SSL certificate for the Security Server external facing

Similar Questions

• Help generate the SSL certificate for the Security Server

  Hi people,

  We have server (ss - 01.mydomain.local) security and connection server (cs - 01.mydomain.local). Now intend to install a certificate on the Security server. What should be the common name.

  our Web site is something like access.mydomain.local.

  Also, we plan to install SSL only on security for internet access server, this will affect the internal users, access to the connection to the server.

  Thanks and greetings

  J P Raj

  Take a look at the link below

  https://pubs.VMware.com/horizon-view-60/topic/com.VMware.ICbase/PDF/horizon-view-60-scenarios-SSL-certificates.PDF

  Internal users will not be affected when you install the Security server certificates

  Simply create a CSr file > get certificates and import them to the Security server in the MMC guide explains practically everything. If you already have certificates wildcard certificates, then you can follow the sub process

  (a) export the server certificates

  (1) to connect to the server that has certificates

  (2) for this server to export it to a PFX format certificate.

  (3) open the Microsoft MMC Certificates snap-in for the computer account.

  4) navigate to certificates (Local computer) > personal > certificates.

  (5) right-click on the signed certificate that is to be exported.

  6) click all tasks > export.

  (7) on the Welcome screen, click Next.

  8) click Yes, export the private key.

  (9) if it is an option, click on include all certificates in the certification path.

  (10) enter a password for the private key. This is required for the import certificates.

  (11) to enter a file name and location. For example, C:\certificates\certificate.pfx.

  12) click Next.

  13) click Finish.

  b) import it to the use of broker or planned connection securityr.

  Certificates of thye 1) import (preferable Pfx format) for the server broker or planned connection security.

  (2) open the Microsoft MMC Certificates snap-in for the computer account.

  3) navigate to certificates (Local computer) > personal > certificates.

  (4) right-click the certificates.

  5) click on Import.

  (6) through the pfx and click Next.

  (7) enter the certificate password.

  (8) select Mark keys as being exportable.

  9) click Next.

  10) click Finish.

  (c) restart Consulting Services

  To restart the services:

  Log in as an administrator on the server that is running the Server VMware View connection server VMware View connection or VMware View Server Security.

  Click Start > run, type services.msc and press ENTER.

  In the list of services, right-click on the VMware View connection Server or VMware View Server Security service.

  Click on restart and wait for service to stop and start.

• Setting the SSL certificate for the web user interface

  How can I configure the SSL certificate for the management of a SG300 interface? I don't seem to find the configuration option in the web gui?

  Hello Dirk,.

  For import / create / modify h99350 ssl please go to ' ' security > SSL server > SSL server authentication settings.

  HTTPS is enabled by default.

  Thank you and best regards,

  Siva

• Update the SSL certificate on a security server?

  Good afternoon everyone,

  I'm trying to update the SSL certificate on the server of our security, but I'm running into some problems.

  DigiCert (we get our certs of), not like the VMWare KB article order to request a 2048-bit crt, so we used their tool to generate our a commandsfor us:

  keytool - genkey-server alias - keyalg RSA - keysize 2048, FULL domain name -.jks keystore - dname 'CN = CNNAME, OR = OUNAME, O = ONAME, L = NAME, ST = STNAME, C = CNAME'

  keytool-certreq alias server-file FQDN.csr - FULL.jks domain name

  (I did not show the exact details of the CN name, etc.)

  It makes the keystore a .jks instead of a .p12

  Should this cause problems?

  
  Because after I imported the cert in the keystore, change the config locked file to reference the key file and restart the Server Security Service, it does not restart properly. (Defining the locked towards the old works fine keystore file, then restarting the service works find though.)

  This documented error in Event Viewer:

  Not able to create the com.vmware.vdi.ice.server.JMXServer.main(SourceFile:211) MBean server
  javax.management.MBeanException: Exception thrown in the startServer operation
  at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:435)
  at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
  at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
  at com.vmware.vdi.ice.server.JMXServer.main(SourceFile:209)
  at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at net.propero.workspace.windowsinfrastructure.tunnelservice.TunnelService.run(SourceFile:34)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: java.lang.Exception: ice beginning: null
  at com.vmware.vdi.ice.server.Ice.startServer(SourceFile:695)
  at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)

  Should I request/pay for a new cert so my base keystore is .p12 instead of .jks?

