In November of 2015 the CA/Browser Forum (CA/B) published that public certificate authorities were supposed to stop issuing certs for internal names or private IP addresses after July 1, 2012.
You just need a simple web server cert installed on the connection servers for something like vdi.example.com using a public domain that you own.
- Do you own an external domain that you can purchase an SSL cert for?
- Do you run an internal DNS server that you can configure split DNS on for the external domain?
- How many connection servers do you have?
- Do you have a load balancer?
- Is tunneling enabled on the connection servers?
- What display protocol are you using (Blast, PCoIP)?
- What clients do you use (Horizon Client, Zero/Thin client, HTML access)?
If you have two connection servers (cs1.company.local and cs2.company.local) you could purchase a single web server cert named vdi.company.com with SAN entries for vdi.company.com, cs1.company.com and cs2.company.com (do this regardless of whether you have a load balancer). Then install that cert on the load balancer (skip this if you don't have one) and on both connection servers, and configure split DNS to resolve vdi.company.com to the internal IP of the load balancer, cs1.company.com to the internal IP of cs1 and cs2.company.com to the internal IP of cs2. You should not create public DNS entries that resolve to the private IP addresses. Replacing the SSL certificate is just a matter of importing it into the cert store on each connection server, removing the "vdm" friendly name from the existing cert, adding the "vdm" friendly name to the new cert and restarting the connection server services.
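The replacement step described above (import the new cert, move the "vdm" friendly name from the old cert to the new one, restart the service), as an added PowerShell example that is not part of the original post; the PFX path, the expected SAN names and the `wsbroker` service name are assumptions to check against your own environment:

```powershell
# Added example: replace the Horizon connection server certificate on one server.
# Run in an elevated PowerShell session on that connection server. Assumed values:
$PfxPath  = 'C:\certs\vdi.company.com.pfx'           # assumption: your exported PFX
$Required = @('vdi.company.com', 'cs1.company.com')  # assumption: names this server must present
$Service  = 'wsbroker'                               # assumption: connection server service name

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Re-read the cert through the certificate provider so DnsNameList is populated
$newCert = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# Refuse to proceed if the new cert does not carry every required SAN entry
$sans    = @($newCert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($Required | Where-Object { $sans -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "New certificate is missing SAN entries: $($missing -join ', ')"
}

# Only one certificate may carry the "vdm" friendly name; clear it on the old one(s)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $newCert.Thumbprint } |
    ForEach-Object {
        Write-Host "Clearing 'vdm' friendly name from $($_.Subject) ($($_.Thumbprint))"
        $_.FriendlyName = ''
    }

# Tag the new cert so the connection server picks it up, then restart the service
$newCert.FriendlyName = 'vdm'
Restart-Service -Name $Service
```

Run it once per connection server, adjusting `$Required` to the names that server must answer for.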
Thanks for reply, and good links.
Do you own an external domain that you can purchase an SSL cert for but only use internally with split DNS?
- No, this is a closed small domain with only 2 domain controllers, some file servers, a Horizon View installation, and 20 clients.
- There is absolutely no access to the internet, and there will not be either.
How many connection servers do you have?
- There are 2 connection servers
Do you have a load balancer?
Is tunneling enabled on the connection servers?
What display protocol are you using (Blast, PCoIP)?
What clients do you use (Horizon Client, Zero/Thin client, HTML access)?
- Thin client
If I understand this correctly, there is no longer a way to order an SSL certificate for a private.local domain? I must change it to private.com, for example?
Or am I misunderstanding? Certificates are not my strongest area.
So what are my options?
Is this production or a lab? You will be vulnerable to a MiTM, but you could turn off SSL checking if this is an air-gapped/protected network and you don't have any compliance requirements to have certificates.
If that won't work you will need to purchase an external domain name (e.g. company.com) and then purchase an SSL cert for that domain (e.g. vdi.company.com). You will then use split DNS to point vdi.company.com to your load balancer or connection servers.