VMware Horizon Community
Lalegre (Virtuoso)

Unified Access Gateway 3.6 - Load Balancing + SSL

Hello folks, I am in a hurry.

I need the definition of how to configure my external access to the Horizon environment.

I have two Unified Access Gateways behind a Load Balancer (F5) configured in SSL passthrough, and I redirected the UAGs to use port 443 for tunneled connections as well as Blast connections. My UAGs are not configured on a domain, nor do they have public IPs, only IPs on my DMZ. On the load balancer I have an IP on the same DMZ that is DNATed on my firewall.

My doubt here is on how to configure the public certificate:

  • Can I use a single certificate pointing to my external URL? (e.g. horizon.company.com)

I am asking this because the documentation asks about configuring a SAN for the two Unified Access Gateways, but they are not published to the internet.

Thank you all

sjesse (Leadership)

Can I use a single certificate pointing to my external URL? (e.g. horizon.company.com)

Yes, you can use a single certificate, but it should include the other servers in the subject alternative name fields. I use the same cert on all the UAGs, connection servers, and the load balancer.

Lalegre (Virtuoso)

Thanks for the fast response.

The issue here is that I cannot add my Connection Server or my UAG as a SAN for security reasons.

My UAG does not have a public IP nor an FQDN configured, because it is in a DMZ and has no connection to my Domain Controller.

My doubt again is whether I can use a single certificate BUT with a Common Name only, pointing to my external URL.

sjesse (Leadership)

Look at

https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-scenarios-ssl-certificates.pdf

and

https://www.carlstalhood.com/vmware-unified-access-gateway/

It may be possible, but I've never needed to do it. In the UAG part I think you just need to get the internal connection server thumbprint and place it in the section Carl mentions:

https://www.carlstalhood.com/vmware-unified-access-gateway/

I could swear that, at least at one point, there was a problem with PCoIP if you didn't use the same cert on every component. That may have changed.

Lalegre (Virtuoso)

I already read that article.

I only need to know if it is possible if I only use a Common Name, not a SAN, on the UAGs.

Perttu (Enthusiast)

I don't see any reason why that would not work. Clients are somewhat unaware of the responding UAG, as from their point of view they just connect to the public VIP on the SLB, the same one that the hostname resolves to.

All the network address translations happening behind the SLB on the path are never exposed to clients. And you don't need to worry about connection servers or their certificates. All TLS is proxied on the UAG, i.e. the UAG creates another TLS session against the connection server rather than passing through the existing one.

cbaptiste (Hot Shot), accepted solution

I don't use SAN certs with my UAGs. I use CN. I think it is however an interesting debate. I have spoken to a few people and they have different views on this. Personally, if the device is not internet facing I would not put its name in my cert. My UAGs have a public cert from a public authority. The same cert is on my load balancer. My connection servers use a SAN cert from an internal CA. I think it is a security risk adding connection servers that reside on my LAN network to my cert, which any intruder can read.

This VMware resource who was on site told me it was best practice to add all UAGs and connection servers to the cert. When I asked him to show me in the document where it says that, he quietly dropped the argument. Granted, I do understand his argument. It makes it easier to troubleshoot. However, I personally believe it is a matter of preference and opinion. But regardless, it will work either way.

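Perttu's point (clients only ever verify the name they typed, which resolves to the VIP) and cbaptiste's point (every extra SAN is a hostname an outsider can read straight off the public certificate) can both be made concrete with a small model of the hostname check a TLS client performs. The following is an added example written for this thread; it is not code from the forum posts, from VMware or from F5. It uses the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions could be fed a real certificate fetched from the VIP, but the certificates and internal hostnames below (`uag01.dmz.example` and so on) are constructed; only `horizon.company.com` comes from the question. One caveat the thread does not spell out: the CN-versus-SAN field distinction matters less than which names are listed, because public CAs are required to put every name into the SAN and browser-class clients no longer fall back to the CN at all; the `allow_cn_fallback` switch models that stricter client.

```python
"""
Model of the hostname check a TLS client applies to the certificate served
behind the VIP.  Added example for this thread, not code from the posts,
VMware or F5.  Certificates and internal hostnames are constructed samples
in ssl.SSLSocket.getpeercert() layout; only horizon.company.com is the
poster's own example name.
"""
import ipaddress


def cert_names(cert):
    """Return (dns_sans, ip_sans, common_name) from a getpeercert()-style dict."""
    dns_sans, ip_sans = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_sans.append(value)
        elif kind == "IP Address":
            ip_sans.append(value)
    common_name = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    return dns_sans, ip_sans, common_name


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard must be the
    whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname, allow_cn_fallback=True):
    """Does the name the client connected to match the certificate?

    SAN entries are authoritative when present.  The CN is consulted only
    when the certificate carries no DNS SAN and the client still permits
    that legacy fallback (allow_cn_fallback=False models a browser-class
    client that never looks at the CN)."""
    dns_sans, ip_sans, common_name = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # Connecting by raw IP: only an IP Address SAN can satisfy it.
        return any(ipaddress.ip_address(ip) == wanted_ip for ip in ip_sans)
    if dns_sans:
        return any(dns_name_matches(san, hostname) for san in dns_sans)
    if allow_cn_fallback and common_name:
        return dns_name_matches(common_name, hostname)
    return False


def exposed_internal_names(cert, internal_hosts):
    """Internal hostnames readable by anyone who completes a handshake with the VIP."""
    dns_sans, _, common_name = cert_names(cert)
    present = {name.lower() for name in dns_sans}
    if common_name:
        present.add(common_name.lower())
    return sorted(host for host in internal_hosts if host.lower() in present)


# Constructed sample data.  The public name is the poster's example; the
# DMZ/LAN hostnames are placeholders, not anyone's real infrastructure.
PUBLIC_NAME = "horizon.company.com"
INTERNAL_HOSTS = ["uag01.dmz.example", "uag02.dmz.example", "cs01.corp.example"]

CN_ONLY_CERT = {  # what the poster asked about: CN only, no SAN extension
    "subject": ((("organizationName", "Company"),), (("commonName", PUBLIC_NAME),)),
}
VIP_SAN_CERT = {  # what a public CA would actually issue for the VIP name
    "subject": ((("commonName", PUBLIC_NAME),),),
    "subjectAltName": (("DNS", PUBLIC_NAME),),
}
EVERYTHING_SAN_CERT = {  # the "add all UAGs and connection servers" variant
    "subject": ((("commonName", PUBLIC_NAME),),),
    "subjectAltName": tuple(("DNS", n) for n in [PUBLIC_NAME] + INTERNAL_HOSTS),
}


def summarize(cert):
    """Verdict for one certificate: does the public name verify (with and
    without CN fallback), and which internal names does it disclose."""
    return {
        "public_name_ok": hostname_matches(cert, PUBLIC_NAME),
        "public_name_ok_strict": hostname_matches(cert, PUBLIC_NAME, allow_cn_fallback=False),
        "leaked_internal_names": exposed_internal_names(cert, INTERNAL_HOSTS),
    }


if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY_CERT), ("VIP name in SAN", VIP_SAN_CERT),
                        ("all names in SAN", EVERYTHING_SAN_CERT)]:
        print(f"{label:18} {summarize(cert)}")
```

Running it shows the three positions in the thread side by side: the CN-only certificate verifies for `horizon.company.com` only on clients that still accept the CN fallback, the VIP-only SAN certificate verifies everywhere and discloses nothing, and the everything-in-SAN certificate also verifies everywhere but hands every internal hostname to whoever connects. None of the certificates verifies for an internal UAG name, and that is harmless because, as Perttu describes, no client ever connects to that name.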
Lalegre (Virtuoso)

Thank you all for your answers.

I can see that you folks share the same opinion as me regarding "sharing" the names of the internal servers.

I will proceed using a simple CN name for the VIP.

Thank you all again!