  Hello

  I think that the command you mentioned creating a CSR only. You get a digicert certificate after sending this rea and create a keystore with whom?

  Please follow the steps in this KB to complete the whole process.

  http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1008705

  -noble

• Pre complains about SSL certificate on the exchange server

  Hello.  I just got a pre and tries to set up to communicate with an exchnage server.  Pre complains and will not set up the connection with this error message: «"SSL certificate error.» Is the date and time correct? ».  The date and time are correct, but the server is running a self signed certificate.  This causes no problems with iPhones that use a lot of people here.

  How can I fix it?  It is not all parameters for this problem.

  I spent the weekend trying to test and understand what was going on.  I found that if I nominated the e-mail server (name after HTTPS: / / in Setup) the same as the name of certificate displayed in the Certificate Manager (Launcher > Device Info > more info > Menu > Certificate Manager), the error should disappear.  The problem for me was that the name of cert in cert Manager was different from address of mail server (in my case server. [domain .local] instead of mail. ([Domain_name] .com).  The transformation it seems to use is:

  (1) find the certificate...

  (2) CN is HTTPS: / / in the installer?

  (3) If no, use error 'Verify the certificate, date and time not correct' (or whatever it is) - If Yes, go to HTTPS: / /.

  (4) Exchange requires safety pin?  If no, proceed to synchronize - if so, use error "unsupported of security policies.

  So I looked more closely CERT and it held several common names (CN) for the cert.  It seems that ANY OTHER DEVICE can filter through the list of common names, and use the one that works.  The Pre uses only (whether first or last, I don't know).

  So, there are two options for the certificate problem (I guess the 3rd is that you can return the phone):

  FIRST SOLUTION

  =====================

  (1) check the name of cert in cert Manager.

  (2) if it is a name that can be resolved DNS (i.e.  [mail]. [mywebsite]. [com]) then change this setting in your exchange installation program in the mail server field beside the HTTPS: / /.

  This will only fix it if your COMPUTER administrator has with permissions on the used field.  It is possible that an alias is used on other areas

  SECOND SOLUTION (as I have done)

  =================================

  (1) ensure that your Certification Authority is installed.  You can do it by clicking START > ADMINISTRATIVE TOOLS > CERTIFICATION AUTHORITY - OR - on a computer on your network using IE/Safari/Firefox and typing http://server/certsrv.  If the page is found, then you are installed, if not, then you will need to have installed.

  NOTE: SBS 2003 WILL AWARD A CERT TO THE IIS WITHOUT THE ROOT CA.  THIS SEEMS TO BE THE PROBLEM WITH THE AUTO CERTS GENERATED I HAD

  (2) If you have not installed it, go to this topic, it is well written to get step by step instructions how to install, create demand for cert, create the cert and install the cert (it took me about 30 min).   http://www.MSExchange.org/tutorials/SSL_Enabling_OWA_2003.html

  NOTE: IF YOU ALREADY HAVE A CERT ON IIS, YOU NEED TO REMOVE IT AS IT IS "DEFECTIVE" CERT BEFORE YOU CAN REQUEST A NEW CERTIFICATE.  YOU MAY BE ABLE TO REINSTALL OVER THE NEW CERT, BUT I DON'T KNOW

  (3) open https://mail.domain.com/exchange on your computer - display details of the cert and save the file on your desktop - if you are using a laptop, you can also install it on your laptop to use for use outside the Office (this is also a good back-up that you can use to get more later if needed again).

  (4) plug your pre in USB mode.

  (5) slide the cert and unplug the USB cable

  (6) go to cert Manager

  7) tap on the icon of "Sun" at the bottom left

  (8) press on the new file cert that you save in USB mode

  (9) to confirm that the new cert appears with the name of the correct mail server

  10) go to the e-mail program and configure the exchange account

  The above will create a REAL root cert (not IIS domain root Cert) that the Pre can work with.

