Hi everybody !
I'm planning to install vmware view 6.1 with two connection server on the LAN and one security server on the DMZ.
I'm wondering which names do i need on the certificate ?
my connection server names will be VDI1.MyDomain.Local, VDI2.MyDomain.Local
my security server will be VDI3 (not domain joined server)
my a-record on my public DNS is view.MyDomain.com which direct to the security server.
I have Internal CA server that can issue certificate for VDI1.MyDomain.Local and VDI2.MyDomain.Local.
I have a wildcard certificate for *.MyDomain.com (it doesn't contain any of my internal server names)
1. can I use my wildcard certificate to connect to the security server without any error ?
2. where do i install the wildcard cert? on the security server and all the connection server ?
3. what if i want to connect to VDI from internal network do i need to install my internal CA certificate with the internal names to my connection servers ?
4. because my connection server will be connected both internally and externally, will it use the internal cert (VDI1/2.MyCompany.local) for internal connection and the external cert (*.MyDomain.com) for external connection ?
Thank you.
Taylor.
I do not recommend to use a wildcard certificate on connection servers.
Instead you can issue one certificate for each connection server: VDI1.MyDomain.Local and VDI2.MyDomain.Local
This way the connection will be trusted when connecting from inside.
From internet you will connect to the security server only, so you only need a trusted certificate installed on the security server.
If you issue a certificate from your CA, it will work but clients connecting from internet will not trust that certificate.
If you want a certificate trusted by everyone connecting from internet, you have to buy a certificate from a certificate authority like verisign etc
In both cases, the certificate should be issued with name: view.MyDomain.com and installed on the security server only.
Hope this helps
Regards,
Claudio
I do not recommend to use a wildcard certificate on connection servers.
Instead you can issue one certificate for each connection server: VDI1.MyDomain.Local and VDI2.MyDomain.Local
This way the connection will be trusted when connecting from inside.
From internet you will connect to the security server only, so you only need a trusted certificate installed on the security server.
If you issue a certificate from your CA, it will work but clients connecting from internet will not trust that certificate.
If you want a certificate trusted by everyone connecting from internet, you have to buy a certificate from a certificate authority like verisign etc
In both cases, the certificate should be issued with name: view.MyDomain.com and installed on the security server only.
Hope this helps
Regards,
Claudio
Thank you vary much for your quick answer Claudio,
Just to make sure, you are saying that for external users i only need one third party trusted Cert for the security server and that's it ?
My wildcard certificate is from GoDaddy so it is trusted to the outside world, the wildcard is for my external domain *.MyDomain.com, so can I use this certificate for the Security Server ? no need any inernal names (server.MyDomain.local) in that certificate ?
Thanks!
MindU_Talor,
Your wildcard certificate will work fine in this case. I used a wildcard cert myself for my Security Servers. There is no need for internal names on the certificate.
Exactly, you are right. Just install the wildcard certificate on the security server and you're done.
There's no need to have any alternative name in the certificate referring to the connection servers.
Cheers
I think I am in the same sort of situation, but still confused as all <insert favorite expletive>
My view environment consist of three virtual servers.
1 connection server
1 security server
1 composer server
Connection Server
fqdn in windows AD is:
View-Conn.domain.local
10.10.144.47
internal DNS resolves…
View-Conn.domain.local
to
View.domain.local
So using the URL
internal users are able to log in and get a desktop securely and I can administer securely is I using the url
https://view.domain.local/admin
To make all of this secure, what I did was…
On this connection server I have installed under “Private” a secured certificate under the name of
View.domain.local
Now, I am not a certificate expert and I hate dealing with these… but the certificate I got from Go Daddy… it allows me to also create “5 SAN” names…
again, IDK, so what I did was.. tied to this same certificate I created 4 more additional SANs:
So, I am not sure if I did it right but now when I log into the administrator console
So, my first question is this...
Did I do everything correct up to this point?
Because I am receiving errors when attempting to log in via WYSE terminal...
when I attempt to connect to my connection server via a WYSE terminal
when I supply
view.domain.local or ServerName.domain.local as the connection server name...
I still receive a certificate error...
even though the cert details contain correct information. including SAN names
What am i missing? any thoughts?
It is possible your WYSE terminal may not trust the Go Daddy CA. Access the WYSE client via the Web UI and update it to trust the Go Daddy CA cert. You can also accomplish this with the PCoIP Management Console.