Horizon Edge Scan

Horizon Edge Scan runs checks against the externally resolvable hostname used by your Unified Access Gateway (UAG). It returns 7 to 9 data points, depending on whether current Qualys SSL Labs scan results are available. Here's a breakdown of each data point, its significance and the recommended follow-up.

1.) Hostname Resolution:
This one is pretty self-explanatory. Without a resolvable hostname, the scan won't proceed.

2.) Pingable:
Good to know, but not strictly necessary. Plenty of firewalls block ping, and if it's blocked it's not a show stopper. Still, it's good to know, and it's always nice to have ping available to explore with if it's an option.

3.) TCP Port 443 Open:
No grey area here. If 443 isn't open, you're pretty much done. Unless you've enabled the UDP Tunnel Server, which isn't typical or necessarily recommended, a blocked TCP 443 port is the kiss of death.

Some manual ways to test port connectivity remotely are telnet, curl or PowerShell's Test-NetConnection:

        telnet ip_address 443
        curl -v telnet://ip_address:443
        Test-NetConnection ip_address -Port 443


4.) UAG Landing Page:

Testing positive for the Horizon landing page is a very auspicious sign. It's an indication not only of sound network communication to the UAG appliance, but also of a working connection between UAG and a Horizon Connection Server. Further, it confirms that either the Connection Server URL has a publicly trusted SSL cert or the UAG appliance has a properly configured Connection Server URL Thumbprint. A lot has gone right for this test to go well. (Note: it's not common, but some organizations disable the Horizon landing page, which could also be the reason for a negative response.)

A manual way to check for this is to point your browser at the UAG appliance, or to use curl with certificate verification disabled:

        curl -v -k https://uag_hostname


5.) HTTPS Request To UAG Appliance:

While the previous Horizon landing page check ignores SSL, this request attempts to make a fully verified TLS connection to the UAG appliance. A successful 200 response indicates the request was made securely and that the SSL cert on the UAG appliance is issued by a certificate authority in the Mozilla trust store. Coupled with a visible Horizon landing page, a 200 response here is a very promising sign.

Like the previous check, the manual equivalent is either pointing your browser at the external URL of your UAG appliance or executing the curl command again, this time without -k, since we are confirming that a properly verified SSL connection works:

        curl -v https://uag_hostname


6.) Qualys SSL Server Test Grade:

While Horizon Edge Scan checks for and diagnoses basic SSL problems, the Qualys SSL Server Test can provide deep analysis of the SSL cert in use on the UAG appliance. This can help with the diagnosis of trickier SSL problems or with general security hardening.

Horizon Edge Scan first reaches out to the Qualys API to see if any scans are already cached for the targeted UAG URL. If it finds one, it displays the grade associated with the scan along with the scan time. The grades typically range from A to F, but can go as far down as T (I think) if you really mess things up. Here's a breakdown of the ratings:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

According to some folks there's no reason you shouldn't have an A+ for your UAG appliance. However, "B's get degrees," baby, and for that matter, I believe even a D grade would be good enough for some connections.  M's and T's on the other hand aren't going to cut it.


7.) Qualys SSL Server Scan Time Grade:

This tells you when the scan was executed. If you want newer scan results, click the "Request Fresh Qualys SSL Server Scan" button, or navigate directly to https://www.ssllabs.com/ssltest/ and run the scan from there.
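As an added example (not Horizon Edge Scan's own code), here is how the cached-grade lookup from data points 6 and 7 can be done against the SSL Labs API v3 `analyze` call. It assumes the response fields SSL Labs documents (`status`, `testTime` in milliseconds, `endpoints[].grade`); the hostname and the JSON replies embedded below are constructed so the summarizing logic can be run offline.

```python
"""Look up a cached Qualys SSL Labs grade for a UAG hostname.

Added example, not Horizon Edge Scan's own code. It assumes the SSL Labs
API v3 "analyze" call and its response fields (status, testTime,
endpoints[].grade) as documented by SSL Labs; the JSON samples below are
constructed for illustration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Any, Dict, Optional

SSLLABS_ANALYZE = "https://api.ssllabs.com/api/v3/analyze"

# Best-to-worst ordering used to pick the weakest endpoint grade. T (trust
# problem) and M (certificate name mismatch) are the grades the post says
# will not do for a UAG.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]
BLOCKING_GRADES = {"T", "M"}


def grade_rank(grade: str) -> int:
    """Position in GRADE_ORDER; unknown grades sort as worst."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def fetch_cached_assessment(hostname: str, max_age_hours: int = 24,
                            timeout: float = 10.0) -> Dict[str, Any]:
    """Ask SSL Labs for a cached report no older than max_age_hours.

    fromCache=on returns an existing report if one exists; otherwise SSL Labs
    starts a new assessment and the reply will not yet have status READY.
    """
    query = urllib.parse.urlencode({
        "host": hostname,
        "fromCache": "on",
        "maxAge": str(max_age_hours),
        "all": "done",
    })
    with urllib.request.urlopen(f"{SSLLABS_ANALYZE}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def summarize(report: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Reduce an analyze() reply to what Horizon Edge Scan displays: the grade
    and the scan time. Returns None when no completed report is available."""
    if report.get("status") != "READY":
        return None
    grades = [ep["grade"] for ep in report.get("endpoints", []) if ep.get("grade")]
    if not grades:
        return None
    worst = max(grades, key=grade_rank)
    # testTime is milliseconds since the Unix epoch.
    scan_time = datetime.fromtimestamp(report["testTime"] / 1000, tz=timezone.utc)
    return {
        "grade": worst,
        "scan_time": scan_time,
        "endpoints": len(grades),
        "acceptable": worst not in BLOCKING_GRADES,
    }


# Constructed sample replies (not real SSL Labs output) so the logic can be
# exercised without network access.
SAMPLE_READY = {
    "host": "uag.example.test", "port": 443, "status": "READY",
    "testTime": 1700000000000,
    "endpoints": [
        {"ipAddress": "203.0.113.10", "grade": "A+", "statusMessage": "Ready"},
        {"ipAddress": "203.0.113.11", "grade": "B", "statusMessage": "Ready"},
    ],
}
SAMPLE_UNTRUSTED = {
    "host": "uag.example.test", "port": 443, "status": "READY",
    "testTime": 1700000000000,
    "endpoints": [{"ipAddress": "203.0.113.10", "grade": "T", "statusMessage": "Ready"}],
}
SAMPLE_IN_PROGRESS = {"host": "uag.example.test", "port": 443, "status": "IN_PROGRESS",
                      "endpoints": [{"ipAddress": "203.0.113.10", "progress": 40}]}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = fetch_cached_assessment(target) if target else SAMPLE_READY
    print(summarize(report) or "no cached assessment; a fresh scan has been queued")
```

When a host has several endpoints (one per IP address), the weakest grade is reported, since that is the one a client might land on. A `status` other than `READY` means nothing was cached and SSL Labs has started a fresh assessment, so the caller should poll again later rather than treat it as a failure.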

8.) Port TCP 8443 Open:

By default, the Blast External URL will use port 8443 on the UAG appliance. While this is not always the case, it's usually the configuration used for simple first-time deployments and POCs. Accordingly, this utility checks TCP 8443 on the high probability it's being used for the Blast External URL.

Like the TCP port 443 test, commands like these will do the trick (note the port is 8443 this time):

        telnet ip_address 8443
        curl -v telnet://ip_address:8443
        Test-NetConnection ip_address -Port 8443


9.) SSL Connectivity To 8443:

The Blast port on UAG uses the same SSL cert as the Horizon primary protocol. So if Blast is running on 8443, the same SSL cert that is presented on 443 will be presented on 8443. Accordingly, the utility validates that port 8443 serves the same cert.

A manual equivalent of this check is openssl s_client, which prints the certificate chain the server presents on that port:

        openssl s_client -connect myhorizon.vmware.com:8443


An Ideal Scan

In an ideal scan where everything has tested positive, we've validated an awful lot without ever having to get under the hood. We know that network communication between the client and the UAG appliance is functional, we know SSL is good, and we're aware of successful communication between the UAG appliance and the internal Connection Server.

I call this an excellent start. If you're using the default of passthrough authentication into your Horizon environment, a successful Horizon Primary Protocol connection is almost guaranteed. A user is highly likely to authenticate correctly and at least have their entitlements presented to them. On the other hand, save for ping, any negative result indicates that the path validated above is at risk and requires further investigation.
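The network-side data points above (hostname resolution, TCP 443 and 8443, the landing page with verification off, the verified HTTPS request, and the 443-versus-8443 certificate comparison), together with the "everything but ping must pass" reading of an ideal scan, as one added Python example. This is not Horizon Edge Scan's own source: the field names, helper functions and verdict rule are this example's own, ICMP ping is left out because it needs raw sockets, and the hostname used in the tests is constructed.

```python
"""Re-implementation of the connectivity data points described in this post.

Added example, not Horizon Edge Scan's own code. Field names, the helper
functions and the verdict rule (ping advisory, everything else required) are
this example's own; ICMP ping is left out because it needs raw sockets.
"""
import hashlib
import socket
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScanResult:
    hostname: str
    ip: Optional[str] = None
    resolves: bool = False
    tcp_443: bool = False
    landing_page: bool = False        # HTTPS 200 with verification off (curl -k)
    https_trusted: bool = False       # HTTPS 200 with the default trust store
    tcp_8443: bool = False
    cert_8443_matches_443: bool = False
    notes: List[str] = field(default_factory=list)


def resolve(hostname: str) -> Optional[str]:
    """Data point 1: return an IPv4 address or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Data points 3 and 8: can we complete a TCP handshake? (telnet / Test-NetConnection)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def https_status(hostname: str, port: int = 443, verify: bool = True,
                 timeout: float = 5.0) -> Optional[int]:
    """Data points 4 and 5: HTTP status of GET https://hostname:port/, or None
    if no HTTP response came back. verify=False mirrors curl -k."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(f"https://{hostname}:{port}/",
                                    timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # a non-2xx answer is still an HTTP response
    except (urllib.error.URLError, OSError):
        return None                # TLS failure, refused connection, timeout


def cert_fingerprint(hostname: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """SHA-256 of the leaf certificate presented on hostname:port. Verification
    is off on purpose: we only want to see which cert is served (openssl s_client)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def run_scan(hostname: str) -> ScanResult:
    r = ScanResult(hostname)
    r.ip = resolve(hostname)
    r.resolves = r.ip is not None
    if not r.resolves:
        r.notes.append("hostname does not resolve; nothing else can be checked")
        return r
    r.tcp_443 = tcp_open(hostname, 443)
    if r.tcp_443:
        r.landing_page = https_status(hostname, 443, verify=False) == 200
        r.https_trusted = https_status(hostname, 443, verify=True) == 200
        if r.landing_page and not r.https_trusted:
            r.notes.append("UAG answers, but its certificate is not trusted by the client trust store")
    r.tcp_8443 = tcp_open(hostname, 8443)   # default Blast External URL port
    if r.tcp_8443:
        fp443, fp8443 = cert_fingerprint(hostname, 443), cert_fingerprint(hostname, 8443)
        r.cert_8443_matches_443 = fp443 is not None and fp443 == fp8443
    return r


# Everything except ping must pass for the "ideal scan" the post describes.
REQUIRED = ("resolves", "tcp_443", "landing_page", "https_trusted",
            "tcp_8443", "cert_8443_matches_443")


def verdict(result: ScanResult):
    """Return ("ideal", []) or ("investigate", [failed data points])."""
    failed = [name for name in REQUIRED if not getattr(result, name)]
    return ("ideal", []) if not failed else ("investigate", failed)


if __name__ == "__main__":
    import sys
    res = run_scan(sys.argv[1])
    print(res)
    print(verdict(res))
```

Run it as `python3 edge_scan.py uag.example.test`. The landing-page and trusted-HTTPS checks are deliberately separate calls so that the "page visible but certificate untrusted" case from data point 5 is reported as its own note rather than folded into a single pass/fail; the 8443 comparison hashes the DER certificate rather than comparing subjects, so a renewed cert on one listener but not the other is caught.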
