Help generate the SSL certificate for the Security Server

Hi people,

We have server (ss - 01.mydomain.local) security and connection server (cs - 01.mydomain.local). Now intend to install a certificate on the Security server. What should be the common name.

our Web site is something like access.mydomain.local.

Also, we plan to install SSL only on security for internet access server, this will affect the internal users, access to the connection to the server.

Thanks and greetings

J P Raj

Take a look at the link below

https://pubs.VMware.com/horizon-view-60/topic/com.VMware.ICbase/PDF/horizon-view-60-scenarios-SSL-certificates.PDF

Internal users will not be affected when you install the Security server certificates

Simply create a CSr file > get certificates and import them to the Security server in the MMC guide explains practically everything. If you already have certificates wildcard certificates, then you can follow the sub process

(a) export the server certificates

(1) to connect to the server that has certificates

(2) for this server to export it to a PFX format certificate.

(3) open the Microsoft MMC Certificates snap-in for the computer account.

4) navigate to certificates (Local computer) > personal > certificates.

(5) right-click on the signed certificate that is to be exported.

6) click all tasks > export.

(7) on the Welcome screen, click Next.

8) click Yes, export the private key.

(9) if it is an option, click on include all certificates in the certification path.

(10) enter a password for the private key. This is required for the import certificates.

(11) to enter a file name and location. For example, C:\certificates\certificate.pfx.

12) click Next.

13) click Finish.

b) import it to the use of broker or planned connection securityr.

Certificates of thye 1) import (preferable Pfx format) for the server broker or planned connection security.

(2) open the Microsoft MMC Certificates snap-in for the computer account.

3) navigate to certificates (Local computer) > personal > certificates.

(4) right-click the certificates.

5) click on Import.

(6) through the pfx and click Next.

(7) enter the certificate password.

(8) select Mark keys as being exportable.

9) click Next.

10) click Finish.

(c) restart Consulting Services

To restart the services:

Log in as an administrator on the server that is running the Server VMware View connection server VMware View connection or VMware View Server Security.

Click Start > run, type services.msc and press ENTER.

In the list of services, right-click on the VMware View connection Server or VMware View Server Security service.

Click on restart and wait for service to stop and start.

Tags: VMware

Similar Questions

  • Update the SSL certificate on a security server?

    Good afternoon everyone,

    I'm trying to update the SSL certificate on the server of our security, but I'm running into some problems.

    DigiCert (we get our certs of), not like the VMWare KB article order to request a 2048-bit crt, so we used their tool to generate our a commandsfor us:

    keytool - genkey-server alias - keyalg RSA - keysize 2048, FULL domain name -.jks keystore - dname 'CN = CNNAME, OR = OUNAME, O = ONAME, L = NAME, ST = STNAME, C = CNAME'

    keytool-certreq alias server-file FQDN.csr - FULL.jks domain name

    (I did not show the exact details of the CN name, etc.)

    It makes the keystore a .jks instead of a .p12

    Should this cause problems?


    Because after I imported the cert in the keystore, change the config locked file to reference the key file and restart the Server Security Service, it does not restart properly. (Defining the locked towards the old works fine keystore file, then restarting the service works find though.)

    This documented error in Event Viewer:

    Not able to create the com.vmware.vdi.ice.server.JMXServer.main(SourceFile:211) MBean server
    javax.management.MBeanException: Exception thrown in the startServer operation
    at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:435)
    at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
    at com.vmware.vdi.ice.server.JMXServer.main(SourceFile:209)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at net.propero.workspace.windowsinfrastructure.tunnelservice.TunnelService.run(SourceFile:34)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.Exception: ice beginning: null
    at com.vmware.vdi.ice.server.Ice.startServer(SourceFile:695)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)

    Should I request/pay for a new cert so my base keystore is .p12 instead of .jks?

    Hello

    I think that the command you mentioned creating a CSR only. You get a digicert certificate after sending this rea and create a keystore with whom?

    Please follow the steps in this KB to complete the whole process.

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1008705

    -noble

  • SSL certificate for the Security Server external facing

    Dear all,

    Today, I bought an external SSL certificate of DigitCert for our security server. I imported the certificates in the personal certificate (computer account) on the Security Server store. DigiCert provided three certificates, root CA, CA server and the other with the name of our domain. I renamed the vdm to the friendly name of the existing self-signed certificate and used the friendly name for the certificate vdm has our domain name. Subsequently, I rebooted consulting on the Security server. They are all released on except the "Display Blast Secure Gateway" service which entered the suspended state.

    On our facility, we have a connection to the server and a security server. To the Security Server, we use a different domain name for connecting to the server. We have an internal PKI and the connection to the server uses an SSL certificate.

    connection to the server = server01.internaldomain.com

    Security Server = server02.externaldomain.com

    Why the certificate cannot be loaded to view Blast Secure Gateway? I missed something?

