In a new Horizon 7.5 deployment, we have configured load-balanced UAGs for external access pointing to load-balanced Connection Servers. All the certs seem to be in place. I am using split DNS, with external pointing at the UAGs and internal pointing at the Connection Servers.
From external, there are no certificate errors when connecting using the View client or HTML. Everything works as expected.
From internal, there are no certificate errors when using the View client.
From internal, when using HTML, there are no certificate errors until the desktop is selected. On initial connection to the VDI it shows the VDI's IP address on port 22443. Since there is no certificate matching the IP address, there is a certificate error, which can be accepted. After acceptance, the URL flips back to the Connection Server load-balanced URL (what the user used to connect to Horizon) and the cert is accepted.
I'm wondering if it is because on the Horizon Connection Server, under View Configuration, Servers, Connection Servers, Edit, General tab, to use the UAG as a reverse proxy, I need to uncheck all the external URL boxes.
This issue goes away if I point the internal side of the split DNS to the internal IP of the UAG load balancer, but I am concerned about traffic and sending internal traffic to the DMZ to come back in.
All certs used are public and there is no internal CA.
The issue is that the self-signed HTML Access cert that is generated when the Horizon Agent is installed is being presented to the client. I know of three ways to solve this.
Configure HTML Access Agents to Use New TLS Certificates
When connecting to a View virtual machine using Blast, SSL Session is invalid (2088354)
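A quick way to confirm which certificate the internal HTML client actually sees on port 22443, and why the browser objects, as an added example that is not code from this thread or from VMware: the script below connects the way a browser does (verifying against the OS trust store), and classifies the presented certificate as self-signed (the Horizon Agent's default), name-mismatched (a real cert that does not cover the IP or host in the URL) or OK. The host names, IPs and sample certificate dicts are constructed for illustration; the dict shape is the one `ssl.SSLSocket.getpeercert()` returns.

```python
"""Classify the TLS certificate a Horizon Blast/HTML Access endpoint presents.

Added example, not from the original thread or from VMware. Assumes only that
the target speaks TLS on the given port (Blast on the agent is 22443; the
Connection Server and UAG listen on 443).
"""
import ipaddress
import socket
import ssl


def _dn_to_dict(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) tuples into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def is_self_signed(cert):
    """The agent installer's HTML Access cert is self-signed: subject == issuer."""
    return _dn_to_dict(cert.get("subject", ())) == _dn_to_dict(cert.get("issuer", ()))


def _dns_match(pattern, hostname):
    """Browser-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return pattern == hostname


def covers(cert, target):
    """Does a SAN entry cover the name or IP the browser will put in the URL?"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def diagnose(cert, target):
    """Return 'self-signed', 'name-mismatch' or 'ok' for cert presented at target."""
    if is_self_signed(cert):
        return "self-signed"
    if not covers(cert, target):
        return "name-mismatch"
    return "ok"


def probe(host, port=22443, timeout=5.0):
    """Connect like a browser (OS trust store). Returns (cert_dict, None) when the
    chain is trusted, or (None, reason) when the handshake fails, which is what
    happens with the agent's self-signed cert. Name checking is done by covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we report name coverage separately via diagnose()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError as exc:
        return None, str(exc)


# Constructed samples shaped like getpeercert() output (hypothetical names/IPs).
AGENT_SELF_SIGNED = {
    "subject": ((("commonName", "vdi-desktop-01"),),),
    "issuer": ((("commonName", "vdi-desktop-01"),),),
    "subjectAltName": (("DNS", "vdi-desktop-01"),),
}
PUBLIC_CS_CERT = {
    "subject": ((("commonName", "horizon.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),), (("organizationName", "Example"),)),
    "subjectAltName": (("DNS", "horizon.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    # What the internal HTML client hits when the URL flips to the VDI IP.
    print(diagnose(AGENT_SELF_SIGNED, "10.1.2.3"))
    # To probe a real desktop from inside: cert, err = probe("10.1.2.3")
```

Run `probe()` against a desktop's IP on 22443 from an internal client and against the Connection Server name on 443; a `(None, "self-signed certificate")`-style result on 22443 confirms the agent cert is what the browser is complaining about, while a trusted cert that still returns `name-mismatch` for the IP points at the SAN list rather than the issuer.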
Thanks, that is what I suspected was going to be the response. Unfortunately, a wildcard is not really an option, so that leaves dedicated Connection Servers or putting everyone through the UAGs.
Thanks again.
Not solved with your solutions!!