VMware Horizon Community
dzak64
Enthusiast

Connection Server certificates and Load Balancer

I need some guidance on updating our certificates.

Currently have 2 servers - HVCON01 and HVCON02. Windows 2019 and Horizon 2209.1

The servers are behind a load balancer, the hostname for the VIP is HVPOD01.

Currently both servers have a certificate configured for the VIP installed - HVPOD01 and the friendly name is vdm-lb (not sure where that came from). The certificate has the hostname of HVPOD01 and FQDN HVPOD01.company.int. This certificate is installed on the load balancer.

Each server also has a certificate configured with its own name - hostname HVCON01 and FQDN HVCON01.company.int and hostname HVCON02 and FQDN HVCON02.company.int - the friendly name for this certificate is vdm.

Reviewing documentation, this doesn't appear to be a valid configuration.

Any suggestion on how this should be configured?

8 Replies
vDruid
Enthusiast

Hi dzak64,

This depends on how your LB is configured and where you place the SSL termination.

If your LB is in passthru mode, then it will present the CS certificates, so the CS certificates must include their own FQDN + the LB one (as a Subject Alternative Name, SAN).

If you are terminating SSL at LB level (SSL Offloading), so that the LB presents its own certificate, then the CS certs can have only their own FQDN, and the LB one only its LB FQDN.

That is well explained by F5 here: https://my.f5.com/manage/s/article/K65271370

In your case, it looks like you are trying to SSL Offload at LB level.

Also, the vdm-lb cert is not used by the CS; it is a useless configuration and you can remove it. Only the vdm friendly name is recognized by the CS service to load the certificate.

Passthru mode on LB is the easiest setup, but this depends on your security requirements.

PS: Additionally, if you have UAGs in front of your CSs, then you no longer need an LB in front of your CS, unless you need internal access without UAG.


// if you think this helps, please mark as helpful or correct , thx ! \\
vDruid
dzak64
Enthusiast

vDruid,

Thanks for the reply.

I'm still confused about the certificate.

We have two servers, HVCON01 and HVCON02 behind the LB.

Internally, users connect via Barracuda VIP, the FQDN is HVPOD01.company.int.

What information needs to be in the certificate(s)?

Should I enter Subject Alternative Names to cover the possible hostnames and FQDNs?

Common Name: hvpod01.company.int
OU: IT
O: The Company
L: Alexandria
S: Virginia
C: US
SAN: dns=hvpod01, dns=hvcon01.company.int, dns=hvcon01, dns=hvcon02.company.int, dns=hvcon02

vDruid
Enthusiast

If you want to do it simple, even if it is not optimal (because the same cert everywhere expires at the same time), you can generate a single certificate that you put on the 2 Connection Servers and on the VIP (as said, only if you are terminating SSL at the VIP; otherwise, no need).

And yes, your certificate must have all 3 FQDNs in that case of using a single one (short names are not required), as you mentioned (one in CN, the others as SAN).

// if you think this helps, please mark as helpful or correct , thx ! \\
vDruid
dzak64
Enthusiast

vDruid,

Attempted to update the certificate on the Barracuda ADC and Connection Servers.

Generated new certificate with FQDN of the VIP and connection servers.

Imported certificate to VIP and connection servers keystore.

Attempted to connect to FQDN of the VIP.

Received error:

"Failed to connect to the server.  The server provided a certificate that is invalid.

The host name in the certificate is invalid or does not match."

I verified that the FQDNs are correct - not sure what is going on.

vDruid
Enthusiast

Then you should check the presented cert. You can do it with openssl:

openssl s_client -showcerts -connect <hostname>:<port>

This will show all the certificate details, to be sure you present the one you created.


// if you think this helps, please mark as helpful or correct , thx ! \\
vDruid
dzak64
Enthusiast
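The hostname-mismatch error above means the name the client dialled is not in the CN or DNS SAN list of the leaf certificate the endpoint actually presents. As an added example (not from this thread or from VMware/Barracuda), the script below fetches that leaf certificate, decodes it with the same openssl tool, and reports which expected names it covers; the sample `openssl x509 -text` output is constructed to mirror the single-certificate layout discussed in the thread, and the `check_endpoint` helper name is an assumption.

```python
import re
import ssl
import subprocess
from typing import Dict, List

# Constructed sample of `openssl x509 -noout -text` output, modelled on the
# single-cert layout from the thread: CN = VIP FQDN, SANs = VIP + both CS FQDNs.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Subject: C = US, ST = Virginia, L = Alexandria, O = The Company, OU = IT, CN = hvpod01.company.int
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:hvpod01.company.int, DNS:hvpod01, DNS:hvcon01.company.int, DNS:hvcon02.company.int
"""


def parse_names(x509_text: str) -> List[str]:
    """Return the subject CN followed by every DNS SAN in openssl's -text output."""
    names: List[str] = []
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text, re.M)
    if cn:
        names.append(cn.group(1).strip())
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", x509_text)
    if san:
        parts = [p.strip() for p in san.group(1).split(",")]
        # Only DNS entries matter for hostname matching; IP/email SANs are skipped.
        names += [p.split(":", 1)[1].strip() for p in parts if p.startswith("DNS:")]
    return names


def name_covered(names: List[str], hostname: str) -> bool:
    """Case-insensitive exact match, the way a client checks the dialled name (no wildcards here)."""
    target = hostname.lower().rstrip(".")
    return any(n.lower().rstrip(".") == target for n in names)


def presented_cert_text(host: str, port: int = 443) -> str:
    """Grab the leaf cert the endpoint presents (no validation) and decode it with openssl."""
    pem = ssl.get_server_certificate((host, port))
    return subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem,
                          text=True, capture_output=True, check=True).stdout


def check_endpoint(host: str, port: int = 443, expected: List[str] = ()) -> Dict[str, bool]:
    """Map each expected name (default: the host dialled) to whether the live cert covers it."""
    names = parse_names(presented_cert_text(host, port))
    return {n: name_covered(names, n) for n in (expected or [host])}
```

Running `check_endpoint("hvpod01.company.int", 443, ["hvpod01.company.int", "hvcon01.company.int", "hvcon02.company.int"])` against the VIP shows at a glance whether the load balancer is serving the intended certificate or a stale one.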

Still struggling with this.

I have VMware and Barracuda support involved.

The only way that I can get this working is to create the certificates as:

Cert Name | Common Name (CN)    | SAN                                              | Friendly name
Cert 1    | HVPOD01.company.int | DNS Name: HVPOD01.company.int, DNS Name: HVPOD01 |
Cert 2    | HVCON01.company.int | DNS Name: HVCON01.company.int, DNS Name: HVCON01 | vdm
Cert 3    | HVCON02.company.int | DNS Name: HVCON02.company.int, DNS Name: HVCON02 | vdm

Host    | Description                    | IP Address   | Cert Installed
HVPOD01 | VIP - Barracuda ADC LB         | 10.10.200.35 | Cert 1
HVCON01 | Horizon Connection Server 2303 | 10.10.200.37 | Cert 1 and Cert 2
HVCON02 | Horizon Connection Server 2303 | 10.10.200.77 | Cert 1 and Cert 3


Not sure what else to do.

bjohn
Hot Shot

Instead of multiple certs, just use one cert with SANs for the other hosts?

vDruid
Enthusiast

Yes, this should also work.


// if you think this helps, please mark as helpful or correct , thx ! \\
vDruid