VMware Horizon Community
wframe
Contributor

View Security Server certificate issue

Hi all,

I have the following setup:

Security server:

  • Hostname is secname.domain.org
  • available through view.website.org
  • certificate for *.website.org

Connection server:

  • Hostname is conname.domain.org
  • certificate for *.domain.org

View Administrator:

  • Security server = secname
  • Connection server (paired) = conname
    • External URL = https://conname.domain.org:443
    • Use Secure Tunnel connection to desktop checked
    • PCoIP External URL = (IP of conname:4172)
    • Use PCoIP sec gateway for PCoIP connections to desktop checked

Functionally, I have no issue. I can get in, but I get a warning. This happens:

1.) Open View. Type in view.website.org. HTTPS shows a green indication, all good!

2.) Type in credentials, click connect

3.) VMware View cannot verify the identity of the tunnel server you have contacted. Your desktop sessions will not be secure... Show Certificate shows the view.website.org cert info.

Your insight would be greatly appreciated! I'm a bit new to certificates; am I missing something?

7 Replies
markbenson
VMware Employee

What version of View Connection Server and Security Server? Is this 5.1?

Which View Client are you using and what version is it?

Thanks

wframe
Contributor

The infrastructure is running View 4.6; the client is View 5.1.

If it helps, here is the workflow I described:

[attachment: workflow.png]

markbenson
VMware Employee

OK - it's the version mismatch that is causing this warning.

With a View 5.1 Connection Server and Security Server a certificate thumbprint (of the Security Server SSL Server Cert) is passed down to the client for it to be able to validate the certificate when making the secondary Secure tunnel connection (after authentication). Without this thumbprint (in versions older than 5.1) the destination URL used for the secure tunnel connection would need to use a name that matched your certificate name or certificate alt name. In your case the certificate name is *.website.org and the destination URL name is secname.domain.org and so a mismatch is detected and hence you get the warning. The Security Server identity can therefore not be verified.

You could do one of the following:

1. Set the External URL to secname.website.org so that tunnel connections will match the cert wildcard. This may need DNS changes so that this External URL is usable by the client.

2. Add secname.domain.org to the cert.

3. Upgrade Connection Server and Security Server to 5.1.

I assume you have a load balancer in front of the Security Servers, which is why you don't have your External URL set to view.website.org.

Mark

iamxCPx
Enthusiast

Hi Mark,

I just experienced something similar.

This is what we have.

OUTSIDE FIREWALL - DMZ

Security server:

  • External URL: my.view.com
  • certificate for my.view.com issued by GoDaddy
  • PCoIP External URL: Public IP: 4172

INSIDE FIREWALL

Internal Connection server:

  • HTTPS Secure Channel - External URL: https://external-cs.domain.local:443
  • certificate for external-cs.domain.local issued by local Active Directory CA
  • PCoIP Secure Gateway - External URL: external-cs Internal IP:4172

The firewall has been set correctly for traffic from Security Server --> Connection Server.

With this configuration the external client will not connect.

It'll get to the Username and Password section.

Establishing Secure Connection...

And then it gave me the error:

The View Connection Server authentication failed. A secure connection to the server '(null)' cannot be established.

What's weird is that the configuration above is exactly the same as the one that I have on the View 5.0.1 environment and it worked there.

The only thing I can think of is the SSL certificate.

On View 5.0.1, back then I was able to add the internal host name to the GoDaddy certificate, but since they have a new policy now, they no longer allow anyone to include an internal host name in the certificate. So only an external name can be listed on the certificate.

Just for kicks, I tried changing the connection server "HTTPS Secure Channel - External URL" to match the Security Server's, which is my.view.com, and it worked for a session. I was able to connect to the desktop.

After about 10-15 minutes, I disconnected.

Then I tried it again, and it failed.

I checked View Administrator; it says there is a certificate mismatch on the connection server.

My question is: do I need to revoke the internal certificate that was authenticated by the local CA and install the external certificate that matches the security server?

So both the security server and the internal CS would use the same certificate, or do I just need to give the internal CS an external name and issue its own cert from GoDaddy?

Will that be the solution to this?

Remember, they don't allow anyone to use an internal server name and domain name on an SSL cert.

I much appreciate your input.

Thanks.

markbenson
VMware Employee

Your Security Server external URL is wrong. It should be https://my.view.com:443, where the hostname resolves to the public IP address of your Security Server; see http://communities.vmware.com/docs/DOC-14974 for more details. The video at the bottom goes through this whole setup step by step.

With the way you have set it up, the client will be attempting an HTTP tunnel connection on port 80. This is wrong. This is not related to certificates.

Mark

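To make the two checks Mark describes concrete (the client matching the secure-tunnel destination hostname against the certificate's CN/SAN names, wildcards included, from his first reply, and the External URL needing the https://host:443 form, from his second), here is an added Python illustration. It is not VMware's code; `Cert` is a constructed stand-in for a real certificate's names, and the hostnames are the ones from this thread.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Cert:
    """Stand-in for a server certificate: CN plus SAN dNSName entries (constructed)."""
    common_name: str
    san_dns: list = field(default_factory=list)

    def names(self):
        return [self.common_name] + list(self.san_dns)

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one cert name against a hostname. A wildcard is honoured only as the
    whole left-most label and covers exactly one label, so '*.website.org'
    matches 'secname.website.org' but not 'secname.domain.org' or 'a.b.website.org'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False  # wildcard is not a whole left-most label, or is too broad
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]

def cert_matches_host(cert: Cert, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert.names())

def check_external_url(cert: Cert, external_url: str) -> list:
    """Problems the client would hit with this External URL: no https:// scheme
    (it then tries plain HTTP on port 80, as in the second report) or a hostname
    the tunnel server's certificate does not cover (the identity warning)."""
    findings = []
    parts = urlsplit(external_url)
    if parts.scheme != "https" or not parts.hostname:
        findings.append("External URL must be of the form https://host:443")
        return findings
    if not cert_matches_host(cert, parts.hostname):
        findings.append(f"certificate names {cert.names()} do not cover {parts.hostname}")
    return findings

if __name__ == "__main__":
    wildcard = Cert("*.website.org")
    print(check_external_url(wildcard, "https://secname.domain.org:443"))   # mismatch
    print(check_external_url(wildcard, "https://secname.website.org:443"))  # option 1
    print(check_external_url(Cert("*.website.org", ["secname.domain.org"]),
                             "https://secname.domain.org:443"))              # option 2
    print(check_external_url(Cert("my.view.com"), "my.view.com"))            # no scheme
```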
iamxCPx
Enthusiast

Thanks Mark.

I'll check the links that you have.

And my apologies, that's what I have for the external URL on the security server:

https://my.view.com:443

Typo error.

Thanks.

Ah,

I actually already did check out the video when I deployed 4.6 and left a few comments back then. :)

Just wondering if 5.1 is a bit different to set up. But if not, I must have something not set up correctly on the firewall.

markbenson
VMware Employee

5.1 is the same. Check the 3 steps very carefully. Most people who have incorrect settings fix it by following these 3 steps.

Let us know what it was.

Mark
