VMware Horizon Community
chrischay
Contributor

Web Client/Horizon Client SSL Certificate

Hi,

Do I need a public CA if I want to access my virtual desktops from public/internet using Horizon Client or the Web (HTML) client? I have an Enterprise CA that I tried to use, but whenever I access my virtual desktops from public/internet it still shows as untrusted.

Any idea?

Thanks,

Reply
0 Kudos
7 Replies
a_p_
Leadership

You either need to have a certificate from an official CA, or distribute your CA's root and intermediate certificates to your clients, so that they can import them to their certificate store, thus trusting the Horizon certificate. It's also possible to only distribute the root certificate, and combine the intermediate certificate with the one that you configure on the Horizon server.

André

Reply
0 Kudos
chrischay
Contributor

How exactly do you do this? I'm not very familiar with distributing CAs.

Thanks,

Reply
0 Kudos
a_p_
Leadership

Just to clarify the wording: It's not the CA (Certificate Authority) that you want to distribute, but just certificates.

I don't want to confuse you with technical details, so here are the steps in short, assuming that you are using a Windows OS:

  • Run mmc.exe, and add the "Certificates" snap-in for the Computer account.
  • Find your Enterprise CA's root certificate, and export it as a Base64 CER file.
  • In case the Horizon certificate has been signed by an intermediate CA, do the same for the intermediate certificate.

The exported CER files are basically small text files.

Now import these certificates on a system that doesn't already have them (i.e. the ones outside of your enterprise) so that the Horizon certificate will be trusted.


André

Reply
0 Kudos
chrischay
Contributor

I did as per your suggestions and somehow it is still not trusting it.

Reply
0 Kudos
a_p_
Leadership

What you may try, to find out what may be wrong, is to open the public https:// URL from a client device and check the certificate chain from the address bar.

André

Reply
0 Kudos
ggordon
VMware Employee

There is a feature on the Horizon Connection Server that helps overcome these constraints. You can configure the use of the Blast Secure Gateway to provide secure access to remote desktops and applications only when HTML Access is used locally.

For an internal, HTML Access connection, the Blast protocol traffic session is routed through the Connection Server and is presented with its SSL certificate. This removes the need for the virtual desktop to have a verifiable SSL certificate.

See https://techzone.vmware.com/resource/understand-and-troubleshoot-horizon-connections#HTML_Client_Acc... for details on this and how to configure.

Reply
0 Kudos
chrischay
Contributor

Actually the problem was that the hash algorithm that I am using was not very strong. I used SHA1. So I generated a new SSL certificate using the SHA256 hash algorithm, and after that all the browsers and the Horizon Client are now trusting it.

Reply
0 Kudos
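
The chain check suggested in the thread can also be done from PowerShell on a Windows client, which makes a SHA-1 signature like the one that turned out to be the cause here visible next to the trust result. This is an added example, not code from any of the posters; the function name `Test-HorizonCertChain` and the file names in the usage comment are hypothetical placeholders.

```powershell
# Added example: build the chain for an exported server certificate and report,
# per chain element, the signature algorithm and any chain-building errors.
function Test-HorizonCertChain {
    param(
        [Parameter(Mandatory)] [string] $ServerCertPath,  # certificate the Horizon server presents
        [string[]] $CaCertPaths = @()                     # exported root/intermediate CER files
    )
    # Signature OIDs that modern browsers and clients reject as too weak.
    $weakOids = @(
        '1.2.840.113549.1.1.5',   # sha1RSA
        '1.2.840.10045.4.1',      # sha1ECDSA
        '1.2.840.113549.1.1.4'    # md5RSA
    )
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 (Resolve-Path $ServerCertPath).Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip CRL/OCSP lookups so only trust and signature problems are reported.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    foreach ($p in $CaCertPaths) {
        # ExtraStore only offers candidate issuers for path building.
        # It does NOT make them trusted; the root must be in the machine or user root store.
        $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                  (Resolve-Path $p).Path)
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    }
    $trusted  = $chain.Build($leaf)
    $elements = foreach ($el in $chain.ChainElements) {
        $cert = $el.Certificate
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Signature  = $cert.SignatureAlgorithm.FriendlyName
            WeakHash   = ($weakOids -contains $cert.SignatureAlgorithm.Value)
            NotAfter   = $cert.NotAfter
            Errors     = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    [pscustomobject]@{ ChainTrusted = $trusted; Elements = $elements }
}

# Usage (placeholder file names):
# (Test-HorizonCertChain -ServerCertPath .\horizon.cer -CaCertPaths .\intermediate.cer).Elements |
#     Format-Table Subject, Signature, WeakHash, Errors -AutoSize
```

`ChainTrusted` can be `True` while `WeakHash` is also `True` for the server or intermediate certificate, because the Windows chain build does not necessarily apply the same SHA-1 policy that browsers enforce, so both columns need to be read together.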