If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate onto the View Connection Server instances or security servers that connect to the intermediate server. The same SSL server certificate must reside on both the off-loading intermediate server and each off-loaded View server that connects to the intermediate server.

If you deploy security servers, the intermediate server and the security servers that connect to it must have the same SSL certificate. You do not have to install the same SSL certificate on View Connection Server instances that are paired to the security servers and do not connect directly to the intermediate server.

If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, the intermediate server and any View Connection Server instances that connect to it must have the same SSL certificate.

If the intermediate server's certificate is not installed on the View Connection Server instance or security server, clients cannot validate their connections to View. In this situation, the certificate thumbprint sent by the View server does not match the certificate on the intermediate server to which Horizon Client connects.

Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.

Important

The scenario described in the following topics shows one approach to the sharing of SSL certificates between third-party components and VMware components. This approach may not suit everyone and it is not the only way to perform the task.

1. You must download the CA-signed SSL certificate that is installed on the intermediate server so that it can be imported into the external-facing View servers.

2. You must download the private key that is associated with the SSL certificate on the intermediate server. The private key must be imported with the certificate into the View servers.

3. If you obtained a certificate and its private key in PEM or another format, you must convert it to PKCS#12 (PFX) format before you can import the certificate into a Windows certificate store on a View server. PKCS#12 (PFX) format is required if you use the Certificate Import wizard in the Windows certificate store.

4. You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.

5. To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.

6. You must import the root certificate and any intermediate certificates in the certificate chain into the Windows local computer certificate store.
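The import steps above, followed by the thumbprint comparison that catches the mismatch described earlier, as an added PowerShell example that is not part of the original VMware documentation. The file paths and host name are placeholders, and the `-Exportable` option and the duplicate Friendly name check are assumptions that this page does not state.

```powershell
# Added example: paths and host name below are placeholders, not values from the page.
# Run in an elevated PowerShell session on the View Connection Server or security server.
# Step 3 is done beforehand, for example with OpenSSL when the input is PEM:
#   openssl pkcs12 -export -in server.pem -inkey server.key -certfile chain.pem -out server.pfx
param(
    [string]$PfxPath          = 'C:\certs\server.pfx',
    [string]$RootCerPath      = 'C:\certs\root-ca.cer',
    [string]$IntermediatePath = 'C:\certs\intermediate-ca.cer',
    [string]$OffloadHost      = 'view.example.com',
    [int]$OffloadPort         = 443
)
$ErrorActionPreference = 'Stop'

# Step 4: import the certificate and its private key into the local computer store.
# -Exportable is an assumption here (the page does not say how the key must be marked).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My -Exportable
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }

# Step 5: set the Friendly name to vdm, refusing to create a second "vdm" certificate.
$stale = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $cert.Thumbprint }
if ($stale) { throw "Friendly name 'vdm' already used by: $($stale.Thumbprint -join ', ')" }
(Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)").FriendlyName = 'vdm'

# Step 6: import the root and intermediate CA certificates.
Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $IntermediatePath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Verification: the certificate the intermediate server presents must be the one just
# imported. Default chain and host name validation stays on, so a broken chain throws.
$tcp = New-Object System.Net.Sockets.TcpClient($OffloadHost, $OffloadPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($OffloadHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Dispose() }

if ($served.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch: intermediate server $($served.Thumbprint), local store $($cert.Thumbprint)"
}
"Thumbprints match: $($cert.Thumbprint)"
```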