There is something missing in the information provided.

From the title I suppose you are using the F5 to load balance the two security servers, right?

So, how do the users connects? Do they use an alias that points to the IP configured in the F5? (for example: view.domain.com)

Which IP did you insert in the "External URL" of both security servers?

Which FQDN did you insert in the "External URL" of both security servers, when you tried it? (for example sec1.domain.com; sec2.domain.com)

Please provide further information to help you better.

Anyway, if you want to use the IP, it is possible to generate a certificate including the IP address as a subject alternative name.

Best Regards

We use the same Certificate on the 2 security servers and our F5 vIP and get no errors. The external URL we use in the security server config is the FQDN that points to the vIP.  We are running Horizon 6.2 and not 7 so that may be the difference.

Let's say that you have:

- F5 vIP reachable with external name external.domain.com

- 2 x Security servers (sec1.domain.com, sec2.domain.com)

You must have a certificate with at least the following Subject Alternative Names:

- external.domain.com

- sec1.domain.com

- sec2.domain.com

The certificate should be assigned to both Security servers.

The External URL must be the one pointing to the F5 vIP, in this case external.domain.com

If for any reason you want to use the IP address as External URL, then make sure to add the IP address in the certificate's Subject Alternative Names:

- external.domain.com

- sec1.domain.com

- sec2.domain.com

- x.x.x.x

Slim,

have the exact same environment that you have, including the F5's.

I have our DMZ F5's using a wild card cert (*.domain.com) for the client SSL profile initial traffic into the vip.  I then have the F5's re-encrypting the traffic (using the same *.domain.com cert for the server SSL profile) to send to the pool of security servers.  On the security servers, I installed the same *.domain.com PFX cert in the personal store of the security servers, marking the key as exportable and assigning a friendly name of vdm to the cert.

Within View Admn console, under servers and Security servers, I have the following configuration:

Security server 1

HTTPS: Secure tunnel - External URL - https://ss1.domain.com:443

PCoIP Secure Gateway - External URL - https://external IP of the security server:4172  (Not the DMZ IP)

Blast Secure Gateway - External URL - https://ss1.domain.com:8443

Security server 2

HTTPS: Secure tunnel - External URL - https://ss2.domain.com:443

PCoIP Secure Gateway - External URL - https://external IP of security server 2:4172  (Not the DMZ IP)

Blast Secure Gateway - External URL - https://ss2.domain.com:8443

Start with that and see if that helps

BadFish