matthewgONCU
Enthusiast

Connection server public cert?


A little background. We have the following

Two pods (one at each datacenter)

Four Connection servers (two at each pod)

Round Robin DNS name (local) for users to connect to

Local users only

Remote users connect via VPN (no UAG)

This has been working well for us. However, we are having more and more departments permanently working from home, so those users are transitioning to VDI. Since those users are using non-domain-joined thin client laptops, they do not trust the connection servers' local-CA-signed cert. Management does not want users to connect without VPN access, so we aren't using a UAG. We purchased a single-hostname cert, vdi.DOMAIN.COM. The plan was to simply replace the cert on all the servers with this and change the friendly name to vdm for this new cert. However, this didn't go as planned, as we were getting SSL errors on the client. I then found this setting:

However, in the information name, it says that the URL name must not be load balanced. I assume even round-robin DNS would be considered load balanced, so I'm not sure of the correct way to proceed. Do we need to deploy a UAG even if it's only accessible on the inside? Is there a better way of doing this, or am I missing something?

9 Replies
a_p_
Leadership

Since those users are using non-domain joined thin client laptops, they do not trust the connection servers local CA signed cert.

To make sure that I understand this correctly. The Thin Clients connect to the company through VPN, correct?

If so, why don't you simply add your company CA's Root (and Subordinate) certificates to the thin client's certificate store, so that they are trusted, and therefore trust the connection server's certificates?

André

sjesse
Leadership

The SSL errors, I'm guessing, are coming from the desktops. Do you have the secure gateways enabled on the connection servers? If you don't, the Horizon Client connects directly to the virtual machines, and this will give SSL errors since each VM doesn't have an SSL cert.

matthewgONCU
Enthusiast

We can do that, but we want to avoid it because the thin clients are already deployed with write filters enabled, so even if we remote in and load the cert, it won't survive the next reboot. We were hoping to use a trusted cert to prevent this.

matthewgONCU
Enthusiast

The SSL error is coming up on the Horizon Client when attempting to connect to the connection servers.

sjesse
Leadership

What's the exact error? Feel free to blank out the name, but the error is important.

matthewgONCU
Enthusiast
Enthusiast

I'm going to try again tonight after business hours and collect the screen shots again.

sjesse
Leadership

You may need to chain your cert if it has an intermediate CA that might not be trusted. This requires you to take both files and combine them in one

BarryUWSEFS
Enthusiast

You can deploy a UAG internally and give it a 3rd-party cert that your clients will recognize. Might be simpler than other solutions. I'm just not sure how your VPN is implemented, but in our case our UAG is internal, and we also have port 443 open to it with a public IP address. So although our clients can connect without VPN, we also use VPN for other access, and Horizon access works well with the VPN.

matthewgONCU
Enthusiast
Accepted solution

I realized I never came back to mark a solution. I found another thread saying that when importing the cert, you have to mark the cert's private key as exportable. I deleted the key from the store and reimported, but this time I marked the private key as exportable. Not sure why that mattered, but it did. Once I did that, it accepted the cert without a problem.

However, I may look into adding an internal UAG in the future for ease of cert renewals.
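The accepted solution (import the PFX with the private key marked exportable, friendly name vdm) and sjesse's earlier point about the intermediate CA needing to be in the chain, as an added PowerShell example. This is not code from the thread or from VMware: it imports a PFX into the Connection Server's LocalMachine\My store with the key exportable, makes it the only cert with friendly name vdm (renaming any previous vdm cert rather than deleting it), then checks the things this thread tripped over: that a private key is bound and exportable, which key provider holds it, that the chain builds on the server (a missing intermediate shows up here), and that the hostname is in the SAN. The PFX path, the password prompt, the hostname vdi.DOMAIN.COM from the original post, and the service name wsbroker for the Horizon Connection Server service are assumptions; adjust them for your environment and run it in an elevated PowerShell on each Connection Server.

```powershell
<#
Added example, not from the thread or from VMware.
Import a server cert for a Horizon Connection Server with the private key
exportable, set friendly name "vdm", and sanity-check key, chain and SAN.
Assumed: PFX path, hostname vdi.DOMAIN.COM, service name wsbroker.
#>
param(
    [string]$PfxPath  = 'C:\certs\vdi.DOMAIN.COM.pfx',   # assumed path
    [string]$HostName = 'vdi.DOMAIN.COM',
    [switch]$RestartBroker
)

$store  = 'Cert:\LocalMachine\My'
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import with -Exportable. This is the flag the accepted solution found was
#    required; without it the Connection Server did not accept the cert.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store `
    -Password $pfxPwd -Exportable
# Re-fetch through the Cert: provider so property changes persist in the store.
$new = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

# 2. Horizon selects the server cert by friendly name "vdm"; leave exactly one.
Get-ChildItem $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object { $_.FriendlyName = 'vdm-old' }   # rename, not delete, so you can roll back
$new.FriendlyName = 'vdm'

# 3. Private key checks. The exportable flag lives in a different place depending on
#    whether the key landed in a legacy CSP or a CNG key storage provider.
if (-not $new.HasPrivateKey) { throw "No private key bound to $($new.Thumbprint)" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($new)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $provider   = $rsa.CspKeyContainerInfo.ProviderName
    $exportable = $rsa.CspKeyContainerInfo.Exportable
} else {   # RSACng
    $provider   = $rsa.Key.Provider.Provider
    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
}
"Key provider: $provider; exportable: $exportable"
if (-not $exportable) { Write-Warning 'Private key is NOT exportable; re-import with -Exportable.' }

# 4. Chain check: if the intermediate CA is not present on this server, the chain
#    does not build and clients get an untrusted-issuer error. Each element is listed
#    so a missing intermediate is obvious.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline sanity check only
$ok = $chain.Build($new)
"Chain builds: $ok"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation.Trim())" }

# 5. The name users type (the round-robin DNS name) must be in the SAN.
$san = $new.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($HostName)) {
    Write-Warning "$HostName not found in SAN: $sanText"
}

# 6. The Connection Server reads the store when its service starts.
if ($RestartBroker) { Restart-Service -Name wsbroker }   # assumed service name
```

Run it once per Connection Server; the friendly-name rename in step 2 matters on servers that already carried a vdm cert from the internal CA, since two certs named vdm leave the server picking one unpredictably. If step 4 reports the chain failing at the issuer, install the intermediate CA cert into LocalMachine\CA (or bundle it into the PFX) rather than changing anything on the clients.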