    Thank you

    Edy

    I solved it. It was with the private key of the certificate. This is the reason that the Blast Secure Gateway could not load.

  • SSL certificate for access to the administration of a WSA

    Can someone point me to a guide on how to install an ssl certificate for access to the administration of a WSA?

    Curiously, all the documents that I could find so far talk of SSL certificate for HTTPS decryption...

    Page 367 of this doc.  http://www.Cisco.com/c/dam/en/us/TD/docs/security/WSA/wsa8-0/wsa8-0-6/WSA_8-0-6_User_Guide.PDF

  • Setting the SSL certificate for the web user interface

    How can I configure the SSL certificate for the management of a SG300 interface? I don't seem to find the configuration option in the web gui?

    Hello Dirk,.

    For import / create / modify h99350 ssl please go to ' ' security > SSL server > SSL server authentication settings.

    HTTPS is enabled by default.

    Thank you and best regards,

    Siva

  • Problem with USB auto connect with clients that connect through the Security server...

    Lack of VMware View 5.0.1 with 2 servers connection and a security server. When the clients connect directly to the server connection, USB connection works very well... users can use their USB drives and other devices with their VM. The problem occurs when they attempt to use their USB devices when negotiated through the Security server.

    I know that port 32111 (TCP) must be open between the server security and the connection to the server, but even after doing so it does not always work... customers just to get the scrolling message of office in the USB menu initialization.

    Our current facility is:

    External IP address-> DMZ (Security Server)-> connect to server

    Entrust us our firewall config through our ISP (we are not overloaded with scientists here, it's just me, so things like little help my work load). They are certainly not incompetent (or at least were not in the past). I had to open the external 32111 IP port to the DMZ, then of the DMZ to our connection server that is used for external connections. Everything about VMware View works perfectly for the clients that connect this way, but not USB devices.

    One thing I give is if our having a configuration of VLAN dedicated for customers views influence what either. I'm trying to keep an eye on what ports are open that for our firewall for my records, but I do not see where I openly opened ports on the internal side of security server to our internal network. He must have the port opened directly from the internal face of security server of vmware 32111 discovers clients?

    The firewall Guys tell me that they checked over and over that port 32111 is open throughout the. They also said that they tried to telnet 32111 to our security server port and have nothing back (should have gotten garbage at least according to them).

    An idea of the next steps to take? It is obviously a blocked port, I just have no idea why at this stage.

    I know that port 32111 (TCP) must be open between the server security and the connection to the server, but even after doing it still does not work

    This is not what it takes. The agent is listening on the port 32111, you must open the firewall to allow connections to the Security server for the desktop on port 32111 (same thing you must allow RDP and PCoIP).

    Mike

  • Cannot "connect as current user" via the Security Server

    Hello community,

    I had a problem using the "connect as current user" option against a network outside of the enterprise security server. Connection by manually keying in the name of user and password works very well from the outside the company network For internal connections using a connection to the server instead of security server, everything works as expected without having to manually type the name of user and password.

    Single domain

    Customer of the horizon is 3.5.2 and joined to a domain

    2 Security Server 6.2.1 x

    2 Server 6.2.1 connection x

    On one of the servers of connection I got the following error message when you try to connect through the horizon customer using the option "connection as the current user:

    2015 12-28 T 20: 21:15.207 + 01:00 INFO (B 0, 08 - 0E34) < ajp-nio-8009-exec-7 > [PAEContext] (SESSION: a774_ * _b2fb) Idle Timer executor by using 1 thread (s)

    2015 12-28 T 20: 21:15.625 + 01:00 ERROR (0744-0AEC) < MessageFrameWorkDispatch > [ws_winauth] [GSSApiProcessServerContext]: negotiate failed. Error 0 x 0000000080090300 (not enough memory is available to complete this form) {SESSION: a774_ * _b2fb}

    2015 12-28 T 20: 21:15.626 + 01:00 (B 0, 08-04 B 8) WARN < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) failed connection GSSAPI: not enough memory is available to complete this application

    2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) cannot close the context 7 36 d-*-00D 3 with the error: unable to locate the context requested

    2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiAuthFilter] (SESSION: a774_ * _b2fb) authenticate GSSAPI performance problem - GSSAPI_ERROR: GSSAPI failed: not enough memory is available to complete this application

    The connection to the server has 12 GB of memory in total and 9.5 GB of memory free/available.

    In the windows event log, the following error message appears:

    BROKER_USER_AUTHFAILED_GENERAL

    Failed to authenticate the user < UNAUTHENTICATED >

    Attributes:

    Node = hostnameofconnectionsserver.mydomain.com

    Gravity = AUDIT_FAIL

    Time = Mon 28 Dec 19:51:16 THIS 2015

    Module = broker

    UserDisplayName = < UNAUTHENTICATED >

    Source = com. VMware.VDI.Broker.filters.GssapiAuthFilter

    Recognized = true

    Just tried from a machine arrived in the area via the Security server. Cannot open a session as the current user. We also enabled on the external connections of MFA, but I don't think that should make a difference.

