Lab 5: Apply recommended configuration to the Connection Server

Objective and Tasks

In this lab, you will apply additional recommended configuration to the Connection Server. The tasks and steps outlined here would normally be repeated on each additional Connection Server.

  1. Log in to the Horizon admin console.
  2. Configure the gateway services.
  3. Add a new administrator role with the Manage Certificates privilege.
  4. Replace the self‑signed certificate with a signed TLS certificate.
  5. Reboot the Connection Server.
  6. Validate system health.

Task 1: Log in to the Horizon admin console

  1. Open the Horizon admin console for horizon-01a.
    • On your ControlCenter desktop, open the Google Chrome browser.
    • Click the bookmark on the bookmark bar for Horizon-01a.
    • This will connect you to the Horizon administrator console at https://horizon-01a.omnissatraining.com/admin
  2. Log in to the Horizon admin console.
    • Username: administrator
    • Password: Pa$$w0rd
    • Domain: OmnissaTraining

Task 2: Configure the gateway services

The edge gateway services are enabled by default on a new Connection Server installation. Follow the steps in the Horizon admin console to disable and configure these.

  1. Edit the settings for Connection Server horizon-01a
    • Navigate to Settings > Servers
    • Select the Connection Servers tab.
    • Select the entry for HORIZON-01A and click EDIT.
  2. Configure the HTTP(s) Tunnel service.
    • Deselect the tick box next to Use Secure Tunnel connection to machine.
  3. Configure the PCoIP Security Gateway service.
    • Deselect the tick box next to Use PCoIP Security Gateway for PCoIP connections to machine.
    • This should already be deselected in the version of Horizon 8 being used in the lab.

  4. Configure the Blast Secure Gateway service.
  5. Click OK to save the configuration.

Task 3: Add a new administrator role with Manage Certificates privilege

In this lab you will use the Certificate Management feature of the Horizon Admin console to install a signed certificate. Before you can do that, you need to add a new administrator role with the Manage Certificates privilege.

  1. Navigate to the Certificate Management feature of the Horizon Admin console.
    • Navigate to Settings > Certificate Management.

Notice that the buttons under Certificate Management are all grayed out. This is because default Horizon Administrators do not have the Manage Certificates role privilege.

You need to add a new Role in Global Administrators View and assign the Manage Certificates privilege. This only needs to be done once per pod.

  1. Start the Add a Role wizard.
    • Navigate to Settings > Administrators.
    • Select the Role Privileges tab.
    • Click ADD.
  2. Add a new Role and assign the Manage Certificates privilege.
    • Enter HorizonCertAdmins as the new role name.
    • Scroll down to page 2 of the privileges to find and select Manage Certificates.
    • Click OK.

You can now assign the new role you created to an administrator user or group.

  1. Start the Add Administrators or Permission wizard.
    • Select the Administrators and Group tab.
    • Click ADD.
  2. On the Select administrators or groups screen:
    • Click ADD.
    • On Find Users or Groups, click FIND.
    • Select the Administrators group and click OK.
    • Click NEXT.
  3. On the Select a role screen:
    • Select the newly created HorizonCertAdmins role at the bottom of the list.
    • Click FINISH.

With the new role created, you need to log out of the Connection Server admin console and log back in to pick up the role changes.

  1. Log out of Horizon admin and log back in for role changes to take effect.
    • Click on administrator in the top right corner and select Log Out.
  2. Log in to the Horizon admin console.
    • Username: administrator
    • Password: Pa$$w0rd
    • Domain: OmnissaTraining

Task 4: Add the signed TLS certificate to the Connection Server

Add the signed TLS certificate to the Connection Server to replace the default self-signed certificate.

You will use the Horizon admin console feature to import a signed certificate to be used as the "Machine Identity" certificate for this Connection Server.

  1. Navigate to the Certificate Management feature of the Horizon Admin console.
    • Navigate to Settings > Certificate Management.
    • With the new role assignment you added in the previous task you should have permissions to manage certificates and some of the buttons are now available.

Note that the current certificate with a Usage of Machine Identity has a Status of Invalid. This is because the current certificate is self-signed and not trusted.

  1. Start the Import Signed TLS Certificate wizard.
    • Select IMPORT.
  2. Select the format of certificate file you will import.
    • Select PFX as the Certificate Type.
  3. Browse to and select the Certificate File.
    • Click BROWSE.
    • Browse to folder path S:\SSL\omnissatraining.com\PFX
    • Select the omnissatraining_with_pwd.pfx file.
  4. Complete the Import Signed TLS Certificate wizard.
    • Enter Pa$$w0rd for the certificate password.
    • Ensure the Certificate Usage field is set to Machine Identity.
    • Click IMPORT.

You should see a confirmation that the certificate was imported successfully and you will see the new certificate for Machine Identity is now in the list. Also note that it is not currently In Use.

Task 5: Reboot the Connection Server

With the new TLS certificate in place, you need to reboot the Connection Server so that it picks up and uses the new certificate.

  1. Use the provided script to reboot the Connection Server horizon-01a.
    • Close Chrome
    • On the ControlCenter desktop use File Explorer to browse to S:\Scripts
    • Run and monitor the progress of S:\Scripts\RestartHorizon01a.bat

This script will reboot the Connection Server and provide feedback when it is available again.

  1. When the Connection Server is back up and running, check that the new TLS certificate is now being used.
    • On your ControlCenter desktop, open the Google Chrome browser.
    • Select Horizon-01a from the bookmark bar.
  2. Log in to the Horizon admin console.
    • Username: administrator
    • Password: Pa$$w0rd
    • Domain: OmnissaTraining
  3. Validate that the new Machine Identity certificate is in use.
    • Navigate to Settings > Certificate Management.
    • Verify that the new certificate is shown as In Use for Machine Identity.
    • Click on the certificate that is In Use for Machine Identity and confirm that it has a subject name that includes CN=*.omnissatraining.com

You should also see that Chrome now trusts the Connection Server certificate. You can optionally use Chrome to view the details of the presented certificate.
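
The trust and subject-name check from this task can also be scripted. The following is an added example, not part of the lab or of Horizon; it assumes Python 3 on the machine doing the check, and the function names and sample certificate dictionaries (issuer name, validity dates, the self-signed subject) are constructed for illustration.

```python
import socket, ssl, time

# Constructed samples in ssl.getpeercert() format; issuer and dates are made up.
SIGNED = {"subject": ((("commonName", "*.omnissatraining.com"),),),
          "issuer": ((("commonName", "Constructed Lab CA"),),),
          "subjectAltName": (("DNS", "*.omnissatraining.com"),),
          "notBefore": "Jan 01 00:00:00 2025 GMT", "notAfter": "Jan 01 00:00:00 2027 GMT"}
SELF_SIGNED = {"subject": ((("commonName", "horizon-01a.omnissatraining.com"),),),
               "issuer": ((("commonName", "horizon-01a.omnissatraining.com"),),),
               "notBefore": "Jan 01 00:00:00 2025 GMT", "notAfter": "Jan 01 00:00:00 2027 GMT"}

def wildcard_match(pattern, host):
    """'*' stands for exactly one left-most label, so *.example.com does not cover example.com."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def evaluate(cert, host, now=None):
    """Return findings for a getpeercert()-style dict; an empty list means no problem found."""
    now = time.time() if now is None else now
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed: subject equals issuer")
    # SAN DNS entries take precedence; fall back to the subject CN only if there are none.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(wildcard_match(n, host) for n in names):
        findings.append(f"name mismatch: {names} does not cover {host}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings

def check_server(host, port=443):
    """Live check: validate chain and host name against the local trust store, then evaluate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"not trusted: {exc.verify_message}"]

if __name__ == "__main__":
    host = "horizon-01a.omnissatraining.com"
    now = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")  # fixed time for the samples
    for label, cert in (("signed", SIGNED), ("self-signed", SELF_SIGNED)):
        print(label, evaluate(cert, host, now) or "OK")
    # In the lab, after the reboot: print(check_server(host))
```

An empty list from `check_server` corresponds to what Chrome shows after the reboot; a "not trusted" finding corresponds to the Invalid status seen for the default self-signed certificate.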

Task 6: Validate system health

Check everything is healthy on the new Connection Server.

  1. Use the Horizon admin console for horizon-01a.
  2. View the status of the Connection Server.
    • Navigate to Monitor > Infrastructure.
    • Click View next to the entry for HORIZON-01A.
    • Review the status of the server, services, and connected services.

This concludes this lab.
