware has released a UAG (Unified Access Gateway) version with a fix for the Log4j vulnerability (CVE-2021-44228).
The fixed UAG version is 2111.1.
Log4j, Horizon Connection Server Workaround
We continue looking at how to mitigate the Log4j vulnerability; in this post we look at the Horizon Connection Servers in detail.
As indicated in the VMware KB, only the Connection Servers where the HTML Access portal is enabled are exposed, but all Horizon versions are affected.
I recommend applying the workaround even if the HTML Access portal is not enabled.
Keep in mind that -Dlog4j2.formatMsgNoLookups=true is a workaround, not a fix: the JVM option only stops message-lookup expansion, so the patched Horizon release should be installed as soon as VMware makes it available.
Again, as indicated in the KB cited above, we have two possibilities:
- Change the following registry key
1. Edit this registry value:
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
3. Exit the registry editor and restart the Connection Server service or reboot the machine
- Run the following script as administrator (it checks whether the option is already present in JVMOptions, appends it if not, and restarts the wsbroker service):
@echo off
setlocal
goto start
__________________________________________________
CVE-2021-44228 - Prevent log4j parameter expansion
Horizon Connection Server 7.x, 8.x
VMware, Inc. 2021
__________________________________________________
:start
set sigpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService
for /f "delims=" %%g in ('reg.exe query "%sigpath%" /v Filename') do set sigval=%%g
if "%sigval%"=="" goto notneeded
set killflag=-Dlog4j2.formatMsgNoLookups=true
set svcpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params
for /f "tokens=2*" %%v in ('reg.exe query "%svcpath%" /v JVMOptions') do set svcval=%%w
echo %svcval%|find " %killflag%" >nul
if not errorlevel 1 goto notneeded
reg add "%svcpath%" /v JVMOptions /d "%svcval% %killflag%" /f
net stop wsbroker /y && net start wsbroker
echo Completed.
goto :EOF
:notneeded
echo Not required.
goto :EOF
I will proceed with the script.
I create a fix-log4j.bat file in the C:\temp folder of my Connection Server and paste the script text into it.

I launch the command from a PowerShell session with administrator rights:

I reboot the server
I verify that the workaround is applied by relaunching the bat file.

Obviously, I have to do this on all the Horizon Connection Servers present in the Horizon infrastructure.
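To avoid logging on to every Connection Server, the same check can be done remotely. The following PowerShell is an added example, not VMware's script or part of the original post: it audits (and optionally applies) the JVMOptions workaround on a list of Connection Servers over WinRM. The server names are placeholders; it assumes PowerShell remoting is enabled on the targets and that you run it with administrative rights on them. It implements the same test as the batch file (no TomcatService Filename value means the service is not installed), but matches the flag as a whole token so a partial match cannot be mistaken for an applied fix.

```powershell
# Added example: audit/apply the Log4j JVMOptions workaround on several Connection Servers.
# $Servers holds placeholder names; replace them with your Connection Servers.
$Servers = @('cs01.example.local', 'cs02.example.local')

$Workaround = {
    param([bool]$Apply)

    $TomcatKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService'
    $ParamsKey = Join-Path $TomcatKey 'Params'
    $Flag      = '-Dlog4j2.formatMsgNoLookups=true'

    # Same test as the VMware batch file: no 'Filename' value means the Tomcat-based
    # service is not installed on this host, so there is nothing to change.
    $Tomcat = Get-ItemProperty -Path $TomcatKey -Name Filename -ErrorAction SilentlyContinue
    if (-not $Tomcat) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; State = 'NotApplicable'; JVMOptions = $null }
    }

    $Current = (Get-ItemProperty -Path $ParamsKey -Name JVMOptions).JVMOptions
    # Compare whole tokens: a substring match (e.g. '...=true2') must not count as applied.
    $Present = ($Current -split '\s+') -contains $Flag

    if ($Present) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; State = 'AlreadyApplied'; JVMOptions = $Current }
    }
    if (-not $Apply) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; State = 'Missing'; JVMOptions = $Current }
    }

    # Append the flag separated by a single space, exactly as the KB describes.
    Set-ItemProperty -Path $ParamsKey -Name JVMOptions -Value "$Current $Flag"
    # wsbroker is the Connection Server service; the JVM reads JVMOptions only at start-up.
    Restart-Service -Name wsbroker -Force
    $New = (Get-ItemProperty -Path $ParamsKey -Name JVMOptions).JVMOptions
    return [pscustomobject]@{ Server = $env:COMPUTERNAME; State = 'Applied'; JVMOptions = $New }
}

# Pass 1: audit only (no changes). Pass 2: re-run with $true to apply where the flag is missing.
Invoke-Command -ComputerName $Servers -ScriptBlock $Workaround -ArgumentList $false |
    Select-Object Server, State, JVMOptions | Format-Table -AutoSize
# Invoke-Command -ComputerName $Servers -ScriptBlock $Workaround -ArgumentList $true |
#     Select-Object Server, State, JVMOptions | Format-Table -AutoSize
```

Run the audit pass first and keep its output: a server reporting `Missing` after the apply pass means the registry write or the service restart did not go through and needs a manual look, while `NotApplicable` should only ever appear on hosts that are not really Connection Servers.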
VMware Horizon and Adobe Flash
I found myself needing to carry out some checks on a Horizon infrastructure whose administration console I could not access because of the now-famous Adobe Flash problems, so I found it convenient to use PowerCLI. I report some of the scripts I used. Running the scripts requires installing the necessary components, which I covered in a previous post of mine.
Script to show the user logins to VMware Horizon in the last month
# $hvserver, $hvuser, $hvPassword, $hvDomain and $eventDbPassword must be set beforehand
# (prefer Get-Credential / Read-Host -AsSecureString over plain-text passwords in the script)
$connectionServer = Connect-HVServer -Server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain
$Services1 = $connectionServer.ExtensionData   # API entry point; not needed for the event query below
# connect to the Horizon Events database configured on the Connection Server
$eventdb = Connect-HVEvent -DbPassword $eventDbPassword
# all successful audit events (logins included) of the last month
$events = Get-HVEvent -HvDbServer $eventdb -TimePeriod month -SeverityFilter AUDIT_SUCCESS
$events.events | Export-Csv C:\temp\VCSMonthLogin.csv -NoTypeInformation
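The export above contains every successful audit event of the month, so the "last login" per user still has to be worked out from it. The following PowerShell is an added example, not the original post's script: it asks for the credentials at run time instead of keeping a plain-text password in the script, pulls the same month of AUDIT_SUCCESS events and reduces them to one line per user with the most recent login. The server name is a placeholder; it assumes the event objects returned by Get-HVEvent expose EventTime, UserName, Message and Node (the columns the original export contains) and that broker logins carry the message "User ... has logged in".

```powershell
# Added example: last login per user from the Horizon Events database.
$Cred       = Get-Credential -Message 'Horizon administrator (DOMAIN\user)'
$DbPassword = Read-Host -Prompt 'Horizon Events DB password' -AsSecureString

$hv = Connect-HVServer -Server 'cs01.example.local' -Credential $Cred   # placeholder server name
$db = Connect-HVEvent -HvServer $hv -DbPassword $DbPassword
$events = (Get-HVEvent -HvDbServer $db -TimePeriod month -SeverityFilter AUDIT_SUCCESS).Events

# Assumption: a successful broker login is logged as "User DOMAIN\name has logged in".
$lastLogin = $events |
    Where-Object { $_.Message -like 'User * has logged in*' } |
    Group-Object -Property UserName |
    ForEach-Object {
        $latest = $_.Group | Sort-Object -Property EventTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            UserName  = $_.Name
            LastLogin = $latest.EventTime
            Node      = $latest.Node        # Connection Server that brokered the login
            Logins    = $_.Count            # number of logins in the period
        }
    } |
    Sort-Object -Property LastLogin -Descending

$lastLogin | Export-Csv -Path C:\temp\LastLoginPerUser.csv -NoTypeInformation
$lastLogin | Format-Table -AutoSize

Disconnect-HVServer -Server $hv -Confirm:$false
```

Users who do not appear in the report have not logged in through the broker during the month, which makes the CSV a quick input for a dormant-account review; widen -TimePeriod (for example to `year`) if the events database keeps enough history.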
Script to display Horizon sessions
Connect-HVServer -Server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain
# query the SessionLocalSummaryView entity through the Horizon query service
$query = New-Object "VMware.Hv.QueryDefinition"
$query.queryEntityType = 'SessionLocalSummaryView'
$qSrv = New-Object "VMware.Hv.QueryServiceService"
$qSrv.QueryService_Query($global:DefaultHVServers[0].ExtensionData, $query) |
Select-Object -ExpandProperty Results |
Select-Object -ExpandProperty NamesData |
Select-Object -Property UserName, DesktopType, DesktopName, MachineOrRDSServerDNS
Script to show users and their assigned machines
Connect-HVServer -Server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain
# Get-HVMachineSummary comes from the VMware.Hv.Helper module; $PoolName is the desktop pool to inspect
$AllVDIInfo = Get-HVMachineSummary -PoolName $PoolName
$AllVDIInfo | Format-Table -AutoSize
a special thanks :
VMware Horizon 2106
A few days ago VMware released a new Horizon version.
The new build 2106 (8.3) brings some very interesting features, ranging from protection of intellectual property to the Teams collaboration tool; here is a list of the ones I consider most interesting:
- GPO to block screenshots of VDI sessions from the Windows and Mac clients
- Possibility to use Microsoft Sysprep with instant clones (this slows down the deployment of an IC because it performs a series of reboots)
- Option to let published applications run indefinitely
- Possibility to use TrueSSO with SAML authentication for non-trusted domains
- Horizon Agent support for Windows Server 2022 (currently in preview)
- Teams optimization in the Horizon Client for Linux (the Windows client has had it for some versions already)
- Cloud Burst support to extend on-prem workloads to the cloud in case of high load
More details in this video
Horizon Web Client Customization
In the past I talked about how to customize the Horizon Web Client login page. Normally, when you open the Connection Server page you are asked whether to continue with the Web Client or download the Windows client; if required, this page can be skipped.
To do this you need to change the following value:
enable.download=true
setting it to false.
The parameter is in the file portal-links-html-access.properties in the Connection Server folder C:\ProgramData\VMware\VDM\portal; if you have a Connection Server cluster you have to make the change on all servers.
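Since the file has to be identical on every Connection Server of the cluster, the edit is easiest to do once from a script. The following PowerShell is an added example, not part of the original post: it sets enable.download=false in portal-links-html-access.properties on each server over WinRM, makes a timestamped backup before touching the file, adds the property if the file does not contain it, and leaves servers that already have the correct value untouched. Server names are placeholders and PowerShell remoting is assumed to be enabled.

```powershell
# Added example: set enable.download=false on every Connection Server of a cluster.
$Servers = @('cs01.example.local', 'cs02.example.local')   # placeholder names
$File    = 'C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties'

Invoke-Command -ComputerName $Servers -ArgumentList $File -ScriptBlock {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return "$env:COMPUTERNAME : file not found, is this a Connection Server?"
    }
    $content = Get-Content -Path $Path -Raw

    # Already disabled: nothing to do (and no needless backup).
    if ($content -match '(?m)^\s*enable\.download\s*=\s*false\s*$') {
        return "$env:COMPUTERNAME : enable.download already false"
    }

    # Keep a copy of the original before changing anything.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup

    if ($content -match '(?m)^\s*enable\.download\s*=') {
        # Property present with another value (normally true): rewrite that line only.
        $content = $content -replace '(?m)^\s*enable\.download\s*=.*$', 'enable.download=false'
    } else {
        # Property absent: append it as a new line.
        $content = $content.TrimEnd() + "`r`nenable.download=false`r`n"
    }
    Set-Content -Path $Path -Value $content -NoNewline -Encoding ASCII
    "$env:COMPUTERNAME : enable.download set to false (backup: $backup)"
}
```

Rerunning the script is safe: a server that already reports "already false" is skipped, so the same command can double as the verification step after the change.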
Knock knock … Horizon upgrade…

Have you upgraded to at least Horizon 7.13?
From March 22nd (tomorrow, as I write this) versions prior to 7.13 will no longer be supported.
WSL Ubuntu 20.04 – PowerCLI on Linux and how to use it for Horizon
I want to use my WSL Ubuntu 20.04 to run PowerCLI commands to manage an old Horizon version (Flash is broken).
- Start by installing all updates on Ubuntu 20.04
sudo apt-get update
sudo apt-get upgrade


- Configure the Microsoft package source to download and install PowerShell
sudo apt-get install curl
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add
sudo curl -o /etc/apt/sources.list.d/microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/prod.list
sudo apt-get update
- Install PowerShell and start it (there is no need to run pwsh as root: the module below installs fine for the current user)
sudo apt-get install powershell
pwsh
- Install the PowerCLI module
Install-Module -Name VMware.PowerCLI
- Relax the certificate check only if the Connection Server uses a self-signed certificate: this setting disables TLS certificate validation for every PowerCLI connection, so on a lab it is acceptable, in production you should rather trust the server certificate and leave the check in place
Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore
- Load the Horizon module
Import-Module -Name VMware.VimAutomation.HorizonView
- Download the additional VMware.Hv.Helper module (the one that provides cmdlets such as Get-HVMachineSummary) from the PowerCLI-Example-Scripts repository; the page "Run Example Horizon PowerCLI Scripts" on vmware.com explains the download
- Import the downloaded module with Import-Module, pointing it at the folder where you saved it

Create Horizon Desktop Pool using PowerCLI – Roderik de Block
PowerCLI-Example-Scripts/New-HVPool.md at master · vmware/PowerCLI-Example-Scripts · GitHub
Azure MFA, UAG, Horizon and TRUE SSO – Step 5
Import the XML into the Horizon Connection Servers and configure it
Now we import the XML content into all the Horizon Connection Servers, for all servers on

Select Edit and, in the Authentication tab,

set "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)" to ALLOWED, open Manage SAML Authenticators

and add a new authenticator
Type: Static

Name: Azure

and paste the content of the XML file into the SAML Metadata field
Enable True SSO for the Horizon authentication method
On a Connection Server, enable True SSO for the SAML authenticator with vdmUtil (note that the administrator password is passed on the command line, so clear it from the shell history afterwards):
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
vdmUtil --authAs administrator --authDomain pollaio --authPassword 121212121 --truesso --authenticator --edit --name azure --truessoMode ENABLED

And now the configuration is done.
Thank You
Fabio Storni fabio1975@gmail.com
Azure MFA, UAG, Horizon and TRUE SSO – Step 4
Create an enterprise application on Azure AD, configure it and export the federation metadata XML



Insert:
Identifier -> https://<public-FQDN-UAG>/portal
Reply URL -> https://<public-FQDN-UAG>/portal/samlsso
Sign on URL -> https://<public-FQDN-UAG>/portal/samlsso


Download the XML

Assign Users or Groups permission to Enterprise application

Import the XML on the UAG and configure it
Under Identity Bridging Settings, upload the Identity Provider Metadata: select the XML file downloaded from the Enterprise Application

Select the identity provider

Select More Options

and set the authentication method to SAML with the correct identity provider (with SAML + Passthrough the SAML assertion is not passed on to the Connection Server, so the user would be asked to authenticate again)

Azure MFA, UAG, Horizon and TRUE SSO – Step 3
Export the Horizon enrollment certificate from the Horizon installation and install it on the Enrollment Server
Connect to the Connection Server and export the Horizon View certificate (the one with friendly name vdm.ec)





Now we import the enrollment certificate on the Horizon Enrollment Server: it has to be imported into the computer certificate store and given the friendly name vdm.ec



Configure True SSO on the Horizon Connection Server
Register the Enrollment Server (vdmUtil is run on a Connection Server; the administrator password goes on the command line, so clear the shell history afterwards)
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn
vdmUtil --authAs administrator --authDomain pollaio --authPassword qwerty1234567890! --truesso --environment --add --enrollmentServer Enroll.pollaio.lan
Verify the information
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
vdmUtil --authAs administrator --authDomain pollaio --authPassword qwerty1234567890! --truesso --environment --list --enrollmentServer Enroll.pollaio.lan --domain pollaio.lan
Create the True SSO connector
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca-common-name --mode enabled
vdmUtil --authAs administrator --authDomain pollaio --authPassword qwerty1234567890! --truesso --create --connector --domain pollaio.lan --template TRUESSOHORIZON --primaryEnrollmentServer enroll.pollaio.lan --certificateServer pollaio-NPSSRV-CA --mode enabled


Verify the True SSO status from the Horizon Connection Server dashboard: if everything is green, True SSO is ready.
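The vdmUtil commands of this step and the authenticator enablement of Step 5 are normally typed one by one with the administrator password in clear text on each command line. The following PowerShell is an added example, not part of the original posts: it runs the four vdmUtil calls in order from a Connection Server, prompts for the password at run time instead of storing it in the script, and stops at the first command that returns a non-zero exit code, so a failed enrollment-server registration is not followed by a connector creation that cannot work. The vdmUtil path is the default Connection Server install location; the domain, server, template and CA names are the page's own example values and must be replaced. Note that vdmUtil still receives the password as an argument, so it is briefly visible in the process list on that server.

```powershell
# Added example: run the True SSO vdmUtil steps in sequence without a password in the script.
$VdmUtil          = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmUtil.exe'
$AdminUser        = 'administrator'
$AdminDomain      = 'pollaio'            # short domain name, as used with --authDomain
$DomainFqdn       = 'pollaio.lan'
$EnrollmentServer = 'enroll.pollaio.lan'
$Template         = 'TRUESSOHORIZON'     # certificate template on the CA
$CaCommonName     = 'pollaio-NPSSRV-CA'
$Authenticator    = 'azure'              # SAML authenticator name created in Step 5

if (-not (Test-Path -Path $VdmUtil)) { throw "vdmUtil not found at $VdmUtil; run this on a Connection Server" }

# Prompt for the password; it never appears in the script or in the PowerShell history.
$Secure = Read-Host -Prompt "Password for $AdminDomain\$AdminUser" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password   # vdmUtil only accepts --authPassword

$Auth  = @('--authAs', $AdminUser, '--authDomain', $AdminDomain, '--authPassword', $Plain)
$Steps = [ordered]@{
    'register enrollment server' = @('--truesso', '--environment', '--add', '--enrollmentServer', $EnrollmentServer)
    'list enrollment server'     = @('--truesso', '--environment', '--list', '--enrollmentServer', $EnrollmentServer,
                                     '--domain', $DomainFqdn)
    'create connector'           = @('--truesso', '--create', '--connector', '--domain', $DomainFqdn,
                                     '--template', $Template, '--primaryEnrollmentServer', $EnrollmentServer,
                                     '--certificateServer', $CaCommonName, '--mode', 'enabled')
    'enable on authenticator'    = @('--truesso', '--authenticator', '--edit', '--name', $Authenticator,
                                     '--truessoMode', 'ENABLED')
}

try {
    foreach ($step in $Steps.Keys) {
        Write-Host "== $step"
        $arguments = $Auth + $Steps[$step]          # PowerShell expands the array into separate arguments
        & $VdmUtil $arguments
        if ($LASTEXITCODE -ne 0) { throw "vdmUtil failed at step '$step' (exit code $LASTEXITCODE)" }
    }
    Write-Host 'True SSO configuration steps completed; check the dashboard status.'
}
finally {
    $Plain = $null   # drop the clear-text copy as soon as it is no longer needed
}
```

After it finishes, the dashboard check described above is still the authoritative verification: vdmUtil reports that the objects were created, while the dashboard shows whether the Connection Server can actually reach the Enrollment Server and the CA.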