  • Not able to connect with the Security Server

    Hello

    IM setting up a demo with view 6 environment, and when I try to connect locally on the servers of connection it works fine, but when I try to connect to the Security server fails with the image below.

    pic1.jpg

    The Security server has 2 network cards, now in the DMZ and in production. I guess I should also be able to connect directly to the ip production, but the same error.

    We have disabled the firewall between dmz and prod for troubleshooting, but same problem.

    The image below is the Security Server, the addresses here are the ip 'internet', I guess it's true?

    pic2.jpg

    The image below is the connection to server 1, the addresses here are internal, and is the FULL domain name, if it was "internet ip" instead?

    pic3.jpg

    If I try on the spot to connect to the ip address of prod on security with internet server explorer, im able to connect, but when I select the office that it will fail "cannot display this page", then shows the 'internet' ip in the address field.

    I guess there is just something simple I've missed... hope you understand my question

    Thanks for the support.

    If you do not already have a look at this description of the display configuration, it covers remote access via security servers as well. Setting up remote access with a view PCoIP 4.6 and newer https://communities.VMware.com/docs/doc-14974

    I guess the fact that you can connect through the servers of connection that the URL you configured in the view administrator for servers in connection is a production local IP address/address?

    External security URL server is also an IP/address of DMZ / external can be solved?

  • I can't get Photoshop and Lightroom to download keep may not find the secure server?

    I can't get Photoshop and Lightroom to download keep may not find the secure server?

    Please read https://forums.adobe.com/thread/1499014

    -try some steps such as changing browsers and disable your firewall

    -also clear the cache of your browser if you start with a fresh browser

    -check the file hosts for blocked entries https://forums.adobe.com/thread/1912777

  • View the connections of the server to connect to the Security Server 5.2

    So, I wonder if it is anyway possible to not expose a subnet of office to the DMZ during the deployment of a security server?  I think remember me, there was a way to have the tunnel of security server all traffic through the connection to the server, but for the life of me, I can't seem to understand.

    Even in your previous PoC you should always have allowed some ports (PCoIP, RDP if use you it and the frame channel) from the server security for virtual offices. This has always been the case.

    The role of the Security Server is to protect exposure of desktop to the Internet. It provides a monitoring of protocols of the Internet (for example PCoIP) so make it succeed to check if the traffic is in the name of an authenticated user, and to ensure that if it is valid, it is transmitted over an office whose user is authorized to access. It is important to configure your internal firewall so that Office (PCoIP etc.) protocols can come only security servers. Then you give the required insurance. If such packets only packets UDP PCoIP arrive in your DMZ that are not on behalf of an authenticated user and then they are ignored in the DMZ without ever be passed in your data center. You know that all protocols for virtual desktops have been validated by the Security server.

    The Security server should also communicate with the login server and that's why you should also allow JMS, AJP13, and IPsec through. These should be only to the servers again only from servers to security and connection.

    You can always route the PCoIP packages through a proxy in your data center, but the security required inspection happens before that the Security Server so that eventually they can be thrown into the demilitarized zone.

    Mark

  • RADIUS only on the Security Server?

    We have activated 2-factor by Ray and his excellent work. However now must also use 2-factor on internal connections on computers VDI. Is there a way to make the RADIUS only apply on the Security Server? We only want users outside to connect with Ray...

    I'm not totally it. You say you only want authentication RADIUS to be applied on the connections to the Security server used by remote users and internal users to authenticate with just AD?

    If so, the answer is Yes. Just have 2 servers connection, one for internal users and one for remote users (with a security server). A connection to the server is a standard instance and the other is a replica.

    Simply configure RADIUS server remote access connection.

    If I misunderstood the question, please let me know more information. Thank you.

    Mark

  • How to restrict access to the workstations on the Security Server

    Hello

    I wonder if it is possible to limit access to desktop view to some groups, if the connection is from a security server. To explain it a bit further

    * We have users who access it offices internally to a thin/Zeroclient. They comes to connect to their office pool.

    * Other users have a thick client with client view installed.

    * Others have a laptop and cann access their workstations to "everywhere" with client access or view html

    Only users in the latter group should be able to connect on a security server. Right now anyone who knows the URL of the Security Server can access as long as it has right to your desktop.

    I'm sure that this is possible, but I don't know how...

    Another option is to use the external radius authentication. In this way, that you don't have to have separate categories.

  • All the sites SSL Web I visit displays the message "this connection is untrusted" and shows me a false SSL certificate for a different domain name.

