3 Replies Latest reply on Oct 3, 2018 7:30 AM by BenFB

    Install certificate on Horizon view solution

    OleWeel Enthusiast

      Hi,

       

      We have a closed environment so no access to the internet.

      We do not have a internal CA, so we need to order a certificate from a certificate vendor.

      What kind of certificate could we order, so that the clients that connect to the environment can trust the solution ?

       

      If our domain is named private.local is that ok, or do we have to have like private.com ?

      Is it ok with a wildcard certificate ?

      Any good articles is also appreciated.

       

      Thanks for reply

       

      /R

      Andreas

        • 1. Re: Install certificate on Horizon view solution
          BenFB Expert

          In November of 2015 the CA/Browser Forum (CA/B) published that public certificate authorities were supposed to stop issuing certs for internal names or private IP addresses after July 1, 2012.

          Guidance on Internal Names - CAB Forum

          Internal Server Name SSL Certificate Issuance After 2015

          Replace Your Certificates for Internal Names | DigiCert Blog

           

          You just need a simple web server cert installed on the connection servers for something like vdi.example.com using a public domain that you own.

           

          1. Do you own a external domain that you can purchased a SSL cert for?
          2. Do you run a internal DNS server that you can configure split DNS on for the external domain?
          3. How many connection servers do you have?
          4. Do you have a load balancer?
          5. Is tunneling enabled on the connection servers?
          6. What display protocol are you using (Blast, PCoIP)?
          7. What clients do you use (Horizon Client, Zero/Thin client, HTML access)?

           

          If you have two connection servers (cs1.company.local and cs2.company.local) you could purchase a single web server cert named vdi.company.com with SAN entries for vdi.company.com, cs1.company.com and cs2.company.com (Do this regardless of if you have a load balancer). Then install that cert on the load balancer (skip this if you don't have one), both connection servers and configure split DNS to resolve vdi.company.com to the internal IP of the load balancer, cs1.company.com to the internal IP of cs1 and cs2.company.com to the internal IP of cs2. You should not create public DNS entries that resolve to the private IP address. Replacing the SSL certificate is just a matter of importing it into the cert store on each connection server, removing the "vdm" friendly name from the existing cert, adding the "vdm" friendly name to the new cert and restarting the connection server services.

          1 person found this helpful
          • 2. Re: Install certificate on Horizon view solution
            OleWeel Enthusiast

            Hi,

             

            Thanks for reply, and good links.

             

            Do you own a external domain that you can purchased a SSL cert for but only use internally with split DNS?

            - No this is a closed small domain with only 2 domain controllers, some file servers, horizon view installation, and 20 clients.

            - There is absolutely no access to the internet, and there will not be either.

            How many connection servers do you have?

            - There are 2 connections servers

            Do you have a load balancer?

            - No

            Is tunneling enabled on the connection servers?

            - No

            What display protocol are you using (Blast, PCoIP)?

            - PcoIP

            What clients do you use (Horizon Client, Zero/Thin client, HTML access)?

            - Thin client

             

            If I understand this correctly there is not a solution longer to order a SSL certificate for a private.local domain ? I must change it to private.com for example ?

            Or am i misunderstanding ? Certificates are not my strongest area.

             

            So what are my options ?

            • 3. Re: Install certificate on Horizon view solution
              BenFB Expert

              Is this production or a lab? You will be vulnerable to a MiTM but you could turn off SSL checking if this is a air gaped/protected network and you don't have any compliance requirements to have certificates.

               

              If that won't work you will need to purchase a external domain name (e.g. company.com) to then purchase a SSL cert for that domain (e.g. vdi.company.com). You will then use split DNS to point vdi.company.com to your load balancer or connection servers.