It is easy to forget that a UAG (Unified Access Gateway) exists in a VMware Horizon infrastructure, and consequently to forget its root and admin passwords as well.
Remember that the UAG is the component of a Horizon infrastructure exposed to the outside, and therefore the one most subject to targeted attacks. It is good practice to keep it constantly updated.
So, if we have forgotten the root and admin passwords of our virtual appliance, VMware provides the documentation needed to reset these accounts, which you can find at these links:
Recently, at a customer's site, I ran into a case where even though the root user's password had been reset, root still could not log in; the error was as follows:
The cause of the problem is that the root user's login shell has been disabled. Evidence of this is in the /etc/passwd file of the virtual appliance, where the root user is configured as follows
(The following commands can be executed from the virtual appliance console, accessed in the same way as described for changing the root user's password, available at this link)
cat /etc/passwd
To fix the situation, simply run the following command:
At this point, we reboot with the command reboot -f and we will be able to log in.
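As an added check (example code, not from the original post), the following shell functions read a passwd-format file and report whether the root account's login shell has been disabled, which is the condition described above. They take the file path as an argument so they can be run against a copy; on the appliance they would be pointed at /etc/passwd. The passwd lines used in the usage comment are constructed.

```shell
# Added example, not from the original post: check whether the root
# account in a passwd-format file still has a usable login shell.
# Usage on the appliance: root_shell_status /etc/passwd
#   exit 0 = login shell present, 1 = shell disabled, 2 = no root entry

root_shell_status() {
    passwd_file="${1:-/etc/passwd}"
    if ! grep -q '^root:' "$passwd_file"; then
        echo "root: no entry found in $passwd_file"
        return 2
    fi
    # Field 7 of the root entry is the login shell.
    shell=$(awk -F: '$1 == "root" { print $7; exit }' "$passwd_file")
    case "$shell" in
        */nologin|*/false)
            # Exactly the situation described above: the password is fine,
            # but login has nothing interactive to start.
            echo "root: shell is '$shell' (login disabled)"
            return 1 ;;
        *)
            # An empty field means login falls back to /bin/sh.
            echo "root: shell is '${shell:-/bin/sh (default)}' (login enabled)"
            return 0 ;;
    esac
}

# Companion audit: every account on the appliance that can still get an
# interactive shell, to confirm nothing else was switched on by mistake.
# Constructed sample input: root:x:0:0:root:/root:/usr/sbin/nologin
list_login_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" ($7 == "" ? "/bin/sh" : $7) }' "${1:-/etc/passwd}"
}
```

The exit code lets the check be scripted: a return of 1 after a successful password reset points at the shell, not the credential, as the reason for the failed login.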
VMware Horizon infrastructures often include the Unified Access Gateway (UAG) component to provide a secure connection to VDI from outside the corporate network.
This positioning makes the UAG subject to frequent updates; today we will see how to update it.
Download the ISO file of the version we want to update to from the VMware customer site:
Check compatibility with your Horizon infrastructure:
Download the INI file containing the current UAG configuration:
Access the Unified Access Gateway interface at
HTTPS://<fqdnUAG>:9443
using the credentials of the admin user.
Once logged in, download the .ini file.
Retrieve the information needed to complete the configuration file:
Certificate for public access and its password
Certificate for the admin center and its password
SAML component XML, if integrating with Azure MFA
Information on where to deploy the virtual appliance of the new UAG (vCenter, cluster, virtual network, datastore)
This data will be used to fill in the fields of the downloaded INI file.
I summarize the required information in this table:
Sector | Field | Description
General | netInternet | Port group to which the network adapter that communicates with the internet is attached *
General | diskmode | Thin or Thick
General | Source | Absolute path where the ISO resides
General | Target | Path in the vSphere infrastructure where the virtual appliance will be deployed
General | Ds | Datastore where the VM will be created
General | netManagementNetwork | Port group to which the network adapter for UAG management is attached *
General | netBackendNetwork | Port group to which the network adapter toward the internal LAN (backend) is attached *
General | Name | Virtual machine name
General | uagName | Hostname of the UAG (normally kept the same as the UAG being replaced)
SSLCert | pfxCerts | Path to the SSL certificate issued by a public CA, in password-protected PFX format, used by Horizon Clients to access VDI
SSLCertAdmin | pfxCerts | Path to the SSL certificate issued by a CA (normally a private Microsoft CA) used to secure and validate access to the UAG management interface
IDPExternalMetadata1 | metadataXmlFile | XML metadata file of the Identity Provider (in this case Azure AD) used to enable Azure MFA for access
* VMware recommends at least two network adapters in two different segments for production environments:
One for internet traffic (I call it the EXT-DMZ)
One for traffic to the internal LAN (I call it the INT-DMZ)
Environments with one or three network adapters are also possible. In the first case, VMware recommends the single-adapter configuration only for test environments; in the second, management traffic is also separated onto its own adapter, whereas in the two-adapter configuration it passes through the adapter that communicates with the internal LAN.
At this point we can proceed with the deployment of the virtual appliance:
The first step is to shut down the old UAG virtual appliance (I assume you have at least two UAGs, with a load balancer in front or at least DNS round-robin, balancing the traffic to the Connection Server)
.\uagdeploy.ps1 -iniFile UAG_Settings_VIUAG04.ini
Allow CEIP
Enter the password for the PFX certificate file
Enter a new password (or reuse the old one) for the root account (access to the UAG OS) and the admin account (access to the UAG web admin console)
Wait for the UAG deployment to complete (you can follow the progress in the vCenter tasks)
Now the new UAG virtual appliance is up and running! Test it and repeat the same steps for all UAG virtual appliances of your VMware Horizon infrastructure.
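Before launching uagdeploy.ps1 it is worth checking the INI file against the table above, since a missing key or a wrong path only surfaces part-way through the deployment. The following shell functions are an added example, not part of the original post and not VMware's uagdeploy tooling: they read the section/key pairs listed in the table, report the ones that are missing, verify that the ISO, both PFX bundles and the IdP metadata file exist, and warn when the internet-facing and backend adapters share a port group. They assume the INI and the files it references are readable from the host running the check; the INI content in the usage comment is constructed, with placeholder paths and hostnames.

```shell
# Added example, not from the original post or from VMware's uagdeploy
# tooling: sanity-check a UAG deployment INI before deploying.
# Constructed usage: check_uag_ini UAG_Settings_VIUAG04.ini

# Print the value of key $3 in section $2 of INI file $1 (empty if absent).
# Key comparison is case-insensitive, so "Ds" and "ds" are the same key.
ini_get() {
    awk -F= -v section="[$2]" -v key="$3" '
        { sub(/\r$/, "") }
        /^\[/ { in_section = ($0 == section); next }
        in_section && tolower($1) == tolower(key) { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

check_uag_ini() {
    ini="$1"; errors=0
    if [ ! -f "$ini" ]; then echo "no such file: $ini"; return 1; fi
    # Every section:key from the table must be present and non-empty.
    for entry in General:name General:uagName General:source General:target \
                 General:ds General:diskMode General:netInternet \
                 General:netManagementNetwork General:netBackendNetwork \
                 SSLCert:pfxCerts SSLCertAdmin:pfxCerts \
                 IDPExternalMetadata1:metadataXmlFile; do
        section=${entry%%:*}; key=${entry#*:}
        if [ -z "$(ini_get "$ini" "$section" "$key")" ]; then
            echo "MISSING  [$section] $key"; errors=$((errors + 1))
        fi
    done
    # The ISO, both PFX bundles and the IdP metadata are local files the
    # deploy reads, so they must exist before it is launched.
    for entry in General:source SSLCert:pfxCerts SSLCertAdmin:pfxCerts \
                 IDPExternalMetadata1:metadataXmlFile; do
        section=${entry%%:*}; key=${entry#*:}
        path=$(ini_get "$ini" "$section" "$key")
        if [ -n "$path" ] && [ ! -f "$path" ]; then
            echo "NOFILE   [$section] $key -> $path"; errors=$((errors + 1))
        fi
    done
    mode=$(ini_get "$ini" General diskMode | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        thin|thick|"") ;;
        *) echo "BADVALUE [General] diskMode=$mode"; errors=$((errors + 1)) ;;
    esac
    # Internet-facing and backend traffic on one port group undoes the
    # two-segment design recommended above; flag it but do not block.
    ext=$(ini_get "$ini" General netInternet)
    int=$(ini_get "$ini" General netBackendNetwork)
    if [ -n "$ext" ] && [ "$ext" = "$int" ]; then
        echo "WARNING  netInternet and netBackendNetwork share port group '$ext'"
    fi
    echo "$errors problem(s) found in $ini"
    [ "$errors" -eq 0 ]
}
```

The function exits non-zero when anything is missing, so it can gate the deployment step in a wrapper script; the shared-port-group case is only a warning because a single-adapter test deployment is legitimate.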
On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believed the previous instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers, we must assume the earlier workaround may not adequately address all attack vectors.
We need to run a script:
#!/bin/bash
# Print messages to the console prefixed with a timestamp and the hostname
function log_to_console() {
    echo "$(date +'%Y-%m-%d %T')" "$HOSTNAME" "$@"
}
log_to_console "Running script to remove JndiLookup.class from jars in Unified Access Gateway"
log_to_console "UAG Version: " "$(tail -1 /opt/vmware/gateway/logs/version.info 2>/dev/null)"
mkdir -p /tmp/test
mkdir -p /tmp/bkp
log_to_console "Unpacking archive and removing JndiLookup.class"
# Keep a backup of the original jar before modifying it
cp /opt/vmware/gateway/lib/ab-frontend-0.2.jar /tmp/bkp
unzip -q -o /opt/vmware/gateway/lib/ab-frontend-0.2.jar -d /tmp/test
unzip -q -o /tmp/test/hc.war -d /tmp/test/hc
# Delete the vulnerable class from the log4j-core jar bundled inside the war
zip -dq /tmp/test/hc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
rm /tmp/test/hc.war
cd /tmp/test/hc || exit 1
zip -r -q ../hc.war .
cd ..
rm -rf hc
log_to_console "Repackaging archive"
zip -r -q ab-frontend-0.2.jar .
chown gateway:users ab-frontend-0.2.jar
mv ab-frontend-0.2.jar /opt/vmware/gateway/lib
log_to_console "Replaced updated ab-frontend-0.2.jar, now looking for jndi in other places"
# Any other jar/war on the filesystem that still contains JndiLookup.class gets the class removed too
find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \; | grep .jar | while read -r line ; do
    jar_path="$line"
    log_to_console "Updating $jar_path"
    zip -dq "$jar_path" org/apache/logging/log4j/core/lookup/JndiLookup.class
    chown gateway:users "$jar_path"
done
log_to_console "Restarting authbroker"
supervisorctl restart authbroker
log_to_console "Cleaning up."
cd /tmp
rm -rf /tmp/test
log_to_console "Verification: We are good if no jars are listed below"
find / -type f \( -name "*.jar" -o -name "*.war" \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \;
log_to_console "Verification: Grep authbroker-std-out.log for log4j errors, we are good if no exception is displayed below"
grep log4j /opt/vmware/gateway/logs/authbroker-std-out.log
log_to_console "Done!"
Well, we need to connect to the UAG and create a file named uag_rm_log4j_jndilookup.sh
vi uag_rm_log4j_jndilookup.sh
Copy the code into the file and make it executable
chmod +x uag_rm_log4j_jndilookup.sh
Run the script
./uag_rm_log4j_jndilookup.sh
Now, if the UAG version is between 2009 and 2111, it is also necessary to set the -Dlog4j2.formatMsgNoLookups=true option on the authbroker service with the following command. Note the space between "s/java /java" and the space after "true /" in the command: these are important to ensure the command works correctly and doesn't modify the wrong lines in the configuration file.
sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
In mid-December, we found a "little exploit"……
OK, it is not a joke. To mitigate it on the UAG (Unified Access Gateway, the security server exposed on the Internet for remote access to the Horizon infrastructure), it is necessary to apply the workaround for CVE-2021-44228 to Unified Access Gateway versions 2009 through 2111, as follows:
Connect to the UAG server with an SSH session
Check whether SSH on the UAG server is enabled to accept root connections.
Connect from the web console or VMware Remote Console to the UAG virtual appliance and modify the following line in /etc/ssh/sshd_config (use vi to edit it):
PermitRootLogin no
to
PermitRootLogin yes
Save the file
Restart SSHD service with this command:
service sshd restart
Now you are able to open an SSH connection to the UAG server. REMEMBER TO DISABLE SSH ACCESS FOR THE ROOT USER BY ROLLING BACK THE SETTING IN THE SSHD_CONFIG FILE.
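The edit-and-roll-back step above, as an added example (not from the original post): two shell functions that read and set PermitRootLogin in an sshd_config file idempotently, so the value can be flipped for the maintenance window and verified as restored afterwards rather than relying on a manual vi edit in each direction. The sshd_config lines in the usage comment are constructed.

```shell
# Added example, not from the original post: toggle PermitRootLogin in an
# sshd_config file and read the effective value back.
# Constructed usage:
#   set_permit_root_login /etc/ssh/sshd_config yes   # before the maintenance window
#   set_permit_root_login /etc/ssh/sshd_config no    # the rollback, then service sshd restart

get_permit_root_login() {
    # sshd honours the first matching directive it finds, so report that one.
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

set_permit_root_login() {
    cfg="$1"; want="$2"
    case "$want" in
        yes|no|prohibit-password|forced-commands-only) ;;
        *) echo "invalid PermitRootLogin value: $want" >&2; return 2 ;;
    esac
    tmp=$(mktemp)
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        # Rewrite every active directive (including any inside Match blocks);
        # commented-out lines are left alone.
        awk -v want="$want" '
            tolower($1) == "permitrootlogin" { print "PermitRootLogin " want; next }
            { print }' "$cfg" > "$tmp"
    else
        # No directive yet: put it at the top so it is not swallowed by a
        # trailing Match block, which would scope it to that block only.
        { echo "PermitRootLogin $want"; cat "$cfg"; } > "$tmp"
    fi
    # cat into the original preserves its ownership and mode
    cat "$tmp" > "$cfg" && rm -f "$tmp"
    [ "$(get_permit_root_login "$cfg")" = "$want" ]
}
```

Run sshd -t after the change and before service sshd restart, so a malformed file cannot leave the daemon unable to come back; and run get_permit_root_login once the work is finished to confirm the rollback actually landed.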
Append the fix -Dlog4j2.formatMsgNoLookups=true
Type this command:
sed -i 's/java /java -Dlog4j2.formatMsgNoLookups=true /' /opt/vmware/gateway/supervisor/conf/authbroker.ini
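Both passages that apply the -Dlog4j2.formatMsgNoLookups=true change with sed (the one following the JndiLookup removal script for versions 2009 through 2111, and the one just above) share the same caveat: the sed is not idempotent, so running it twice adds the flag twice, and it rewrites the first "java " on whatever line it appears, not only the authbroker command line. The following shell functions are an added example, not VMware's own code: they apply the same change only once and only to supervisor command= lines, and verify the result. The authbroker.ini content in the comments is constructed, not copied from a real appliance.

```shell
# Added example, not from the original post or VMware's KB: add the
# formatMsgNoLookups flag to the java command line in a supervisor program
# file exactly once, and check that it is there.
# Constructed usage: add_nolookups_flag /opt/vmware/gateway/supervisor/conf/authbroker.ini
# Constructed sample line: command=java -Xmx512m -jar /opt/vmware/gateway/lib/ab-frontend-0.2.jar

FLAG='-Dlog4j2.formatMsgNoLookups=true'

has_nolookups_flag() {
    # Succeeds only if every command= line that launches java carries the flag
    # (and there is at least one such line).
    awk -v flag="$FLAG" '
        /^[[:space:]]*command[[:space:]]*=/ && /java / {
            total++
            if (index($0, flag)) ok++
        }
        END { exit !(total > 0 && ok == total) }' "$1"
}

add_nolookups_flag() {
    cfg="$1"
    if has_nolookups_flag "$cfg"; then
        echo "flag already present in $cfg"
        return 0
    fi
    tmp=$(mktemp)
    # Same substitution as the post's sed ("java " -> "java FLAG "), but
    # restricted to command= lines that do not already carry the flag.
    awk -v flag="$FLAG" '
        /^[[:space:]]*command[[:space:]]*=/ && /java / && index($0, flag) == 0 {
            sub(/java /, "java " flag " ")
        }
        { print }' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    echo "flag added to $cfg"
    has_nolookups_flag "$cfg"
}
```

After the edit the service still has to be restarted (supervisorctl restart authbroker, as in the script above) for the new JVM option to take effect; has_nolookups_flag is also a quick way to audit the remaining appliances before and after the change.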
Assign users or groups permission to the Enterprise Application
Import the XML on the UAG and configure it
Import the Identity Provider metadata: select the XML file downloaded from the Enterprise Application
Select the identity provider
Select More Options
And select SAML and the correct Identity Provider (with SAML+PASSTHROUGH the identity token will not be passed to the Horizon Server and a new authentication will be required)
Export the Horizon Enrollment Certificate from the Horizon installation and install it on the Horizon Enrollment Server
Connect to the Horizon Server and export the Horizon View certificate (the certificate with the vdm.ec friendly name)
Now we import the enrollment certificate into the Horizon Enrollment Server: it must be imported into the Computer certificate store and given the friendly name vdm.ec
To proceed with the Azure MFA integration, some configuration is required on Azure Active Directory (I will not go into the details of that configuration), but to enable multi-factor authentication on the UAG it is necessary to open the Enterprise Application that was created and download the XML file with the metadata. Also verify that the Basic SAML Configuration contains the references to my public UAG infrastructure.
I download the XML metadata file to be used to configure the UAG
I import the XML file into the UAG infrastructure under the manual configuration, in Identity Bridging Settings
I import the XML file containing the metadata by clicking Select
Once the XML metadata file has been loaded on the UAG, I go to the Edge Service Settings and open the configuration
And I configure the Auth Methods and the Identity Provider (which appears automatically after loading the XML file)
At this point I can proceed to log in and test access with MFA.