  Really, I don't know that how/why Palm overlooked this possibility because they claimed so-called does not want to sell to companies who need strict security requirements.  For me, it means a small / medium company that has limited IT supports (according to the needs, pay as you or green guy with limited knowledge).  Then, why they test the GER in this environment, I'm not sure.  I bet they were tested on their own network, which has all the correct methods, best practices for the management of cert.  I guess it's like the developers that they have offended and almost lost their support until turned it over and said: 'sorry, we really want make you programs for our platform WebOS. ".  We've just been paranoid for so long salivate us when the bell rings. "They just didn't beta test this well enough.  The sad result of this is that Sprint will have to address all of the sheets because this certificate simple reading process was given only minimal recognition capabilities.

  But having said that - I'm now completely in love with my pre!

  I'm happy to try to help if you need it.  I found a lot of the forum of solutions were not enough detailed, so do not hesitate to contact.

• SSL certificate for access to the administration of a WSA

  Can someone point me to a guide on how to install an ssl certificate for access to the administration of a WSA?

  Curiously, all the documents that I could find so far talk of SSL certificate for HTTPS decryption...

  Page 367 of this doc.  http://www.Cisco.com/c/dam/en/us/TD/docs/security/WSA/wsa8-0/wsa8-0-6/WSA_8-0-6_User_Guide.PDF

• Error message "revocation information for the security for this site certificate not available. Do you want? [Yes] [No] [View the certificate]

  For awhile, I got the dialog box with «security alert "revocation information for the security for this site certificate not available.» Do you want? [Yes] [No] [View the certificate] ". » I know that many, if not all, sites are OK because I used them several times in the past.

  I tried different "fixed" found by Google "revocation information" and nothing solves the problem - what is.

  When I try to make various updates, not related to this problem, I can not download updates due to a security problem.

  Suggestions for a computer challenged the user? Thank you.

  Richard

  http://www.brighthub.com/Internet/Security-Privacy/articles/82291.aspx

  read this, see if he can address your question.

• Update of security for the SQL Server 2005 Service Pack 3 (KB970892) constantly moved, what can I do about it?

  Update of security for the SQL Server 2005 Service Pack 3 (KB970892) constantly moved, what can I do about it?

  The update tried to automatically install dozens of times, but it keeps failing, is there something I can fix which will allow this facility. I have reasonable computer skills but I'm not good at that, I need step by step help and a full explanation of acronyms.

  Hi Laurence,.

  The issue of Windows is more complex than what is generally answered in the Microsoft Community Forums. Appropriate in the TechNet Forums. Please post your question in the TechNet Forums.

  You can check the link to post your question:

  http://social.technet.Microsoft.com/forums/en-us/category/SQLServer

  I hope that helps!

• Error code 64 c for update of security for the SQL Server 2005 Service Pack 3 (KB2494113)

  Have tried to install KB2494113 - update of safety and he constantly fails to install. Help please as I know very little about the "intricacies" of my laptop

  Hi Phillipmuir,

  Step 1:

  You can read the following article and try to reset the Windows Update components and check.

  How to reset the Windows Update components?

  http://support.Microsoft.com/kb/971058

  Step 2:

  You can also check the following link and try to download and install the standalone update package:

  Update of security for the SQL Server 2005 Service Pack 3 (KB2494113)

  Hope this information is useful.

• SSL certificates on the desktop HTML access

  I am configuring access HTML and try to correctly configure SSL certificates on the VDI desktops in a linked Clone pool.  Documentation, VMware wants us to install a unique certificate for each desktop computer that will be a pain and from what I see, is impossible.  Does anyone have an easy solution for this?  The main problem that I notice, is that the IP Office address is what actually shows in the URL.  How an appropriate certificate can be created with a DHCP address he will change all the time?  Any guidance will be appreciated.

  Connect via a connection or a security server the value "use secure gateway" for HTML.  Only cert is the entry door.

• AnyConnect 3.1 - the certificate on the secure gateway is not valid

  Hi guys,.

  I have a problem with the Anyconnect 3.1.01065.

  When I try to connect I get the "the certificate on the secure gateway is not valid. A VPN connection can be established.

  The certificate is a signed cert self.

  Woks AnyConnect 2.5 without problems.

  Image of the ASA: 8.4 (2).

  [27.11.2012 15:58:27] Ready to connect.

  [27.11.2012 16:01:49] Contact IP_WAN.

  [27.11.2012 16:01:52] Please enter your username and password.

