Last week a customer asked me to look at a strange problem they experienced with the VMware Access Point appliance.

They installed a new greenfield environment with VMware Horizon View 7.0.1 and decided to not use the VMware Security Server, but to use the VMware Access Point, version 2.5.1.

This is a very good decision because VMware will put all development investments in the Access Point appliance, which eventually means that View Security Server will probably be phased out or deprecated in the near future.

About the problem. After installing the Access Point appliance, we noticed the appliance was not reachable via the internet, or via the management interface (REST API) on port 9443.

Strange thing was, we where able to ping the appliance with a test VM that we created in the same subnet, but  both user portal and management interface where still not reachable. Also, from the console view of the appliance we where able to ping the default gateway. The network department started a trace and noticed there where no packets being dropped or blocked.

We tried several things for the appliance deployment:

Instructions how to deploy the Access Point are very well explained in Carl Stalhood’s blog.

After all these tests, we decided to examine the log files from the appliance. Because we didn’t have access to the management interface REST API, we had to look from the console view. The log files for the Access Point are documented here.

We did a “grep” on “error” for /opt/vmware/gateway/logs/admin.log. This showed the error “Invalid thumbprint format“, as shown in this screenshot:

Capture

When installing the appliance, we used the option “Horizon server thumbprints“. This means you’ll have to specify the certificate thumbprint from the certificate Load Balance VIP (or single Access Point appliance) during the installation. The thumbprint can be seen when looking at the properties of the certificate file. Again, see Carl Stalhoods blog for more information!

Capture2

We where 100% sure we configured the tumbprint information correctly during the installation. We did a quick test without the thumbprint information, this way the Access Point will use a self-signed certificate after installation.

We now noticed we where able to connect to the appliance, both user portal an management interface! Problem partially solved! 🙂

To manually install the certificate after deployment, you must prepare your certificates to create “one-liners” from the certificate file. After this use the REST API to add the certificates to the Access Point configuration.

So to conclude, configuring the certificates after deployment completely solved the problem!