The documentation isn't clear about how to replace the self-signed UAG certificates. My goal is to have external clients connect to https://vdi.company.com and have the certificate be trusted. When they connect to https://vdi.internalcompany.com when they are in the office, the certificate there will also be trusted.
I already replaced the connection server certificates, and https://vdi.internalcompany.com shows up as trusted from the Horizon Client and a browser.
However, for the external certificate, where do you configure it? Under "Blast Proxy Certificate", "Tunnel Proxy Certificate", or "Trusted Certificates" (these are listed under UAG > Horizon Settings):
Here for most cases
The Blast proxy cert is needed if:
"If the user manually uploads the same certificate for the Unified Access Gateway to the load balancer and needs to use a different certificate for Unified Access Gateway and Blast Gateway, establishing a Blast desktop session would fail as the thumbprint between the client and the Unified Access Gateway does not match. The custom thumbprint input to Unified Access Gateway or Blast Gateway resolves this by relaying the thumbprint to establish the client session"
With two UAG appliances in an HA pair, do I need to specify anything additional in the certificate other than https://vditest.company.com in the Common Name and SAN fields?
Selecting the Correct Certificate Type
"For example, three certificates might be issued for the Unified Access Gateway appliances that are behind a load balancer: ap1.example.com, ap2.example.com, and ap3.example.com. By adding a Subject Alternative Name that represents the load balancer host name, such as horizon.example.com in this example, the certificate is valid because it matches the host name specified by the client."
The above seems to be saying that you only need the CN and SAN fields to match the FQDN of the external URL.
No, I think you need both UAG FQDN names in the cert as SANs, as well as the full name. HA doesn't load balance the Blast or PCoIP connections, so users will connect to the UAGs directly, so those names need to be in the SAN fields.
Ok thank you. The FQDNs for the UAG appliances need to be this?
vditest.company.com
uag1.company.com
uag2.company.com
Instead of this:
vditest.company.com
uag1.internalcompany.com
uag2.internalcompany.com
For the public DNS records, can I just have one public IP address? E.g.:
vditest.company.com [4.4.4.4]
uag1.company.com [4.4.4.4]
uag2.company.com [4.4.4.4]
And that public IP address has a NAT rule that resolves to the internal UAG VIP IP address? I'm not clear on how external clients will connect to the UAGs directly.
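To make the SAN advice above concrete, here is an added example (not from the thread or from VMware) that builds a CSR for the HA pair with the VIP name as CN and the VIP plus both appliance names as DNS SANs, then checks that every hostname a client might connect to is covered. The hostnames are the ones from the thread; the WORKDIR variable and OpenSSL 1.1.1+ (for -addext) are assumptions.

```shell
#!/bin/sh
# CSR for a UAG HA pair: shared public name vditest.company.com, per-appliance
# names uag1/uag2.company.com (names taken from the thread above).
# Assumes OpenSSL 1.1.1 or newer for the -addext option.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch location

# Emit a CSR with the load-balancer name as CN and every name a client may
# use (VIP name plus each appliance's own name) as DNS SANs. Prints the path.
make_uag_csr() {
    cn="$1"; shift
    sans=""
    for n in "$cn" "$@"; do
        sans="${sans:+$sans,}DNS:$n"
    done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/uag.key" -out "$WORKDIR/uag.csr" \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" >/dev/null 2>&1
    echo "$WORKDIR/uag.csr"
}

# Print the DNS names found in the CSR's subjectAltName, one per line.
csr_dns_names() {
    openssl req -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n1 \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if every required hostname has an exact DNS SAN, 1 otherwise
# (listing the missing ones on stderr). Exact match only: appliance names
# are not wildcards, and Blast/PCoIP go straight to the appliance name.
check_san_coverage() {
    csr="$1"; shift
    have="$(csr_dns_names "$csr")"
    missing=""
    for need in "$@"; do
        echo "$have" | grep -qx "$need" || missing="$missing $need"
    done
    [ -z "$missing" ] || { echo "missing SANs:$missing" >&2; return 1; }
}
```

Submit the resulting CSR to your CA and upload the issued chain as the UAG TLS server certificate; the same check works on the issued certificate by swapping `openssl req` for `openssl x509` in csr_dns_names.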