    When I visit a Web site that requires SSL I displays the message "this connection is untrusted". Any Web site that I visit, it's always exactly the same message and the same SSL certificate that she is no longer valid for www.thawte.com

    support.Mozilla.org uses an invalid security certificate.

    The certificate is not approved, because no sender string has been provided.
    The certificate is valid for www.thawte.com
    The certificate expired on 11/11/2011 23:59. The time now is 11:46 28/01/2012.

    When I click "Add the Exception" on a Web site and view the certificate, it is exactly the same certificate with the exact same serial number.

    I had a similar problem with Internet Explorer showing a 404 error when I visited SSL protected pages but to do a restore of the system a month ago to correct this. All other bowsers are / were very good.

    I installed Firefox 3.x month last to test something that is when the problem started. I have since uninstalled Firefox 3.x and reinstalled the latest version. I deleted all the preferences/settings, disabled modules and reinstalled many times. I did a Windows system restore to before that the problem started with no luck.

    The time / Date on my computer are correct. I have no firewall other than the windows one. I had no antivirus (netbook) until I installed a (Avast) yesterday to see if a virus was causing issues (found nothing). This problem arises on any internet connection (tested to work and home).

    Try bypassing the caveat

    or try to use the module Skip Cert error (to jump to the SSL/TLS certificate error page)

    Thank you

    Please check 'Resolved' the answer really solve the problem, to help others with a similar problem.

  • The e-mail application does not connect to the Dreamhost servers. Perhaps because of how they configure their SSL certificate for their subdomains.

    http://wiki.DreamHost.com/Certificate_Domain_Mismatch_Error

    Certificate SSL of Dreamhost for their mail servers only at one level of subdomain while many of their clusters of e-mail exist on a second level subdomain. In my view, this translates into an error message 'bad security' of the e-mail application.

    I contacted DreamHost and they say they are unable to solve this problem, or that they will allow me to install an SSL certificate on my virtual domain pointing to my cluster e-mail (even if I had to buy a).

    I understand, it is possible to manually add certificates via adb in a way similar to this: http://www.pending.io/add-cacert-root-certificate-to-firefox-os/

    However what I read this: 1. does not work on the ZTE Open 2. Can only fix only navigation not the web mail client.

    Is there any option that is available to me short of switching hosts?

    Fabian,

    Are you familiar with Firefox OS? The reason why I say this is because the e-mail client cannot create an excaption certificate. In fact, it's design. It's design: https://wiki.mozilla.org/Gaia/Email/Features#Security

    This request for support to Mozilla was placed specifically for the product Firefox OS, for which there is only a single mail client.

    That said many people in the Mozilla Bugzilla, have been able to show me how to find another alias for those servers that actually works and in fact corresponds to SSL certificates. Although Dreamhost support could not provide me with any such information, and such information is not actually in the DreamHost wiki.

    I have a repeated insistence of Dreamhost possibility I should just live with the exceptions of SSL certificate, when there is real existing valid server names to match the certificates in question, silly.

    The fact that you post this solution for one product, so that it is not yet applicable beyond useless. It serves to muddy waters.

  • Why can't I change the URL of the PCoIP 'external' for my security server?

    I'm creating a new VMware View environment and just add a security server. I can't change the address I had temporary put there when you configure the server. Currently, the option is grayed out. The option of preparing for upgrade or reinstall is also grayed out.

    Check the settings on the login server to view associated with this security server. PCOIP Secure Gateway can be deselected.

Maybe you are looking for

  • Streaming iTunes content can take several hours to download for display

    The streaming content from the iTunes store at the same time an AppleTV 3 and bought 4 takes up to 14 hours before it will play!  (it was always the slowest speed, but movies usually take more 2 hours and good TV episodes more than an hour) I have 45

  • XT1095 (Pure edition) and LTE 12 band

    T-Mobile has recently improved the network in my area to 4 G LTE 700 MHz (band 12), but I am unable to determine with certainty the capacities of the motorcycle of X 2014 in this regard. I checked the sheets, who say no, but a chat tech support perso

  • Cannot configure Windows Live Mail.

    Original title: I am trying to set up windows live mail and didn't have a chance to be able to send mail but can receive mail. I tried to set up the connection and got regarding the abitlitly to be able to receive emails but not send them out I'm usi

  • Windows live mail has to close

    I recently installed windows 7 on my computer. everytime I open windows live mail, I get a window that says:Windows Live MailSorry, but something unexpected happened and windows live mail has to close. the latest changes may not be saved.OkThere is n

  • BlackBerry Smartphones green LED on the front of the phone

    I just got the phone yesterday, and I'm still learning; but the LED flashed since last night.  I did not all messages without response or calls and I don't have not implemented email still. I can't find a reference to the LED in the user manual. Can