  [27.11.2012 16:02:01] User credentials entered.

  [27.11.2012 16:02:02] Establish the VPN session...

  [27.11.2012 16:02:03] Checking for updates to profile...

  [27.11.2012 16:02:03] Checking for updates...

  [27.11.2012 16:02:03] Checking for updates of customization...

  [27.11.2012 16:02:03] Execution of required updates...

  [27.11.2012 16:02:08] Establish the VPN session...

  [27.11.2012 16:02:08] Setting up VPN - initiate the connection...

  [27.11.2012 16:02:09] Disconnection in progress, please wait...

  [27.11.2012 16:02:13] Connection attempt failed.

  Anyone had this problem before?

  Thank you very much.

  Hello Cristian,

  Please see this:

  CSCua89091 Details of bug

  the local certification authority must support the EKU and other necessary attributes

  Symptom: The local CA on the ASA server currently does not support attributes like the EKU. This enhancement request is to add support for this. Workaround: Configure the cert on the customer's profile

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCua89091

  And the following:

  DOC: Anyconnect supports Extended Key use specific attributes in CERT

  Symptom: When using certificates with the anyconnect client if the certificate is installed on the SAA does not have the EKU attribute set to "Server authentication", then the anyconnect client will reject the ASA certificate as invalid. The certificate of the client id must also be '-l' client authentication "otherwise the ASA he will reject... Conditionsof : Use a certificate of id on the ASA with one other than «authentication server» EKU Use a certificate of id on the client that has one another EKU that '-l' client authentication. Workaround solution: Generate a new certificate of ID with correct extended key usage

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCty61472

  If at this point, you need to set up the corresponding certificate or use an earlier version of the AnyConnect client.

  HTH.

  Please note all useful posts

• Cannot "connect as current user" via the Security Server

  Hello community,

  I had a problem using the "connect as current user" option against a network outside of the enterprise security server. Connection by manually keying in the name of user and password works very well from the outside the company network For internal connections using a connection to the server instead of security server, everything works as expected without having to manually type the name of user and password.

  Single domain

  Customer of the horizon is 3.5.2 and joined to a domain

  2 Security Server 6.2.1 x

  2 Server 6.2.1 connection x

  On one of the servers of connection I got the following error message when you try to connect through the horizon customer using the option "connection as the current user:

  2015 12-28 T 20: 21:15.207 + 01:00 INFO (B 0, 08 - 0E34) < ajp-nio-8009-exec-7 > [PAEContext] (SESSION: a774_ * _b2fb) Idle Timer executor by using 1 thread (s)

  2015 12-28 T 20: 21:15.625 + 01:00 ERROR (0744-0AEC) < MessageFrameWorkDispatch > [ws_winauth] [GSSApiProcessServerContext]: negotiate failed. Error 0 x 0000000080090300 (not enough memory is available to complete this form) {SESSION: a774_ * _b2fb}

  2015 12-28 T 20: 21:15.626 + 01:00 (B 0, 08-04 B 8) WARN < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) failed connection GSSAPI: not enough memory is available to complete this application

  2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiHandler] (SESSION: a774_ * _b2fb) cannot close the context 7 36 d-*-00D 3 with the error: unable to locate the context requested

  2015 12-28 T 20: 21:15.627 + 01:00 ERROR (B 0, 08-04 B 8) < ajp-nio-8009-exec-8 > [GssapiAuthFilter] (SESSION: a774_ * _b2fb) authenticate GSSAPI performance problem - GSSAPI_ERROR: GSSAPI failed: not enough memory is available to complete this application

  The connection to the server has 12 GB of memory in total and 9.5 GB of memory free/available.

  In the windows event log, the following error message appears:

  BROKER_USER_AUTHFAILED_GENERAL

  Failed to authenticate the user < UNAUTHENTICATED >

  Attributes:

  Node = hostnameofconnectionsserver.mydomain.com

  Gravity = AUDIT_FAIL

  Time = Mon 28 Dec 19:51:16 THIS 2015

  Module = broker

  UserDisplayName = < UNAUTHENTICATED >

  Source = com. VMware.VDI.Broker.filters.GssapiAuthFilter

  Recognized = true

  Just tried from a machine arrived in the area via the Security server. Cannot open a session as the current user. We also enabled on the external connections of MFA, but I don't think that should make a difference.

