VMware Horizon Community
HendersonD
Hot Shot

Split DNS and SSL certs

Security Server - we purchased a cert, view.victorschools.org, from GoDaddy. External DNS entry for view.victorschools.org points towards 209.68.96.26

  • District owned device off campus works fine
  • Personal device off campus works fine

Broker - we have an internal Windows CA setup and issued a cert with a name of broker.vcs.local and a Subject Alternative Name (SAN) of view.victorschools.org. Internal DNS entry for broker.vcs.local and view.victorschools.org points toward 10.121.125.107

  • District owned laptop or desktop - view client works fine since these machines are setup to trust our Windows CA
  • Personal devices such as PC laptops, Mac laptops, or iPads - this is where the issue is. When one of these devices attempts to connect using view.victorschools.org, which internally points towards our Broker server, they get a cert mismatch error. Even though the cert has a SAN of view.victorschools.org, for whatever reason it picks up on broker.vcs.local.

How is split DNS and certs handled correctly? I want to point clients towards view.victorschools.org whether they are internal/external or district-owned/personal and have it just work. I could have them turn off certificate verification in the client, but this is one more thing a person would have to do. I am not even sure if cert checking is something that can be turned off on the iPad client.

3 Replies
SimonLong
VMware Employee

The latest version of the View Client v2.0 for iPad now has the option to turn off certificate validation.

As for the original question, I'm not sure I can help with that.

Visit My Blog, The SLOG at: http://www.simonlong.co.uk
HendersonD
Hot Shot

Thanks for the reply. While turning off cert validation will work, I would really like to make this work without having to do this.

Phil_Helmling
VMware Employee

You need to add a SAN for your connection server(s) into the view.victorschools.org cert, as View will only use one certificate, the one with the "vdm" friendly name. To do this you will need to purchase a UCC or multi-use certificate. The other issue you will have, though, if you have two connection servers, one paired with the security server and another accepting internal traffic, is that your internal split DNS will be pointing to the external and therefore routing all internal requests for view.victorschools.org to your external. The only way I've found around this is to add host file entries on the Security Server and paired Connection Server for the external IP for the external DNS. Hope that makes sense.

Phil

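A diagnostic for the situation in the original post and in Phil's reply, added here as an example (it is not code from the thread or from VMware). It does two things a practitioner wants before buying a UCC cert or editing hosts files: it applies the name-matching rule a client uses (if any dNSName SAN is present, the subject CN is ignored, so a cert with CN broker.vcs.local and SAN view.victorschools.org does match view.victorschools.org), and it separates a hostname mismatch from an untrusted issuer, which are reported by OpenSSL with different verify codes and need different fixes. The sample certificate dictionaries are constructed to mirror the setup described in the post; the issuer name in them and the error-code mapping are assumptions, and probe() needs network access, so run it from both the inside and the outside network against the same name.

```python
"""TLS name-match and trust diagnostic for a split-DNS View deployment.

Added example; not code from the original thread or from VMware. The sample
certificate dictionaries are constructed (ssl.getpeercert() form) to mirror
the internal Windows CA certificate described in the post and are not the
real certificates. probe() makes a live connection and is not run offline."""
import socket
import ssl

# OpenSSL X509_V_ERR codes surfaced as ssl.SSLCertVerificationError.verify_code
# (assumed mapping; check `openssl verify` output on your platform if in doubt)
_TRUST_CODES = {18, 19, 20, 21}   # self-signed / no local issuer: CA not trusted
_NAME_CODES = {62, 64}            # hostname / IP address mismatch
_EXPIRY_CODES = {9, 10}           # not yet valid / expired

# Constructed sample mirroring the post: CN broker.vcs.local, SAN view.victorschools.org.
SAMPLE_INTERNAL_CERT = {
    "subject": ((("commonName", "broker.vcs.local"),),),
    "issuer": ((("commonName", "VCS Internal CA"),),),   # assumed issuer name
    "subjectAltName": (("DNS", "view.victorschools.org"),),
}
# Constructed sample with no SAN at all, so only the CN counts.
SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "broker.vcs.local"),),)}


def san_dns_names(cert):
    """dNSName SAN entries from a cert in ssl.getpeercert() dictionary form."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert):
    """Subject commonName, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def names_cert_presents(cert):
    """Names a client matches the requested hostname against. When any dNSName
    SAN exists the CN is ignored (RFC 6125 s6.4.4), as current clients do."""
    names = san_dns_names(cert)
    if names:
        return names
    cn = subject_cn(cert)
    return [cn] if cn else []


def _name_matches(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the whole leftmost label,
    covering exactly one label, and never for a bare second-level name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if a client connecting to `hostname` accepts this cert's names.
    Trust of the issuer is a separate question (see classify_verify_error)."""
    return any(_name_matches(n, hostname) for n in names_cert_presents(cert))


def classify_verify_error(verify_code, verify_message=""):
    """Map an OpenSSL verify failure to the thing the admin has to fix."""
    if verify_code in _NAME_CODES:
        return "name-mismatch"      # fix: SAN on the cert must include the requested name
    if verify_code in _TRUST_CODES:
        return "untrusted-issuer"   # fix: client must trust the CA, or use a public CA
    if verify_code in _EXPIRY_CODES:
        return "expired"
    return "other: %s" % verify_message


def probe(hostname, port=443, timeout=5.0):
    """Connect with full verification, as a normal client would, and return
    (status, detail): 'ok' with the names the cert presents, or the failure
    class so the admin knows whether to fix the SAN/DNS or the trust store."""
    ctx = ssl.create_default_context()   # system CA store, hostname check on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return "ok", names_cert_presents(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc.verify_code, exc.verify_message), str(exc)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["view.victorschools.org"]:
        print(host, *probe(host))
```

Run it from a district device and from a personal device on the inside network: if the inside broker answers with "untrusted-issuer" on the personal device, the SAN is fine and the problem is that the Windows CA is not in that device's trust store; only "name-mismatch" means the cert's names need changing.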