I working on a project that consists of the following:
2 x Connection servers for internal
2 x connection servers for external
2 x security servers that are paired to the external connection servers
We are running version 7 and everything is working as expected, except the security servers.
On the external URL for the security servers, we place the external IP and everything works. However, due to version 7 being strict with certificates we get a red alarm in the admin console.
If I change the URL to the FQDN server of itself this resolves the invalid certificate issue but then we get name resolution issues when we try to connect externally from the client.
I was hoping someone could advise what the external URL should be and if it is just the IP address how do we resolve the certificate issue?
Any help would be appreciated.
There is something missing in the information provided.
From the title I suppose you are using the F5 to load balance the two security servers, right?
So, how do the users connects? Do they use an alias that points to the IP configured in the F5? (for example: view.domain.com)
Which IP did you insert in the "External URL" of both security servers?
Which FQDN did you insert in the "External URL" of both security servers, when you tried it? (for example sec1.domain.com; sec2.domain.com)
Please provide further information to help you better.
Anyway, if you want to use the IP, it is possible to generate a certificate including the IP address as a subject alternative name.
We use the same Certificate on the 2 security servers and our F5 vIP and get no errors. The external URL we use in the security server config is the FQDN that points to the vIP. We are running Horizon 6.2 and not 7 so that may be the difference.
Let's say that you have:
- F5 vIP reachable with external name external.domain.com
- 2 x Security servers (sec1.domain.com, sec2.domain.com)
You must have a certificate with at least the following Subject Alternative Names:
The certificate should be assigned to both Security servers.
The External URL must be the one pointing to the F5 vIP, in this case external.domain.com
If for any reason you want to use the IP address as External URL, then make sure to add the IP address in the certificate's Subject Alternative Names:
have the exact same environment that you have, including the F5's.
I have our DMZ F5's using a wild card cert (*.domain.com) for the client SSL profile initial traffic into the vip. I then have the F5's re-encrypting the traffic (using the same *.domain.com cert for the server SSL profile) to send to the pool of security servers. On the security servers, I installed the same *.domain.com PFX cert in the personal store of the security servers, marking the key as exportable and assigning a friendly name of vdm to the cert.
Within View Admn console, under servers and Security servers, I have the following configuration:
Security server 1
HTTPS: Secure tunnel - External URL - https://ss1.domain.com:443
PCoIP Secure Gateway - External URL - https://external IP of the security server:4172 (Not the DMZ IP)
Blast Secure Gateway - External URL - https://ss1.domain.com:8443
Security server 2
HTTPS: Secure tunnel - External URL - https://ss2.domain.com:443
PCoIP Secure Gateway - External URL - https://external IP of security server 2:4172 (Not the DMZ IP)
Blast Secure Gateway - External URL - https://ss2.domain.com:8443
Start with that and see if that helps
For Security server 2, PCoIP Secure Gateway - External URL - shouldn't it point to the same IP used for PCoIP Secure Gateway in security server 1?
It would be the external IP of the security server 2. Both Security servers have external identities and when using PCOIP, after authentication the client will connect directly to the security server rather than go through the load balancer again.