• Not able to connect with the Security Server

  Hello

  IM setting up a demo with view 6 environment, and when I try to connect locally on the servers of connection it works fine, but when I try to connect to the Security server fails with the image below.

  

  The Security server has 2 network cards, now in the DMZ and in production. I guess I should also be able to connect directly to the ip production, but the same error.

  We have disabled the firewall between dmz and prod for troubleshooting, but same problem.

  The image below is the Security Server, the addresses here are the ip 'internet', I guess it's true?

  

  The image below is the connection to server 1, the addresses here are internal, and is the FULL domain name, if it was "internet ip" instead?

  

  If I try on the spot to connect to the ip address of prod on security with internet server explorer, im able to connect, but when I select the office that it will fail "cannot display this page", then shows the 'internet' ip in the address field.

  I guess there is just something simple I've missed... hope you understand my question

  Thanks for the support.

  If you do not already have a look at this description of the display configuration, it covers remote access via security servers as well. Setting up remote access with a view PCoIP 4.6 and newer https://communities.VMware.com/docs/doc-14974

  I guess the fact that you can connect through the servers of connection that the URL you configured in the view administrator for servers in connection is a production local IP address/address?

  External security URL server is also an IP/address of DMZ / external can be solved?

• Problem with USB auto connect with clients that connect through the Security server...

  Lack of VMware View 5.0.1 with 2 servers connection and a security server. When the clients connect directly to the server connection, USB connection works very well... users can use their USB drives and other devices with their VM. The problem occurs when they attempt to use their USB devices when negotiated through the Security server.

  I know that port 32111 (TCP) must be open between the server security and the connection to the server, but even after doing so it does not always work... customers just to get the scrolling message of office in the USB menu initialization.

  Our current facility is:

  External IP address-> DMZ (Security Server)-> connect to server

  Entrust us our firewall config through our ISP (we are not overloaded with scientists here, it's just me, so things like little help my work load). They are certainly not incompetent (or at least were not in the past). I had to open the external 32111 IP port to the DMZ, then of the DMZ to our connection server that is used for external connections. Everything about VMware View works perfectly for the clients that connect this way, but not USB devices.

  One thing I give is if our having a configuration of VLAN dedicated for customers views influence what either. I'm trying to keep an eye on what ports are open that for our firewall for my records, but I do not see where I openly opened ports on the internal side of security server to our internal network. He must have the port opened directly from the internal face of security server of vmware 32111 discovers clients?

  The firewall Guys tell me that they checked over and over that port 32111 is open throughout the. They also said that they tried to telnet 32111 to our security server port and have nothing back (should have gotten garbage at least according to them).

  An idea of the next steps to take? It is obviously a blocked port, I just have no idea why at this stage.

  I know that port 32111 (TCP) must be open between the server security and the connection to the server, but even after doing it still does not work

  This is not what it takes. The agent is listening on the port 32111, you must open the firewall to allow connections to the Security server for the desktop on port 32111 (same thing you must allow RDP and PCoIP).

  Mike

• Where to put the report server ip and port for the Siebel server?

  Hello

  Where to put the report server ip and port for the Siebel server? I have checked the document "Reports Siebel Guide" but does not know where is the configuration section ' ip address of the server and port ' for 'Oracle BI Publisher.

  Note: I have installed BI Publisher, now necessary to define the ip editor and siebel server port.

  Please help, thanks.

  Hello

  Communication between Siebel and BEEP coming through webservices. You must set the Siebel Outboundwebservice 'PublicReportService' address to address BI Publisher.

  Similarly, the address of the webservice Siebel Inbound 'BIPSiebelSecurityWS' will be used by BEEP setting under the security model of Siebel - Siebel end Webservice poin of connecting to Siebel EAI, data inorder of success authenticate the Siebel user to perform the tasks of report being initiate Siebel UI.

  Please go through the integration document attached to the thread "Re: ADVISE WEBCAST: BI Publisher 11g Configuration with Siebel", it is any integration Siebel with BEEP 11g steps. " But if you go through each step, there are details about why we do it. Through this way you can better understand the integration.

  I hope this helps.

  Thank you
  Maria