VDA Preparation for External Access

First, create a *.pfx (PKCS#12) certificate for the wildcard domain:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

Import this .pfx into the Windows certificate store (Local Computer) under Personal and, if that store exists, also under Web Hosting.

On the certificate, open Manage Private Keys and grant Full Control to mabnaco\administrator.

On the same certificate, grant Read to NETWORK SERVICE.

Run PowerShell as Administrator:

netdom computername salevda  /ENUMerate

netdom computername salevda  /add:salevda.mbcloud.ir

netdom computername salevda  /MakePrimary:salevda.mbcloud.ir

After that, reboot the VDA.

These commands add an alternative computer name for the PC (hostname) and make it the primary name. If you have an internal DNS zone for the public domain name, an A record for the alternative name should be added to that internal zone automatically, but verify that it is actually there. If it is not created automatically, add the internal DNS record for the alternative name in DNS Manager on your DC. In this example, salevda.mbcloud.ir must resolve to the internal IP, 172.16.100.22.

Add the mabnaco.local DNS suffix on the correct NIC of the VDA so that MABNACO.LOCAL names resolve.

Copy the Citrix ADML and ADMX files to Windows\PolicyDefinitions; they are on the Citrix installation media.

Edit the policy as shown below:

After that, run gpupdate /force from an elevated prompt.

In an elevated PowerShell, run Get-ChildItem -Path Cert:\LocalMachine\My. It should list the thumbprint of the alternative-domain certificate that you added to the Personal store earlier.

Save this thumbprint; it is needed in the next commands.

Now run the Enable-VdaSSL.ps1 PowerShell script from the Citrix installation media:

.\Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint "0BE10B3DC2108F7DE5EE41CEE98424BAF15FC636" -SSLPort 4346

As you can see, the thumbprint is placed in quotation marks in the command.

After you enter the command, the script asks two questions. Answer the first one (certificate ACLs) with Y. The second one is about firewall configuration, which is not necessary for our solution, so answer N:

.\Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint "0BE10B3DC2108F7DE5EE41CEE98424BAF15FC636" -SSLPort 4346
Enable TLS/DTLS to the VDA
Running command Enable-VdaSSL to enable or disable TLS/DTLS to the VDA.
This includes:
        a.Disable TLS/DTLS to VDA or
        b.Enable TLS/DTLS to VDA
                1.Setting ACLs
                2.Setting registry keys
                3.Configuring Firewall



Configure ACLs
Are you sure you want to perform this action?
This will grant TermService read access to the certificate.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
ACLs set.


Configure Firewall
Are you sure you want to perform this action?
This will delete any existing firewall rules for port 4346 and disable rules for ICA, CGP and Websocket services.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): N
Firewall configuration skipped.
Setting registry keys...
Registry keys set.



Configure firewall manually or re-run the script to complete enabling SSL to VDA.

Certificate Revocation List (CRL): a digitally signed list issued by a Certification Authority (CA) that contains the certificates issued by that CA that have been revoked. Each entry includes the certificate's serial number, the date it was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status.

To isolate a problem to the certificate revocation check, create the following registry value on the VDA. Note: this value should be deleted once the actual issue is resolved.

Key: HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1

Description: after this DWORD value is set to 1, Kerberos clients (smart card logon clients) ignore "revocation unknown" errors that are caused by an expired CRL.

Add the VDA machine account to the group "Windows Authorization Access Group" (members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects).

Run the following command in PowerShell on the Citrix Controller server to enable HDX SSL sessions for a specific Delivery Group.

Before that, run asnp Citrix.* in an elevated PowerShell. This loads the Citrix-specific PowerShell snap-ins (asnp is the alias for Add-PSSnapin), after which the Citrix cmdlets are available. To list all of the available modules, run Get-Command -Module Citrix.*

Get-BrokerAccessPolicyRule -DesktopGroupName 'Sales' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

Change the DesktopGroupName parameter in your command to the name of the Delivery Group that contains your VDA server.

After that, go to your StoreFront server and change the FAS rules to add your VDA. You must run the Citrix FAS console as Administrator.

Apply this rule, then go to the VDA and reboot it.

Don't forget to add a valid DNS record for your VDA names in the public domain zone. For example, salesvda.mbcloud.ir should resolve to the public IP address of your reverse proxy, which in our solution is FortiWeb.
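The following check script is an added example, not part of this runbook or of Citrix's Enable-VdaSSL.ps1. After the final reboot it ties the earlier steps together: it finds the certificate in Cert:\LocalMachine\My that covers the alternative name (instead of reading the thumbprint by eye), confirms the internal DNS record, and completes a TLS handshake on the VDA port to verify that the certificate actually presented is the one whose thumbprint was given to Enable-VdaSSL. The FQDN, internal IP and port are the example values used above; adjust them for your VDA.

```powershell
# Added verification script; not part of the original runbook or of Citrix's Enable-VdaSSL.ps1.
# Assumed values: the alternate FQDN, internal IP and TLS port from the steps above.
# Run in an elevated PowerShell on the VDA (or from a host that can reach the VDA on the TLS port).
$AltFqdn    = 'salevda.mbcloud.ir'
$ExpectedIp = '172.16.100.22'
$SslPort    = 4346
$ok = $true

# 1. Locate the unexpired certificate with a private key whose Subject CN / SAN covers the alternate
#    name. DnsNameList is the Cert: provider's name list; a wildcard entry such as *.mbcloud.ir matches via -like.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $names = $_.DnsNameList.Unicode; @($names | Where-Object { $AltFqdn -like $_ }).Count -gt 0 } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    "Certificate for $AltFqdn : thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
} else {
    Write-Warning "No unexpired certificate with a private key covers $AltFqdn in Cert:\LocalMachine\My"
    $ok = $false
}

# 2. Internal DNS: the alternate name must resolve to the VDA's internal address.
$a = @(Resolve-DnsName -Name $AltFqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
if ($a.IPAddress -contains $ExpectedIp) {
    "$AltFqdn resolves to $ExpectedIp"
} else {
    Write-Warning "$AltFqdn resolves to '$($a.IPAddress -join ',')', expected $ExpectedIp"
    $ok = $false
}

# 3. TLS handshake on the VDA port: the certificate presented must be the one found in step 1.
#    The validation callback accepts any certificate so that the thumbprint can be compared explicitly.
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($AltFqdn, $SslPort)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($AltFqdn)
    $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Port $SslPort negotiated $($ssl.SslProtocol); presented thumbprint $($remote.Thumbprint)"
    if ($cert -and $remote.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "Presented certificate differs from the store certificate; re-check the Enable-VdaSSL thumbprint"
        $ok = $false
    }
    $ssl.Dispose(); $tcp.Close()
} catch {
    Write-Warning "TLS handshake to ${AltFqdn}:$SslPort failed: $($_.Exception.Message)"
    $ok = $false
}

if ($ok) { 'VDA TLS preparation looks consistent' } else { 'One or more checks failed (see warnings above)' }
```

A failed step 3 with a successful step 1 usually means the thumbprint passed to Enable-VdaSSL.ps1 was a different certificate, or the VDA has not been rebooted since the script ran.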
