Hi,
We have a closed environment so no access to the internet.
We do not have an internal CA, so we need to order a certificate from a certificate vendor.
What kind of certificate could we order, so that the clients that connect to the environment can trust the solution?
If our domain is named private.local, is that OK, or do we have to have something like private.com?
Is it OK with a wildcard certificate?
Any good articles are also appreciated.
Thanks for the reply.
/R
Andreas
Is this production or a lab? You will be vulnerable to a MITM, but you could turn off SSL checking if this is an air-gapped/protected network and you don't have any compliance requirements to have certificates.
If that won't work, you will need to purchase an external domain name (e.g. company.com) and then purchase an SSL cert for that domain (e.g. vdi.company.com). You will then use split DNS to point vdi.company.com to your load balancer or connection servers.
In November of 2015 the CA/Browser Forum (CA/B) published that public certificate authorities were supposed to stop issuing certs for internal names or private IP addresses after July 1, 2012.
Guidance on Internal Names - CAB Forum
Internal Server Name SSL Certificate Issuance After 2015
Replace Your Certificates for Internal Names | DigiCert Blog
You just need a simple web server cert installed on the connection servers for something like vdi.example.com using a public domain that you own.
If you have two connection servers (cs1.company.local and cs2.company.local) you could purchase a single web server cert named vdi.company.com with SAN entries for vdi.company.com, cs1.company.com and cs2.company.com (do this regardless of whether you have a load balancer). Then install that cert on the load balancer (skip this if you don't have one) and both connection servers, and configure split DNS to resolve vdi.company.com to the internal IP of the load balancer, cs1.company.com to the internal IP of cs1 and cs2.company.com to the internal IP of cs2. You should not create public DNS entries that resolve to the private IP address. Replacing the SSL certificate is just a matter of importing it into the cert store on each connection server, removing the "vdm" friendly name from the existing cert, adding the "vdm" friendly name to the new cert and restarting the connection server services.
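As an added example (not code from this thread or from VMware), the check below applies the CA/B Forum rule the reply refers to: before sending a CSR to a public CA, every SAN entry is classified so that reserved suffixes such as .local, single-label hostnames and private/non-routable IPs are caught up front, and the subjectAltName line for the CSR config is only produced when all names are publicly issuable. The reserved-TLD set, the function names and the sample SAN lists are assumptions constructed for this example.

```python
import ipaddress

# TLDs reserved for non-public use (RFC 6761 / RFC 6762). A public CA cannot
# validate control of these via public DNS, so it must not issue for them.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def classify_san(name: str) -> str:
    """Return 'public', 'internal-name' or 'non-global-ip' for one SAN entry."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):          # wildcard: judge the base domain
        host = host[2:]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918, loopback, link-local and similar ranges are not global;
        # with split DNS you never need an IP SAN anyway, only DNS names.
        return "public" if ip.is_global else "non-global-ip"
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] in RESERVED_TLDS:
        return "internal-name"
    return "public"


def audit_sans(names):
    """Split a proposed SAN list into issuable names and ones a public CA refuses."""
    ok, refused = [], []
    for n in names:
        kind = classify_san(n)
        (ok if kind == "public" else refused).append((n, kind))
    return ok, refused


def san_extension_line(names):
    """Build the openssl.cnf subjectAltName line, or fail on non-issuable names."""
    ok, refused = audit_sans(names)
    if refused:
        raise ValueError("public CA will refuse: " + ", ".join(f"{n} ({k})" for n, k in refused))
    return "subjectAltName = " + ",".join(f"DNS:{n}" for n, _ in ok)


if __name__ == "__main__":
    # Constructed samples: the reply's proposal vs. the original .local naming.
    proposed = ["vdi.company.com", "cs1.company.com", "cs2.company.com"]
    internal = ["cs1.private.local", "*.private.local", "10.0.0.5"]
    print(san_extension_line(proposed))
    print(audit_sans(internal)[1])
```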
Hi,
Thanks for the reply, and good links.
Do you own an external domain that you can purchase an SSL cert for but only use internally with split DNS?
- No, this is a closed small domain with only 2 domain controllers, some file servers, a Horizon View installation, and 20 clients.
- There is absolutely no access to the internet, and there will not be either.
How many connection servers do you have?
- There are 2 connection servers
Do you have a load balancer?
- No
Is tunneling enabled on the connection servers?
- No
What display protocol are you using (Blast, PCoIP)?
- PCoIP
What clients do you use (Horizon Client, Zero/Thin client, HTML access)?
- Thin client
If I understand this correctly, there is no longer a way to order an SSL certificate for a private.local domain? I must change it to private.com, for example?
Or am I misunderstanding? Certificates are not my strongest area.
So what are my options?