VMware Horizon Community
nsousaarlington
Enthusiast

Unified Access Gateway 3.9 - External Certificate

The documentation isn't clear about how to replace the self-signed UAG certificates. My goal is to have external clients connect to https://vdi.company.com and have the certificate be trusted. When they connect to https://vdi.internalcompany.com while they are in the office, the certificate there will also be trusted.

I already replaced the connection server certificates, and https://vdi.internalcompany.com shows up as trusted from the Horizon Client and a browser.

However, for the external certificate, where do you configure it? Under "Blast Proxy Certificate", "Tunnel Proxy Certificate", or "Trusted Certificates"? (These are listed under UAG > Horizon Settings.)


Accepted Solutions
sjesse
Leadership

Here for most cases

[screenshot attached]

The blast proxy cert is needed if (from Configure Horizon Settings):

"If the user manually uploads the same certificate for the Unified Access Gateway to the load balancer and needs to use a different certificate for Unified Access Gateway and Blast Gateway, establishing a Blast desktop session would fail as the thumbprint between the client and the Unified Access Gateway does not match. The custom thumbprint input to Unified Access Gateway or Blast Gateway resolves this by relaying the thumbprint to establish the client session."

4 Replies
nsousaarlington
Enthusiast

With two UAG appliances in an HA pair, do I need to specify anything additional in the certificate other than https://vditest.company.com in the Common Name and SAN fields?

From Selecting the Correct Certificate Type:

"For example, three certificates might be issued for the Unified Access Gateway appliances that are behind a load balancer: ap1.example.com, ap2.example.com, and ap3.example.com. By adding a Subject Alternative Name that represents the load balancer host name, such as horizon.example.com in this example, the certificate is valid because it matches the host name specified by the client."

The above seems to be saying that you only need the CN and SAN fields to match the FQDN of the external URL.

sjesse
Leadership

No, I think you need both UAG FQDNs in the cert as SANs, plus the full name. HA doesn't load balance the Blast or PCoIP connections, so users will connect to the UAGs directly, which is why those names need to be in the SAN fields.

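As an added check that is not part of this thread or of VMware's tooling: before uploading a certificate to the UAGs, confirm that every name clients will actually connect to (the load-balanced FQDN plus each UAG appliance FQDN, as sjesse describes) is present as a DNS SAN. The certificate dict is constructed in the shape Python's `ssl.getpeercert()` returns, and the hostnames are the example names used in this thread.

```python
"""Check that a certificate's DNS SANs cover every hostname Horizon clients will use."""
import ssl
import socket

# Constructed sample: the CN names the load balancer, but the SAN list omits uag2.
SAMPLE_CERT = {
    "subject": ((("commonName", "vditest.company.com"),),),
    "subjectAltName": (
        ("DNS", "vditest.company.com"),
        ("DNS", "uag1.company.com"),
    ),
}

# Load-balanced FQDN plus each UAG FQDN (Blast/PCoIP sessions go to the UAGs directly).
REQUIRED_HOSTS = ["vditest.company.com", "uag1.company.com", "uag2.company.com"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is accepted only as
    the whole leftmost label ('*.company.com' covers uag1.company.com but not
    company.com, a.uag1.company.com, or anything spelled 'uag*.company.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def missing_san_names(cert, required_hosts):
    """Return the required hostnames that no DNS SAN covers. The CN is deliberately
    ignored, because modern TLS clients only match names in the SAN extension."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in required_hosts if not any(dns_name_matches(s, h) for s in sans)]


def fetch_cert(hostname, port=443):
    """Fetch the leaf certificate of a deployed UAG so it can be checked the same way.
    Not called offline; raises if the chain is not trusted by this machine."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("Missing SAN entries:", missing_san_names(SAMPLE_CERT, REQUIRED_HOSTS))
    # -> Missing SAN entries: ['uag2.company.com']
```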
nsousaarlington
Enthusiast

OK, thank you. So the FQDNs for the UAG appliances need to be these?

vditest.company.com

uag1.company.com

uag2.company.com

Instead of this:

vditest.company.com

uag1.internalcompany.com

uag2.internalcompany.com

For the public DNS records, can I just have one public IP address? E.g.:

vditest.company.com [4.4.4.4]

uag1.company.com [4.4.4.4]

uag2.company.com [4.4.4.4]

And that public IP address has a NAT rule that maps to the internal UAG VIP address? I'm not clear on how external clients will connect to the UAGs directly.
