Horizon View Installation & Configuration - Part 10 - Configuring View Connection Server SSL Certificate

The default (self-signed) SSL certificate of the VMware Horizon View Connection Server isn't valid, and you are greeted with an error when you open the VMware View administration web console. It says that the certificate is untrusted and that you have to install a valid (not self-signed) SSL certificate on this server.

So you need a valid certificate. You have two options:

1. Commercial certificate

2. A certificate signed by your own Microsoft certification authority, which you can add as a role to one of the VMs in your domain.

VMware recommends using valid SSL certificates issued by a valid Certificate Authority (CA), such as a public CA like GoDaddy, Verisign, etc. When you plan your View deployment, you should know whether you'll be using any non-domain-joined devices and/or mobile devices. If so, you have to make sure that the CA root certificate is imported into the Trusted Root Certification Authorities store on every non-domain PC you use to connect to your View desktops.

Using a SAN (Subject Alternative Name) certificate might also be the way to go if you are planning a large View deployment with more than one connection server.

Screenshot from the Dashboard without an option to accept the default self-signed certificate for Horizon View Connection Server.

Create a Certificate Template with Active Directory Certificate Services (AD CS)

First, install the role and reboot the server. In my case I'm using Windows Server 2012 AD CS, but you can also use Windows Server 2008 or 2003, depending on your environment.

Launch the AD CS console, right-click “Certificate Templates” and then click Manage to bring up the second console, called “Certificate Templates”.

Once done, right-click the Web Server template and click Duplicate Template. We're doing this so that a web server certificate can be requested, in addition to the only default option, Computer. You should also:

• Create a security group (I called mine view-servers) in your AD and put your View connection server in this group. Add this group on the Security tab of the new template's properties and give it the Write and Enroll permissions, in addition to the default Read permission.

• For compatibility, I've selected 2003

• Allow the private key to be exported

• Add Client Authentication to the list

• 50 years of validity

• 4096 as the key size

Then go back to the base certification authority console and click the menu Action > New > Certificate Template to Issue.

• Now go to your View connection server, launch a new MMC and use Add/Remove Snap-in to add the Certificates snap-in for the local computer account.

• Select Local computer

• Launch the console and select Certificates > Request New Certificate

Then follow the wizard, click the “More information is required to enroll for this certificate…” link and enter the common name that you want to use.

• Enter the DNS details

• On the General tab, enter “vdm” as the friendly name

Click Enroll, and check the View admin dashboard for the result.

Then export the created certificate from the Personal > Certificates folder.

Save the file under a name with the *.cer extension.

Once you have the file, import the certificate into the Trusted Root certificate store:

• Don't forget to import the certificate you have created and the Root CA of your domain on every PC or mobile device whose connection to the Horizon View Connection Server you want to secure.

• Don't forget to delete the original self-signed certificate created by the Horizon View Connection Server.
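
To confirm the result of the steps above, the following check can be run on the Connection Server. It is an added example, not part of the original post: it reports, for every certificate with the friendly name "vdm" in the local computer's Personal store, whether it is self-signed, has a private key, matches the expected key size and DNS name, and chains to a trusted root. The name view01.example.local is a placeholder assumption.

```powershell
# Added example: run in an elevated PowerShell session on the View Connection Server.
$fqdn          = 'view01.example.local'   # assumption: placeholder, use your server's DNS name
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$sanOid        = '2.5.29.17'              # Subject Alternative Name extension

# The procedure above sets the friendly name "vdm" on the new certificate.
$vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) {
    Write-Warning "Expected exactly one certificate named 'vdm', found $($vdm.Count)."
}

$report = foreach ($cert in $vdm) {
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $eku     = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    # Build the chain with the default policy (includes an online revocation check).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        KeySize       = if ($rsa) { $rsa.KeySize } else { $null }
        ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid))
        SanHasFqdn    = $sanText -like "*$fqdn*"
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus.Status -join ', ')
    }
}
$report | Format-List
```

For the certificate issued by your CA, SelfSigned should be False and ChainTrusted True; a warning about more than one "vdm" certificate means another certificate with that friendly name is still in the store.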










Abd El-Rahman Oreiby
Senior Data Center Engineer
Al Thuraya Security Egypt 
www.abdelrahmanoreiby.weebly.com
Reviewed by Abd El-Rahman Oreiby on 8/06/2020 07:34:00 AM. Rating: 5
