Configuring VMware Horizon Connection Server – Windows Server

ADSI Edit

If you do not change the expiration period, Connection Server will stop accepting SAML assertions from the SAML authenticator, such as a Unified Access Gateway appliance or a third-party identity provider, after 24 hours, and the metadata exchange must be repeated.

1. Start the ADSI Edit utility on your Connection Server host.

2. In the console tree, right-click ADSI Edit and select Connect to.

Connection Settings

3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi,DC=vmware,DC=int.

4. In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the Connection Server host followed by port 389.

For example: localhost:389 or mycomputer.example.com:389

Connection Settings – Filled Out

5. Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.

6. In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values:

cs-samlencryptionkeyvaliditydays=number-of-days
cs-samlsigningkeyvaliditydays=number-of-days

In this example, number-of-days is the number of days that can elapse before a remote Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.

Multi-valued String Editor

Click the OK button on the Multi-valued String Editor window to return to the CN=Common Properties window.

Click on the OK button on the CN=Common Properties window to return to the ADSI Edit window.

Mark your calendar for the expiration date that results from the number of days entered above. Once that date has passed, users can no longer log in through the SAML authenticator. The SAML metadata will need to be regenerated and exchanged (typically with a Unified Access Gateway) for the trust relationship to be re-established.
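The same change made from PowerShell instead of ADSI Edit, as an added example that is not code from the VMware page or product. It sets both validity periods in pae-NameValuePair on CN=Common through the Connection Server's own LDAP directory while keeping every other name=value pair the attribute already holds (overwriting the whole attribute would discard other settings). It assumes you run it as a Horizon administrator on the Connection Server host and that the directory is reachable at localhost:389, as in step 4 above.

```powershell
# Added example (not from the VMware page): set the SAML key validity days in
# pae-NameValuePair on CN=Common, preserving all other values of the attribute.
# Assumptions: run as a Horizon administrator on the Connection Server host;
# the directory listens on localhost:389 (or pass -LdapHost host:389).
param(
    [Parameter(Mandatory)] [ValidateRange(1, [int]::MaxValue)] [int] $Days,
    [string] $LdapHost = 'localhost:389'
)

$dn   = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$attr = 'pae-NameValuePair'
$keys = @('cs-samlencryptionkeyvaliditydays', 'cs-samlsigningkeyvaliditydays')

$entry = [ADSI]"LDAP://$LdapHost/$dn"

# Current values as plain strings; an empty attribute yields an empty array.
$current = @($entry.Properties[$attr] | ForEach-Object { [string]$_ })

# Drop any earlier copy of the two keys and keep everything else untouched.
$kept = @($current | Where-Object { $keys -notcontains ($_ -split '=', 2)[0] })
$new  = $kept + @($keys | ForEach-Object { "$_=$Days" })

Write-Host 'Before:'; $current | ForEach-Object { Write-Host "  $_" }

# Assigning .Value replaces the multi-valued attribute in one LDAP modify.
$entry.Properties[$attr].Value = [string[]]$new
$entry.CommitChanges()
$entry.RefreshCache()

Write-Host 'After:'; $entry.Properties[$attr] | ForEach-Object { Write-Host "  $_" }
```

The Before/After listing doubles as a check that only the two cs-saml* entries changed; review it before repeating the metadata exchange with the gateway.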

locked.properties

If any of the following properties are added to the locked.properties file, save the file and restart the Connection Server service. For more information, see the Horizon Installation guide at https://docs.vmware.com/en/VMware-Horizon/2106/horizon-installation.pdf. The two properties most commonly used in a deployment are balancedHost and portalHost; both are described after the table below.

Property                    Purpose
balancedHost                Allow HTML Access Through a Load Balancer
portalHost                  Allow HTML Access Through a Gateway
serverPort                  Replace the Default HTTP Ports or NICs for Horizon Connection Server Instances
serverPortNonSsl            Replace the Default HTTP Ports or NICs for Horizon Connection Server Instances
serverProtocol              Property to off-load SSL for client connections
psgControlPort              Replace the Default Control Port for PCoIP Secure Gateway on Connection Server Instances
frontMappingHttpDisabled    Change the Port Number for HTTP Redirection to Connection Server
frontMappingHttpDisabled    Prevent HTTP Redirection for Client Connections to Connection Server

Common Properties in locked.properties file

Allow HTML Access Through a Load Balancer

Connection Server instances that are directly behind a load balancer or load-balanced gateway must know the address by which browsers will connect to the load balancer when users use HTML Access.

You must perform this procedure for each Connection Server that is behind the load balancer or load-balanced gateway.

1. Create or edit the locked.properties file in the gateway configuration folder on the Connection Server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2. Add the balancedHost property and set it to the address of the load balancer. For example, if users type https://view.example.com in a browser to reach any of the load-balanced Connection Servers, add balancedHost=view.example.com to the locked.properties file.

3. Save the locked.properties file.

4. Restart the Connection Server service to make your changes take effect.

Allow HTML Access Through a Gateway

Connection Server instances that are directly behind a gateway, such as Unified Access Gateway, must know the address by which browsers will connect to the gateway when users use HTML Access.

1. Create or edit the locked.properties file in the gateway configuration folder on the Connection Server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2. Add the portalHost property and set it to the address of the gateway.

For example, if https://view-gateway.example.com is the address that browsers use to access VMware Horizon through the gateway, add portalHost=view-gateway.example.com to the locked.properties file. If the Connection Server instance is behind multiple gateways, you can specify each gateway by adding a number to the portalHost property, for example:

portalHost.1=view-gateway-1.example.com
portalHost.2=view-gateway-2.example.com

You must also specify multiple portalHost properties if a single gateway machine is known by more than one name.

3. Save the locked.properties file.

4. Restart the Connection Server service to make your changes take effect.
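Both procedures above (balancedHost and the numbered portalHost entries) can be applied with one PowerShell function, shown here as an added example that is not code from the VMware page or product. It updates keys in locked.properties in place so that repeated runs do not leave duplicate lines, backs the file up first, and restarts the Connection Server service. It assumes the default install directory under Program Files and the Windows service name wsbroker for the Connection Server service; adjust either if your deployment differs.

```powershell
# Added example (not from the VMware page): idempotently write keys to
# locked.properties, keep all other lines and comments, restart the service.
# Assumptions: default install path under Program Files; service name 'wsbroker'.
function Set-LockedProperty {
    param(
        [Parameter(Mandatory)] [hashtable] $Properties,
        [string] $Path = (Join-Path $env:ProgramFiles 'VMware\VMware View\Server\sslgateway\conf\locked.properties'),
        [switch] $NoRestart
    )
    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $lines = @(Get-Content -LiteralPath $Path)
    }
    foreach ($key in $Properties.Keys) {
        # Match only this exact key: 'portalHost' must not touch 'portalHost.1'.
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*='
        $line    = "$key=$($Properties[$key])"
        $found   = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) { $lines[$i] = $line; $found = $true }
        }
        if (-not $found) { $lines += $line }
    }
    # ASCII avoids writing a UTF-8 BOM that could be read as part of the first key.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Ascii
    if (-not $NoRestart) { Restart-Service -Name wsbroker }
    return $lines
}

# Example values: a load balancer in front of this Connection Server plus two
# gateways that browsers use to reach it. Use only the keys your topology needs.
Set-LockedProperty -Properties @{
    balancedHost   = 'view.example.com'
    'portalHost.1' = 'view-gateway-1.example.com'
    'portalHost.2' = 'view-gateway-2.example.com'
}
```

Run it once per Connection Server behind the load balancer or gateway, as the procedures require; pass -NoRestart to stage the file and restart the service during a maintenance window instead.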