VMware Access Point 2.8

Last Modified: Jan 1, 2017 @ 2:52 pm


💡 = Recently Updated


Access Point is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Access Point and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.


Disadvantages include:

  • It’s Linux, so you need some Linux skills.
  • Prior to 2.8 there is no management GUI; all configuration is done through the REST API on port 9443. Access Point 2.8 adds a web-based Admin Interface on the same port.

View Security Server is still developed and supported so you’re welcome to use that instead of Access Point.

More information at VMware Blog Post Technical Introduction to Access Point for Secure Remote Access.

VMware End-User Computing posted a YouTube video Access Point Overview and Demo showing deployment and configuration using curl.


Port requirements are detailed in the VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7. Open these ports from any device on the Internet to the Access Point Load Balancer VIP:  💡

  • TCP and UDP 443 (includes TCP Blast Extreme)
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Access Points to internal:

  • TCP 443 to internal Connection Servers
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme ) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Access Point appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

  1. Before importing the Access Point OVF you will need to configure a Network Protocol Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage > Network Protocol Profiles tab.
  2. Click the plus icon.
  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Access Point appliance and click Next.
  4. In the Configure IPv4 page, enter the subnet information and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.

Import OVF

Chris Halstead’s VMware Access Point Deployment Utility builds the OVF Tool deployment command for VMware Access Point. The entire Access Point configuration can be specified during OVF Tool deployment.

Mark Benson at VMware Community Using PowerShell to Deploy VMware Access Point has a PowerShell script that runs OVF Tool to deploy and configure Access Point.

To deploy the Access Point using VMware vSphere Web Client:

  1. In vSphere Web Client, right-click a cluster and click Deploy OVF Template.

  2. In the Select source page, browse to the downloaded euc-access-point-2.8.0.ova file, and click Next.

  3. In the Review Details page, click Next.
  4. In the Select configuration page, select a Deployment Configuration. For some reason VMware recommends multiple NICs. It’s more secure to have a single NIC in the DMZ and funnel all traffic through firewalls.
  5. Even if you select Single NIC, the OVF deployment wizard still asks you to map all three networks (Internet, ManagementNetwork, BackendNetwork). Map them all to the same DMZ port group.
  6. In the Customize template page, give the appliance an IP address, and enter DNS addresses.
  7. Scroll down and enter the remaining IP information.
  8. Expand Password Options and enter the root and admin passwords. Note the complexity requirements. If a password is not complex enough, the appliance won’t work; check /opt/vmware/gateway/logs/admin.log (see the Logs section) if the appliance never comes up.
  9. If you see Horizon Properties, expand it. In 2.8 and newer, these settings are configured in the admin interface.
  10. For the Horizon server URL, enter the internal load balanced URL for Horizon. For example: https://view.corp.local:443.
  11. In Access Point 2.5 and newer, you can specify the External URLs now. For older Access Point, you configure these using REST calls.
  12. For the Horizon server thumbprints, get the thumbprint from the internal View certificate. Open the internal View certificate and on the Details tab copy the Thumbprint.
  13. Go back to the OVF deployment wizard and paste the thumbprint.
  14. At the beginning of the thumbprint, after the equals sign, there might be a hidden (non-printing) character that Windows includes when you copy from the certificate dialog. Remove it, for example by pasting into a plain text editor and deleting whatever sits ahead of the first hex digit. If you don’t remove the hidden character, the thumbprint won’t match and nothing will work.
  15. The other property groups are for Identity Manager and AirWatch. You can skip them by clicking Next.
  16. In the Ready to complete page, finish importing the OVF and power on the appliance.
  17. If Access Point 2.0, see VMware 2144090 EUC Identity Manager, Identity Manager Connector and Access Point patch for CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow for a glibc patch.

You can also use the OVFTool to import the OVF. When pasting the thumbprint make sure you remove the hidden character at the beginning. This entire command is one line. There are no spaces between the dashes and the arguments.

"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --X:enableHiddenProperties --powerOffTarget --powerOn --overwrite --vmFolder=Horizon --net:Internet="VM Network" --net:ManagementNetwork="VM Network" --net:BackendNetwork="VM Network" -ds=SSD-esx01 --name="Access Point" --ipAllocationPolicy=fixedPolicy --deploymentOption=onenic --prop:ip0= --prop:adminPassword=P@ssw0rd --prop:rootPassword=P@ssw0rd --prop:settingsJSON="{\"edgeServiceSettingsList\": { \"edgeServiceSettingsList\": [ { \"identifier\": \"VIEW\", \"enabled\": true, \"proxyDestinationUrl\": \"https://vcs01.corp.local\", \"proxyDestinationUrlThumbprints\": \"sha1=32 4d bb ad de 13 b5 39 cc 78 21 a8 42 90 a3 f6 aa 5d 69 f1\", \"pcoipEnabled\": true, \"pcoipExternalUrl\": \"\", \"blastEnabled\": true, \"blastExternalUrl\": \"https://view.corp.com\", \"tunnelEnabled\": true, \"tunnelExternalUrl\": \"https://view.corp.com\", \"proxyPattern\":\"/^|/downloads(.*)\" } ] }}" "\\fs01\bin\VMware\Horizon 7\euc-access-point-" "vi://corp%5cadmin:P%40ssw0rd@vcenter01.corp.local/Datacenter/host/Cluster 1"

For the last argument with the vi:// URL, special characters in the user name and password must be percent-encoded: corp%5cadmin is corp\admin and P%40ssw0rd is P@ssw0rd.
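The thumbprint step above is the one that bites most often, so here is an added example (my own script, not from this page or from VMware) that normalizes whatever you paste from the Windows certificate dialog, computes the same thumbprint directly from a Base-64 (.cer) export, and renders the settingsJSON property in the escaped form the ovftool command above uses. The host names match that command; the sample PEM is a constructed placeholder whose body decodes to the bytes "abc", not a certificate; and which invisible character Windows inserts is an assumption, which is why the code discards every non-hex character rather than one specific code point.

```python
import base64
import hashlib
import json
import re

# Constructed placeholder, NOT a real certificate: the Base-64 body decodes to
# the bytes b"abc", so the result is something you can check by hand. A real
# export (certificate dialog > Details > Copy to File > Base-64 encoded X.509)
# carries the DER encoding of the Connection Server certificate instead.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_thumbprint(pasted: str) -> str:
    """Turn a thumbprint pasted from the Windows certificate dialog into the
    'sha1=xx xx ... xx' form the appliance expects.

    The dialog prepends an invisible character (which code point you get is
    an assumption here; U+200E LEFT-TO-RIGHT MARK is the usual suspect) and,
    depending on the Windows version, uses upper case or drops the spaces.
    Everything that is not a hex digit is discarded, so the hidden character
    cannot survive, and the result is validated to be exactly 20 bytes.
    """
    if "sha1=" in pasted.lower():           # accept our own output too
        pasted = pasted.lower().split("sha1=", 1)[1]
    digits = re.sub(r"[^0-9a-fA-F]", "", pasted).lower()
    if not HEX40.match(digits):
        raise ValueError(f"expected 40 hex digits, got {len(digits)}: {digits!r}")
    return "sha1=" + " ".join(digits[i:i + 2] for i in range(0, 40, 2))


def thumbprint_from_der(der: bytes) -> str:
    """The Details-tab thumbprint is just SHA-1 over the DER encoding."""
    return normalize_thumbprint(hashlib.sha1(der).hexdigest())


def thumbprint_from_pem(pem: str) -> str:
    """Same, starting from a Base-64 (PEM) export; no certificate parser needed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return thumbprint_from_der(base64.b64decode("".join(m.group(1).split())))


def view_settings(proxy_destination_url: str, thumbprint: str, external_url: str,
                  pcoip_external: str = "", proxy_pattern: str = "/|/downloads(.*)") -> dict:
    """Build the settingsJSON document for the VIEW edge service.

    Field names and nesting follow the ovftool command on this page. Blast and
    the tunnel share external_url on :443 (port sharing, see the REST section);
    pcoip_external is the 'ip:4172' string from the REST section, left empty
    here as in the page's own command.
    """
    view = {
        "identifier": "VIEW",
        "enabled": True,
        "proxyDestinationUrl": proxy_destination_url,
        "proxyDestinationUrlThumbprints": normalize_thumbprint(thumbprint),
        "pcoipEnabled": True,
        "pcoipExternalUrl": pcoip_external,
        "blastEnabled": True,
        "blastExternalUrl": external_url,
        "tunnelEnabled": True,
        "tunnelExternalUrl": external_url,
        "proxyPattern": proxy_pattern,
    }
    return {"edgeServiceSettingsList": {"edgeServiceSettingsList": [view]}}


def ovftool_prop(settings: dict) -> str:
    """Render --prop:settingsJSON=... with the inner quotes escaped as \\", the
    quoting style the Windows ovftool command on this page uses."""
    compact = json.dumps(settings, separators=(",", ":"))
    return '--prop:settingsJSON="' + compact.replace('"', '\\"') + '"'


if __name__ == "__main__":
    # A thumbprint as pasted from the dialog, with the hidden character in front.
    pasted = "\u200e32 4d bb ad de 13 b5 39 cc 78 21 a8 42 90 a3 f6 aa 5d 69 f1"
    settings = view_settings("https://vcs01.corp.local", pasted, "https://view.corp.com")
    print(ovftool_prop(settings))
```

Paste the printed argument into the ovftool command in place of the hand-typed --prop:settingsJSON value. Computing the thumbprint from an exported .cer rather than copying it from the dialog sidesteps the hidden character entirely, and the 40-digit check catches a truncated paste before the appliance silently fails to trust the Connection Server.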

Admin Interface

  1. In Access Point 2.8 and later, point your browser to https://My_AP_IP:9443/admin/index.html and log in as admin.
  2. If you have previously exported settings, you can import them now.
  3. Or, on the right under Configure Manually, click Select.
  4. Next to Edge Service Settings, click Show.
  5. Next to Horizon Settings, click the gear icon.
  6. Change Enable Horizon to Yes.
  7. As you fill in these fields, hover over the information icon to see the syntax.
  8. The Connection Server URL should point to internal load balanced DNS name for your internal Connection Servers.
  9. For the Proxy Destination URL Thumbprints, get the thumbprint from the internal View certificate. Open the internal View certificate, and on the Details tab, copy the Thumbprint. Remove the hidden character at the beginning, as described in the Import OVF section.
  10. The External URLs should point to the load balanced IP/DNS name for your Access Point appliances.
  11. Then click More.
  12. By default, Access Point will only forward /portal to the Connection Server. You can edit the Proxy Pattern and enter / to forward the root page. If you change the Proxy Pattern to /|/downloads(.*), then users can also download View Clients that are stored on your View Connection Servers.
  13. Click Save when done.
  14. If you want Access Point to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements.
  15. Scroll down to the Advanced Settings section, and next to SSL Server Certificate Settings, click the gear icon.
  16. Next to Private Key, click the Select link.
  17. Browse to a PEM keyfile. Certificates created on Windows have to be converted to PEM before they can be used with Access Point. You can use openssl commands to perform this conversion. The private key should be unencrypted.
  18. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it.
  19. Click Save when done.
  20. If you scroll down to Support Settings, click the icon next to Export Access Point Settings to save the settings to a JSON file. If you need to rebuild your Access Point, simply import the JSON file.
  21. If you point your browser to the Access Point external URL, you should see the View Connection Server portal page. Horizon View Clients should also work to the Access Point URL.

Certificate Prep

This section is only needed for Access Point versions prior to 2.8. For 2.8 and later, use the Admin Interface.

  1. Create a PEM certificate and unencrypted private key that matches the DNS name that will resolve to the Access Point appliance’s IP address (or load balancing VIP that directs traffic to multiple Access Point appliances).
  2. If your certificate is currently a .pfx file then you’ll first need to convert it to PEM. Install OpenSSL. Then run the following commands. The first command extracts the certificates and key from the .pfx; -nodes leaves the private key unencrypted. The second command rewrites the extracted key in the traditional RSA PRIVATE KEY (PKCS#1) format.
    openssl pkcs12 -in MyCert.pfx -out MyCert.pem -nodes
    openssl rsa -in MyCert.pem -out MyCert.key
  3. If you open your RSA private key file and/or certificate with Notepad++, notice they are multi-line. JSON requires them to be converted to single lines with \n between each line. Note: make sure it is an RSA PRIVATE KEY. If it doesn’t say RSA then it won’t work.
  4. Look at the bottom of Notepad++ to determine the EOL type. If Dos\Windows, highlight the entire key or certificate and do a Replace All in Extended mode. Replace \r\n with \\n.

  5. If UNIX, highlight the entire key or certificate and do a Replace All in Extended mode. Replace \n with \\n.

  6. Wherever there used to be a newline it should now be \n and the entire key or certificate should be on one line.

  7. Repeat for both the private key and certificates. If your server certificate was signed by an intermediate, convert the intermediate to a single line too.

REST Configuration – Certificate

This section is only needed for Access Point versions prior to 2.8. For 2.8 and later, use the Admin Interface.

  1. If you point your browser to https://MyApplianceIP:9443/rest/swagger.yaml it should bring up a list of supported REST commands.
  2. If you scroll down to CertificateChainAndKeyWrapper, notice that it wants the server certificate first, and then intermediate certificate after it.
  3. In Google Chrome, install the Postman application. Alternatively, you can use the Swagger UI built into the appliance. See Daniel Langenhan Configuring an Horizon Accesspoint (the easy way) at VMware Communities.
  4. To launch Postman, look in your taskbar for the Chrome App Launcher. Then run Postman.

  5. In Postman, change Authorization from No Auth to Basic Auth.
  6. In Postman, configure the Authorization section with the appliance’s REST API credentials. All Postman operations must include the Authorization header.
  7. In Postman, configure a PUT operation to https://MyApplianceIP:9443/rest/v1/config/certs/ssl.
  8. Set the Body to raw > JSON.
  9. JSON objects are enclosed in braces. When you enter the left brace, Postman should add the second brace automatically.
  10. The two parameters are privateKeyPem and certChainPem. Each parameter name is enclosed in quotes. Then put a colon after each parameter name.
  11. For privateKeyPem, copy and paste the single-line PEM private key prepared earlier. The entire single-line private key should be enclosed in quotes.
  12. Make sure there’s a comma at the end of each parameter, except the last parameter. The comma is after the quotes.
  13. For certChainPem, first copy/paste the server certificate. Make sure there’s a \n at the end of the server certificate.
  14. Then copy/paste the intermediate certificate immediately after the first (server) certificate. Both certificates should be on the same line and enclosed in the same quotes.
  15. Don’t put a comma after the last parameter.
  16. Click Send. You should get a 200 response and JSON containing the certificate. If you don’t get a 200 response, check /opt/vmware/gateway/logs/admin.log on the appliance. See the Logs section for more details.
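As an added example (my own code, not from this page or from VMware), the following Python does the Certificate Prep and the REST PUT together: it normalizes Windows line endings, refuses a key that is encrypted or not in RSA PRIVATE KEY form, puts the server certificate ahead of the intermediates, and lets json.dumps produce the \n-escaped single-line values, so the Notepad++ Replace All step is unnecessary. The key and certificate bodies are constructed junk, not real key material; the user name admin, port 9443 and the endpoint path are as described on this page.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed placeholders, NOT real keys or certificates: the Base-64 bodies are
# short junk ("ABC"/"DEF", "SERVER", "INTER") and carry Windows CRLF line endings,
# which is how a .pem written on Windows usually arrives. Nothing below parses
# the bodies; it only reshapes them.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nQUJD\r\nREVG\r\n-----END RSA PRIVATE KEY-----\r\n"
SAMPLE_SERVER_CERT = "-----BEGIN CERTIFICATE-----\r\nU0VSVkVS\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\r\nSU5URVI=\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\r\nQUJD\r\n-----END PRIVATE KEY-----\r\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(text: str):
    """Return (label, block) pairs with CRLF turned into LF, which is the
    conversion the Notepad++ EOL step on this page is doing by hand."""
    text = text.replace("\r\n", "\n")
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def key_problem(text: str):
    """None if the key is in the form the appliance accepts, else why not."""
    labels = [label for label, _ in pem_blocks(text)]
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        return "private key is encrypted; re-run 'openssl pkcs12 -nodes' so it is not"
    if "RSA PRIVATE KEY" not in labels:
        return (f"expected an 'RSA PRIVATE KEY' block, found {labels}; "
                "run 'openssl rsa -in MyCert.pem -out MyCert.key' to convert it")
    return None


def load_private_key(text: str) -> str:
    problem = key_problem(text)
    if problem:
        raise ValueError(problem)
    return next(block for label, block in pem_blocks(text) if label == "RSA PRIVATE KEY")


def cert_chain(server_pem: str, *intermediate_pems: str) -> str:
    """Server certificate first, intermediates after it, one newline after each,
    which is the order CertificateChainAndKeyWrapper in swagger.yaml asks for."""
    chain = []
    for text in (server_pem, *intermediate_pems):
        certs = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
        if not certs:
            raise ValueError("no CERTIFICATE block in input")
        chain.extend(certs)
    return "".join(block + "\n" for block in chain)


def ssl_cert_body(key_text: str, server_pem: str, *intermediate_pems: str) -> str:
    """JSON body for PUT /rest/v1/config/certs/ssl. json.dumps writes every
    newline as the two characters \\n, so the whole key or chain ends up on one
    line with no manual Replace All."""
    return json.dumps({
        "privateKeyPem": load_private_key(key_text) + "\n",
        "certChainPem": cert_chain(server_pem, *intermediate_pems),
    })


def put_ssl_cert(appliance: str, admin_password: str, body: str, cafile: str = None):
    """Send the body as user 'admin' with HTTP Basic auth on port 9443.

    Until this PUT succeeds, 9443 presents the appliance's self-signed
    certificate, so pass that certificate (exported from the browser) as
    cafile instead of turning verification off. Returns (status, response).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"admin:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{appliance}:9443/rest/v1/config/certs/ssl",
        data=body.encode(), method="PUT",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    print(ssl_cert_body(SAMPLE_KEY, SAMPLE_SERVER_CERT, SAMPLE_INTERMEDIATE))
```

Run it against MyCert.key and the server and intermediate .pem files to get a body you can paste into Postman, or hand the body to put_ssl_cert. A non-200 response still means admin.log on the appliance, exactly as the step above says; the checks here only catch the two mistakes the page calls out (an encrypted key, or a key that isn’t RSA PRIVATE KEY) before the request goes out.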

From VMware Communities EUC Access point appliance Received fatal alert: handshake_failure: Location of trusted keystore in EUC access point appliance is


Keystore password is changeit

Use keytool -import -trustcacerts -alias alias -file <location of root .cer file> -keystore cacerts -storepass changeit to import root certificate. Cert must be in X.509 format.

REST Configuration – External URLs

This section is only needed for Access Point versions prior to 2.8. For 2.8 and later, use the Admin Interface.

You can use Sean P Massey’s PowerShell script (Horizon EUC Access Point Configuration Script) to perform the same REST configuration. Also see Jeramy Thompson’s VMware Access Point GUI 2.0.

  1. To see the current View Edge Service configuration, do a GET to https://MyApplianceIP:9443/rest/v1/config/edgeservice. If Access Point 2.0, the External URLs won’t be configured.  Alternatively, you can use the Swagger UI built into the appliance. See Daniel Langenhan Configuring an Horizon Accesspoint (the easy way) at VMware Communities.

  2. To configure the External URLs, configure another PUT to https://MyApplianceIP:9443/rest/v1/config/edgeservice/view.
  3. See pubs.vmware.com for sample JSON.
  4. You must specify the Thumbprint again. This is the same one specified during the import of OVF. If you don’t specify it, then it is erased when you click Send.
  5. Setting blastExternalUrl to a :443 URL causes Blast Extreme to port share with the tunnel. Or you can set it to :8443. Port sharing works on Access Points, but not on View Security Servers.
  6. Set proxyPattern to "/|/downloads(.*)". proxyPattern defines the URLs that are forwarded to View Connection Server. Anything not in this list will be ignored. The appliance already has default patterns for /portal, /broker and /xmlapi so there’s no need to include them here. /downloads is included so users can download the Horizon Client from the Horizon Connection Server.
  7. Click Send. You should get a 200 response.

  8. In your Horizon Connection Servers, there is no need to enable any of the Gateways.

  9. If Horizon 7, HTML Access won’t work through Access Point unless you disable the Origin Check (checkOrigin=false in the Connection Server’s locked.properties) or, preferably, list the Access Point external names in locked.properties (portalHost.n entries) so the check stays in force for everyone else. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

REST Configuration – Ciphers

This section is only needed for Access Point versions prior to 2.8. For 2.8 and later, use the Admin Interface.

A default configuration of Access Point 2.0.1 will get a B at http://www.ssllabs.com due to acceptance of an RC4 cipher.

You can improve the ciphers by doing the following:

  1. If you do a GET to https://AccessPointIP:9443/rest/v1/config/system, you’ll see the default list of cipher suites, including the RC4 cipher.
  2. Change the operation to a PUT and copy the JSON returned from the previous GET. Change the ciphers to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or similar as detailed by Dennis Sigmond at Secure your VMware Horizon Access Point with an A score on SSL Labs.
  3. When you run ssllabs again you should get an A.
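As an added example (mine, not from this page or the linked article): given the JSON that the GET on /rest/v1/config/system returns, this Python lists the suites that cost the B and builds the PUT body with the page’s cipher list, plus SSLv3 and TLS 1.0 switched off. The GET response embedded here is constructed, and the field names (cipherSuites as a comma-separated string, the ssl30Enabled/tls10Enabled flags that appear in the reader comments below) are assumptions to confirm against your own GET before you PUT anything back.

```python
import json

# Constructed stand-in for the JSON a GET to /rest/v1/config/system returns.
# The real document has more fields; the names used here are assumptions.
RESPONSE_FROM_GET = {
    "locale": "en_US",
    "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5",
    "ssl30Enabled": False,
    "tls10Enabled": True,
    "tls11Enabled": True,
    "tls12Enabled": True,
}

# The list from this page (Dennis Sigmond's A-score configuration), in preference order.
TARGET_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

# Substrings that mark a suite SSL Labs will penalize; "DES" also catches 3DES.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5", "anon")


def weak_suites(settings: dict) -> list:
    """The suites in the GET response that a scanner will penalize."""
    current = [s.strip() for s in settings.get("cipherSuites", "").split(",") if s.strip()]
    return [s for s in current if any(marker in s for marker in WEAK_MARKERS)]


def harden(settings: dict) -> dict:
    """Copy of the GET document, ready to PUT back: only the target suites, with
    SSLv3 and TLS 1.0 off. TLS 1.1 is left as it was; a reader below reports that
    turning it off too is what gets an A+, at the cost of older Horizon clients."""
    hardened = dict(settings)           # never mutate the document we compare against
    hardened["cipherSuites"] = ",".join(TARGET_SUITES)
    hardened["ssl30Enabled"] = False
    hardened["tls10Enabled"] = False
    return hardened


def put_body(settings: dict) -> str:
    """Pretty-printed JSON to paste into the Postman PUT."""
    return json.dumps(harden(settings), indent=2)


if __name__ == "__main__":
    print("removing:", ", ".join(weak_suites(RESPONSE_FROM_GET)))
    print(put_body(RESPONSE_FROM_GET))
```

Replace RESPONSE_FROM_GET with the real GET output, check that the "removing" line names the RC4 suites you expect, then PUT the printed body. Keeping the GET document and editing a copy means any field you didn’t intend to change goes back exactly as it came.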


Logs

In 2.8 and later, you can download logs from the Admin Interface.

If you are having trouble with the appliance, review the logs in /opt/vmware/gateway/logs. You can view them with less from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

Also check if vmware_ap_supervisord service is started as detailed by Jeremy Banker at Access Point Hard Reset Recovery.

Load Balancing

See http://www.carlstalhood.com/horizon-view-load-balancing-netscaler-11-1/ to load balance Access Points.


84 thoughts on “VMware Access Point 2.8”

  1. Hi Guys,

    Seeing a very strange issue with the latest version of Access Point and wondering if anyone can shed any light and help.

    I have Blast working without an issue.

    The issue comes when connecting over PCoIP. For some reason this gets a black screen on connection. From the switch we see a deny to the internal IP address of the device connecting through the Access Point.

    Firstly how does it get this address and secondly any idea how to fix this?

    1. We have to allow 50002 outbound from the VDIs; however, when you look at the denies on the switch, as said above, it is the internal IP of the device connecting in. Must it build some sort of VPN?

  2. Hi Carl,

    I have an Access Point 2.7.2 integrated in a vIDM 2.7.1 portal. This AP acts as “proxy” for RDSH apps (that are served by an internal Connection Server configured). Internally it’s all OK. Externally, the user passes through AP.

    If I delete the authmethod in the Edge service configuration, passthrough wins and the user sees the RDSH app.

    If I configure an authentication method (I would like RSA + SAML), it asks RSA and after a while says “Failed to connect to Connection Server”.

    I think the problem is in “trust” between AP and vIDM. I have tried to configure SAML Metadata, etc., but I’m not sure which are the correct steps. Can you help me?

    Thank you.

  3. Hi Carl,

    I have configured an Identity Manager 2.7.1 with two Access Points 2.7, one for an RDSH farm (AP1, through a Horizon View 7.0.1 Connection Server) and the other for a Horizon View 6.2.1 farm (a.k.a. reverse proxy, connected externally through Security Gateways). From external, users talk with RSA servers to log in and see the vIDM portal.

    I have applied the public SSL certificate and now I can view my vIDM portal from Internet. Internally all works fine. From Internet when I click on an icon on my portal (RDSH app or VDI desktop) I receive an error like “there is an error launching the resource. Contact your administrator”.

    Have you ideas?

    Thank you


  4. Hi Carl, I really appreciate the comprehensive information for setting up APs. I have set up AP 2.7.2 in our test environment and would like to configure Azure MFA. Can you please share some details for setting up Azure MFA.

  5. Hey Carl, I have a requirement where I have 6 internal Connection Servers running behind the VIP of a NetScaler. I have a problem: as per my configuration our users are hitting abc.test.com for internal Horizon access, and I want to set the same URL for accessing Horizon View from outside through Access Point. Do I need to configure anything more for that?


  6. I have been tweaking the security of my access point appliances and have discovered that by eliminating the 128 bit cipher, I am able to now get a score of 100 on the cipher strength portion of the SSL Labs test. My config is below if anyone wants to use it. It makes little to no difference on the compatibility. I’m still only getting a 90 on the key exchange score which is preventing me from getting an A+, so I’m going to keep working on that. Please let me know if anyone has been able to get a higher score there. FYI I am running the new 2.5 version of the appliance that was released with Horizon 7

    "locale": "en_US",
    "adminPassword": "*****",
    "ssl30Enabled": false,
    "tls10Enabled": false,
    "tls11Enabled": true,
    "tls12Enabled": true

    1. One small tweak and I was able to get an A+. I just disabled TLS 1.1 which is fine if your users connect from the latest Horizon client and web browsers. The config is below:

      "locale": "en_US",
      "adminPassword": "*****",
      "ssl30Enabled": false,
      "tls10Enabled": false,
      "tls11Enabled": false,
      "tls12Enabled": true

  7. Hi Carl, why does my Postman refuse to show privateKeyPem and certChainPem in a single line? I’ve already formatted via Notepad++; it’s “Dos/Windows” format and after replacing “\r\n” with “\\n”, it’s showing one line in Notepad, though.

  8. Carl, I wanted to send you a big THANK YOU for this blog post. Following everything here I was able to get my access point up and configured properly with a third party cert. I’m also getting an A on the SSL checker. Hats off to you on this extremely helpful post and all the work you put into it!

  9. I have NetScalers, 2 Access Points in the DMZ and 4 Connection Servers Internal [2 for internal users / 2 for use w/ access points].
    Do I need to setup a VIP for the 2 Connection Servers that are being used with the Access Points? If yes is it just 443 that needs the VIP?
    I have read the “Horizon View Load Balancing – NetScaler 11”; it’s a mash-up of Access Point, Connection Server internal / paired, and Security Server configurations. When it says Internal Connection Servers I’m not sure if you mean for internal users or to use with Access Points.

    1. Yes to load balancing Internal Connection Servers for Access Points. Access Points point to the load balancing VIP.

      Access Points talk to internal Connection Servers in the same manner as internal clients. You can use the same Connection Servers for both internal users and Access Points. No more pairing needed.

      1. Awesome thank you for the quick reply and all the help both here and on the Citrix forums!

        I’m using the second set of Connection Servers so we can use tags to filter.

  10. Hey Carl,

    So one more question for you. I have this all up and running now thanks, My issue is with the HTML access (Blast)

    I have the following setup:

    "identifier": "VIEW",
    "enabled": true,
    "proxyDestinationUrl": "https://FQDN of server:443",
    "proxyDestinationUrlThumbprints": "sha1=XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX",
    "pcoipEnabled": true,
    "pcoipExternalUrl": "External IPAddress:4172",
    "blastEnabled": true,
    "blastExternalUrl": "https://vdi.DomainName.com:8443",
    "tunnelEnabled": true,
    "tunnelExternalUrl": "https://vdi.DomainName:443",
    "proxyPattern": "/",
    "matchWindowsUserName": false,
    "gatewayLocation": "External",
    "windowsSSOEnabled": false

    Internally when you go directly to the server FQDN and launch HTML Access everything works great. However, when accessing HTML Access from the Access Point an error comes up saying “Failed to connect to the Connection Server.” Now I have seen this before and it’s related to the settings in the View Connection Server URLs (now currently unticked). If I change them to point to vdi.DomainName.com and then restart the Connection Server, and untick them again, the Access Point works but this in turn breaks internal access. Mainly because, to avoid split-brain DNS, the internal domain is different from the external domain. I can of course add the external domain internally to the DNS server and make this work but I was trying to avoid this and thought the Access Point would allow me to get away with this. Any thoughts?


    1. Sorry for repeating some of the above but thought I would update with more information and see if anyone (looking at you carl :P) has any ideas or suggestions.

      I seem to have a lot of issues with the access point, so for now think I am going to go back to security server, then continue to play with this to understand it more as there seems to be a few things that are a bit strange. Unless you have any thoughts on how to fix them.

      My network setup is as following:


      the domains are as follows

      External Domain.com
      Internal ad.domain.com

      I was trying to use the EUC to avoid having multiple connection servers for different authentication requirements.

      From external we need dual authentication and internal we just need AD authentication.

      We have a older setup working with secserver–connectionserver1 and connectionserver2

      I could use that model and will work but it seems the access point is meant to work in the way we need and would make more sense.

      The current configuration of the access point is as follows:

      "identifier": "VIEW",
      "enabled": true,
      "proxyDestinationUrl": "https://connectionserver.ad.domain.com:443",
      "proxyDestinationUrlThumbprints": "sha1=XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX",
      "pcoipEnabled": true,
      "pcoipExternalUrl": "XX.XX.XX.XX:4172",
      "blastEnabled": true,
      "blastExternalUrl": "https://vdi.DomainName.com:8443",
      "tunnelEnabled": true,
      "tunnelExternalUrl": "https://vdi.DomainName:443",
      "proxyPattern": "/",
      "matchWindowsUserName": false,
      "gatewayLocation": "External",
      "windowsSSOEnabled": false

      The view connection server before unticking the settings where configured:

      HTTPS Tunnel: https://connectionserver.ad.domain.com:443 — this is now unticked

      BLAST Gateway: https://connectionserver.ad.domain.com:443 — this is now unticked

      I have installed the wildcard certificate as well. uploaded as per the guide above.


      Connecting to the Access point over HTTPS works and the correct certificate is displayed but when clicking on HTML access you recive an error “Failed to connect to the Connection Server.”

      To fix this I need to go onto the connection server and change the

      HTTPS Tunnel: https://vdi.domain.com:443

      BLAST Gateway: https://vdi.domain.com:443

      restart the services, then untick them and restart the services again.

      This then allows HTTPS access to work. So OK, I can live with that and I can even add a DNS entry for vdi.domain.com internally so clients will work.

      It does mean you can’t log in to the admin portal using the server name, only localhost and the vdi address.

      Question 1: is this by design or a bug?


      I have a strange issue with certificate

      On my phone using the horizon client the certificate is fine.

      From a PC or a thin client I get an invalid certificate. HTTPS from anywhere, the certificate is fine. Is this because the vdm certificate on the Connection Server is not vdi.domain.com?

      Sorry for the long question.


      1. We needed the same thing “From external we need dual authentication and internal we just need AD authentication.”

        I did this by doing the following –
        4 Internal Connection servers
        ALL 4 are in the same group, they all replicate changes.
        The nice thing is 2 factor is PER Connection Server, not per group.

        view.domain.com resolves internally to the VIP on the netscaler to these two connection servers –
        CC 1
        CC 2
        These two do NOT have two factor enabled

        These two resolve to “viewext.domain.com” internally, also a VIP on the NetScaler (that no one uses internally)
        CC 3
        CC 4

        The external dns view.domain.com then points to the VIP of the netscaler that points to the 2 access points, that then point to the VIP of the netscaler that points to the two CC servers (CC 3 and CC 4) that have two factor enabled.
        We use Azure MFA on-prem, works awesome btw…
        (Traffic flows – ASA FW – “Netscaler VIP for VM AP1/2” – NS-VIP for CC3/4 )

        I used an internal CA (domain.pri) and made a SAN cert for server1.domain.pri server2.domain.pri view.domain.com etc… I installed this on all 4 servers internally.
        I then used the Netscaler’s to VIP’s (view.domain.com) to use a Public wildcard cert to get SSL working.
        After I configured the VM APs for the correct thumbprints, IPs etc. all works excellent!

        Carl can probably make sense of this, if I need to explain further I’ll try.


        1. Thanks Aaron,

          We are just using 1 connection server and 1 access point with no load balances for now.

          I have it working now:

          everyone internally and externally use vdi.domainname.com, internally it goes directly to the connection server and externally to the access point.

          Everything seems to be working pretty well in this setup. Now all I need to work out is how to setup DUO as a secondary authentication through the access point.

  11. Hi Carl,

    Have you had any experience with multi Nic setup?

    I have been trying this for a while now with some major issues. I am actually going to test this in a 2 Nic setup and see if the issues persist. However in the current setup (3 Nics) there are no end of issues.

    To start, I can’t actually access either the main page or the API. After investigation and looking at the routes, the device after deployment only configures one gateway for one of the networks at random. This obviously means that when trying to route from different subnets to different parts of the EUC it does not work. If I add more routes it breaks another part; it’s a never-ending cycle.

    Even so, when I do get routing working on the API side, for example, I still can’t actually load anything from the device testing out the following URL: https://DeviceIP:9443/rest/swagger.yaml

    I tried adding the routes in manually and as I add a default route for a interface, one of the other interfaces stops working. I have tried to set the routes with different metrics, But that did not make a difference.

    Ill update after trying the two network setup. If you have any thoughts on this please let me know. It seems the device just does not work as advised from VMWare.


    1. I’ve only done Single NIC. I can’t think of any benefit to multiple NICs. But I can think of security implications of multiple NICs.

      1. We need at least two I think, as we need it to sit with one leg in the DMZ and one on the internal network rather than opening the DMZ up to the internal network.

        However I am not sure this design is actually going to work as the device does not seem to be able to handle it.

        I will put it on a single NIC and configure the firewalls either side.

        Thanks for the thoughts

        1. The problem with dual-homing is that you essentially bypass the DMZ-to-internal firewall. That seems less secure than making your DMZ-to-internal firewall inspect all traffic coming from the Access Point.

          1. When I thought about it like that with my network engineer that’s what we thought.

          2. So now I have this on a single NIC I still can’t get access to anything, the pass-through or the REST API. Any ideas on troubleshooting? I can ping the device.

          3. That usually means the password isn’t secure enough or there’s a problem with what you typed in during the OVF deployment. View the file /opt/vmware/gateway/logs/admin.log.

          4. Thanks Carl,

            I did not know where that log was and you were correct.


  12. Hi Carl,

    I’ve followed your instructions and everything works fine, except HTML Access. I disabled ‘origin check’.
    When I try to access https://hv.myportal.com/portal/webclient/index.html#/ via Access Point, I get the user and password input box and then the error “Failed to connect to Connection Server”.

    Direct connection via Connection Server works fine.

    Any guess what might be wrong?

    1. It’s working for me. Do you have the Blast Gateway enabled on the Connection Server? If so, try disabling it.

      1. Nope.

        It’s unchecked.

        In the AP's esmanager.log there is this NullPointerException:

        04/28 11:32:59,042[nioEventLoopGroup-31-2]ERROR proxy.HttpsProxyRequestHandler: Error during request interceptor invocation
        at com.vmware.euc.gateway.edgeservice.sdk.session.Session.hasCookie(Session.java:163)

  13. All I have to say is THANK YOU. This article was a huge help in getting this useful, but obtusely configured appliance up and working. I’m not sure I would have succeeded without it.

  14. Hi Carl, Thank you for your post, it's very helpful. Is there a chance you can provide some guidance on securid-auth RSA configuration? Especially the file conversion and post.
    Thank you

    1. My plan is to do RADIUS. I’ll have to consider RSA since I currently don’t have it in my home lab.

      1. Hi Carl,

        I have a question on RADIUS. I have this set up and working in terms of logging on through the Access Point. However, the problem I have is that the user is then prompted to type their credentials again when it hits the Connection Server. Obviously I don't want this to happen. I really want the Access Point to pass the authentication through, meaning I don't have to have two Connection Servers (one for two factor (external) and one for standard access (internal)).

        There is no clear information on this in the documentation. I was looking at smart card access, where to make the pass-through work you need to set up a fake SAML configuration. Do you need to do the same thing or something similar for RADIUS?

        Any ideas are welcome, while I continue to research.


          1. I was just reading that link actually, However I am getting a strange issue.

            I had it set to:

            “windowsSSOEnabled”: true,
            “authMethods”: “radius-auth”

            originally, so it would just use the RADIUS authentication.

            Once RADIUS works and logs in, my user is presented with the standard logon page. I want it to pass the logon through.

            I have tried:

            “authMethods”: “radius-auth && sp-auth”
            “authMethods”: “radius-auth || sp-auth”

            all with the same effect. Any idea what I am missing? I would have thought it would have logged straight in.


          2. I think they are missing the password-auth option? Think that's the one I need to use after RADIUS?

      2. Any other thoughts on the below? This is the last piece in the puzzle.

        I have tried a lot and there does not seem to be an obvious reason why the user is being double prompted. It's as if the details are not being passed through once they are authenticated against the RADIUS setup.

        Basically I am trying to do all the authentication on the Access Point:

        Duo, then either pass through the details for login or Active Directory authentication as a secondary.

        I feel like I am missing something but not sure what.


        1. I actually have sorted the issue. I was using an incorrect setting on the proxy service for Duo.

          Thanks to everyone especially Carl for helping me through this setup and learning curve 😀

          1. Hello! Can you go a bit more into detail on this? We are having the same issue with smart card auth. The user logs in via smart card but then is prompted for username/password. What is this proxy service for Duo you are mentioning?

  15. Hei, great job, really easy to use and to share guide. I suggest you add one sentence in the troubleshooting area – also check if the vmware_ap_supervisord service is started.

  16. Hi Carl,

    Is a multiple NIC setup more secure than a single NIC? I thought single would be more secure as traffic needs to go through the firewall. I just want to see what your view is. And I couldn't find any documentation from VMware supporting their multiple NIC setup argument.

    This is what VMware recommended.

    “Using three network interfaces is the most secure option. With a third NIC, external, internal, and management traffic all have their own subnets.”


  17. Carl, Great work on these articles!

    I am wondering how you monitor your Access Points. We had an issue today where authentication via the client would hang, but we were able to connect via HTML.

    Looking at ways to avoid this if we can

    Much appreciated

  18. Carl, Great write up. I have a question regarding syslog. I have the basic OS syslog forwarding to my syslog server, but not the logs specific to Access Point. Syslog-NG is not my strong suit. Do you have any write-ups to get those logs out to a remote syslog automatically?

  19. Thanks for the awesome walkthrough. I’m having an issue where I get everything set up, SSL certs are applied correctly, I configure View to turn off tunneling, etc on the connection server, but I can’t connect to my View instance via the access point. I log into HTML access, select my virtual desktop, click it, but get a connection refused error from Chrome or IE. Have you run into this before?

  20. I am having a strange issue where the Access Point will not tunnel Blast traffic but PCoIP and RDP are working. Have you encountered this? I have a second Access Point that is working fine, but I cannot see any differences between them except that the one that is not working has a cert for the specific external URL with the names of the AP as subject alternative names, and the one that is working only has a cert for the server itself, but then when users go to use the URL they get a cert error because the names don't match. I cannot seem to win here.

    1. FYI this was resolved when we replaced the certificate with a cert that only contained the URL and did not contain subject alternative names of the access points.

  21. Carl,

    I did the SSL cert piece, and I did this before in our POC. Now for whatever reason I push the cert, and it reflects on the page at /rest/v1/config/certs/ssl, but the website still shows it's using the self-signed one. How can I fix this?

      1. Ok, that’s probably my issue. I’ve been expecting the certificate to show at the 9443 pages. I’m still waiting on FW configurations before I can test the redirect all of the way down to our internal machine.

  22. Great article and it will certainly help once I finish upgrading to view 6.2. After you finish deploying the access point, do you simply remove the existing security server from view administrator?

    1. proxyPattern defines the URLs that are forwarded to View Connection Server. Anything not in this list will be ignored. The appliance already has default patterns for /broker and /xmlapi so there’s no need to include them here. /downloads is included so users can download the Horizon Client from the Horizon 6 Connection Server.

      1. I appreciate the help you are providing! I set the proxy pattern to “/|/downloads(.*)”. What else do I need to do? Do I need to upload the client to a certain directory? Do users go to myconnserver.corp.com/downloads/ to access the clients?
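To see what a proxyPattern such as the one quoted above actually lets through, here is an added example (not code from the article or from VMware) that checks sample request paths against that pattern plus assumed regexes for the /broker and /xmlapi defaults the reply mentions; it assumes the pattern must match the whole path, as Java's Matcher.matches() would.

```python
import re

# Constructed for this example: the proxyPattern quoted in the comment above,
# plus the /broker and /xmlapi paths the reply says the appliance handles by
# default (their exact default regexes are an assumption here).
USER_PROXY_PATTERN = r"/|/downloads(.*)"
ASSUMED_DEFAULT_PATTERNS = (r"/broker(.*)", r"/xmlapi(.*)")


def build_allowlist(user_pattern, defaults=ASSUMED_DEFAULT_PATTERNS):
    """Compile the user pattern and the assumed defaults into one allowlist."""
    return [re.compile(p) for p in (user_pattern, *defaults)]


def is_forwarded(path, allowlist):
    """True if the request path would be forwarded to the Connection Server.

    Assumption: as with Java's Matcher.matches(), the regex must cover the
    whole path; the query string is not part of the match.
    """
    path_only = path.split("?", 1)[0]
    return any(rx.fullmatch(path_only) for rx in allowlist)


def classify(paths, allowlist):
    """Map each sample path to whether it is forwarded (True) or dropped (False)."""
    return {p: is_forwarded(p, allowlist) for p in paths}


if __name__ == "__main__":
    allow = build_allowlist(USER_PROXY_PATTERN)
    # Constructed sample paths; /portal/... is the HTML Access path a
    # commenter above was trying to reach through Access Point.
    samples = [
        "/",
        "/downloads/VMware-Horizon-Client.exe?lang=en",
        "/downloads-old/client.exe",  # (.*) has no leading "/", so this passes too
        "/broker/xml",
        "/portal/webclient/index.html",
        "/admin",
    ]
    for path, ok in classify(samples, allow).items():
        print(f"{'forward' if ok else 'drop   '}  {path}")
```

Anything the allowlist does not cover is dropped at the appliance, so a pattern should be kept as narrow as the client features in use require.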

  23. So it seems like I need a third load balancer config now… let me know if I am just wrong here. In the environment I am building they want to use RSA for externally connecting users. This forces me once again to have a separate collection of Connection Servers for internal and external access. So I have the load balancer for the internal users to the two internal connection brokers… no problem there. I have the load balancer for the external users to hit the two Access Points, and since the Access Points can now communicate with both the Connection Servers that have RSA enabled, do I need a third URL and a third load balancer between the Access Points and those two Connection Servers? Or am I crazy? Or can I stick with the old one-to-one relationship between the Security Server (now Access Point) and its Connection Server? I assume in that scenario the Access Point is smart enough to reject traffic if its Connection Server is down?

    1. I can’t think of any reason why you can’t point Access Point to a single Connection Server. But you’d need to configure your Access Point load balancer to monitor the RSA-enabled Connection Server too so if Connection Server goes down then the “paired” Access Point is also taken down. It’s probably easier to just load balance the second pair of Connection Servers and point the APs to that VIP.

  24. Hi Carl,

    Have you tried a 2-arm or “2 NIC” deployment with the Access Point? Especially configuring routing for the appliance?


    1. I have not. I question the benefit of that configuration. With two-arm, you’re trusting the appliance to provide firewall services between the two security zones. Most enterprises prefer to use real firewalls for that purpose and thus one-arm is the more secure approach.

  25. Carl,

    How would this work if internally I am using a Microsoft CA (domain.local) for my Connection Servers and externally use a public CA for the .com certificate? What cert would I push with the PUT command, and what thumbprint should I use?

    1. You upload whatever certificate that matches the name users will enter to access Horizon View remotely. Typically it’s a certificate that is signed by a public CA.

      The thumbprint should be from whatever certificate is installed on your View Connection Servers or load balancer. If you have multiple View Connection Servers then you have a load balancer with a cert on it and that’s the thumbprint you need. I think you can also enter * as a wildcard to trust all thumbprints.

      1. Hi Carl,

        Rightly so, you can indeed enter * for the thumbprint, however it is very much frowned upon. From the latest VMware technical enablement WebEx on AP, they will be doing away with the * ability in the next release of AP as it allows for MITM attacks.

  26. Thanks for this Carl!
    How would you integrate this with Identity Manager (an F5/NS LB pair)? Would the View URL point to the Identity Manager (Identity.corp.local) instead of “view.corp.local”?

    1. I don’t think Identity Manager is supported through Access Point yet. In Identity Manager, you’d point the Network Range View URL to the Access Point URL. I expect a future version of Access Point to merge both products.

  27. Oh – One further thing! May or may not be a bug, but after OVF deployment through the conventional vSphere 5.1 Client I was unable to communicate with the appliance. (The IP Pools were configured beforehand with subnet and default gateway.)

    The only way I got it to work was by deleting the IP Pool and deploying the OVF from the Web Client only, which creates the IP Pool for you. (I compared the one created by the Web Client and it was the same as the one I created.) The deployment success just depended on the Web Client doing the rollout.

    May not be an issue on 5.5 or 6.0, but that's what I saw on 5.1.

  28. Thanks for this Carl. I used both your blog and the PowerShell application to configure the appliance. Quite complicated, but got there in the end. Awesome that the Access Point no longer needs JMS, so it can be in a different datacenter than the View Connection Servers.

    You don’t know of a script to do the Certificate piece at all?
