
# VDA Preparation for External Access

First, create a `*.pfx` (PKCS#12) certificate for the wildcard domain:

```
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
```

Import this PFX into the Windows certificate store of the local computer under Personal, and also under Web Hosting if that store exists.

Then manage the certificate's private key permissions and grant **Full control** to mabnaco\administrator.

Also grant **Read** access on the private key to *NETWORK SERVICE*.

*Run PowerShell as Administrator:*

```
netdom computername salevda  /ENUMerate

netdom computername salevda  /add:salevda.mbcloud.ir

netdom computername salevda  /MakePrimary:salevda.mbcloud.ir
```

After that, reboot the VDA.

{% hint style="warning" %}
These commands add an alternative computer name (hostname) and make it the primary name.\
If you have an internal DNS zone for the public domain name, an A record should be created automatically in that zone, but verify that it is actually there. If it was not created automatically, add the A record for the alternative name manually in DNS Manager on your DC. In this example **salevda.mbcloud.ir** should resolve to the **internal IP**, which is **172.16.100.22**.
{% endhint %}

Add the `mabnaco.local` DNS suffix on the correct NIC of the VDA so that names in **MABNACO.LOCAL** resolve.

![](/files/-MfBvtdDxj825SRUYHAl)

Copy the Citrix ADML and ADMX files from the Citrix installation media to `Windows\PolicyDefinitions`.

Edit the policy as shown below:

![](/files/-MY8J0WRMISFM1ia4AiH)

Then run `gpupdate /force` from an elevated prompt.

In an elevated PowerShell session, run `Get-ChildItem -Path Cert:\LocalMachine\My`. It lists the ***thumbprint*** of the alternative-domain certificate you imported into the Personal store earlier.

Save this ***thumbprint***; it is needed in the next commands.

Now run the ***Enable-VdaSSL.ps1*** PowerShell script from the Citrix installation media:

```
.\Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint "0BE10B3DC2108F7DE5EE41CEE98424BAF15FC636" -SSLPort 4346
```

As you can see, the thumbprint is passed in quotation marks.

After you enter the command it asks two questions: accept the first with **Y**; the second concerns firewall configuration, which is not needed for this solution, so answer ***N***.

```
.\Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint "0BE10B3DC2108F7DE5EE41CEE98424BAF15FC636" -SSLPort 4346
Enable TLS/DTLS to the VDA
Running command Enable-VdaSSL to enable or disable TLS/DTLS to the VDA.
This includes:
        a.Disable TLS/DTLS to VDA or
        b.Enable TLS/DTLS to VDA
                1.Setting ACLs
                2.Setting registry keys
                3.Configuring Firewall



Configure ACLs
Are you sure you want to perform this action?
This will grant TermService read access to the certificate.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
ACLs set.


Configure Firewall
Are you sure you want to perform this action?
This will delete any existing firewall rules for port 4346 and disable rules for ICA, CGP and Websocket services.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): N
Firewall configuration skipped.
Setting registry keys...
Registry keys set.



Configure firewall manually or re-run the script to complete enabling SSL to VDA.
```
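The preparation steps above (certificate in the Personal store, private-key permission for NETWORK SERVICE, internal DNS record for the alternative name, thumbprint for Enable-VdaSSL.ps1) can be checked in one pass. This is an added example, not a script from the original page or from Citrix; the key-container paths under `%ProgramData%\Microsoft\Crypto` and the use of `DnsNameList` to match the wildcard certificate are assumptions, while the names and IP come from this page.

```powershell
# Added example (not from the original page): pre-flight checks for the steps above.
# Finds the imported wildcard certificate, grants NETWORK SERVICE read access to its
# private key, verifies the alternative name resolves to the internal IP and prints
# the thumbprint for Enable-VdaSSL.ps1. Run in an elevated PowerShell on the VDA.
param(
    [string]$AltName    = 'salevda.mbcloud.ir',   # alternative name from this page
    [string]$ExpectedIp = '172.16.100.22'         # internal IP from this page
)

function Get-PrivateKeyFile {
    # Locate the on-disk key container so its ACL can be edited.
    # Assumed layout: CSP keys under RSA\MachineKeys, CNG keys under Crypto\Keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
}

# 1. Pick the newest unexpired certificate in Personal that has a private key
#    and whose DNS names (e.g. *.mbcloud.ir) cover the alternative name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.DnsNameList.Unicode | Where-Object { $AltName -like $_ }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate covering $AltName in Cert:\LocalMachine\My" }

# 2. Grant NETWORK SERVICE read access to the private key (the 'Manage Private Keys' step).
$keyFile = Get-PrivateKeyFile $cert
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Confirm the alternative computer name resolves to the internal address.
$ips = (Resolve-DnsName -Name $AltName -Type A -ErrorAction Stop).IPAddress
if ($ips -notcontains $ExpectedIp) {
    Write-Warning "$AltName resolves to $($ips -join ', '), expected $ExpectedIp; fix the A record first."
}

# 4. Print the thumbprint and the Enable-VdaSSL.ps1 command line it belongs in.
"Thumbprint: $($cert.Thumbprint)"
".\Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint `"$($cert.Thumbprint)`" -SSLPort 4346"
```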

**Certificate Revocation List (CRL)**

A digitally signed list issued by a Certification Authority (CA) that contains the certificates issued by that CA which have been revoked. Each entry includes the certificate's serial number, the date it was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status.

**To isolate the problem to the certificate revocation check, create the following registry value on the VDA.**

**Note: This value should be deleted once the actual issue is resolved.**

`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters`\
`Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors`\
`Value Type: DWORD`\
`Value Data: 1`

After you set this DWORD value to 1, Kerberos clients (smart card logon clients) ignore "revocation unknown" errors that are caused by an expired CRL.

Add the VDA machine to the group "**Windows Authorization Access Group**"\
(members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects).

Run the following command in PowerShell on the **Citrix Controller server** to enable HDX SSL sessions for a specific **Delivery Group**.

Before that, run `asnp Citrix.*` in an elevated PowerShell session.\
This loads the **Citrix**-specific PowerShell snap-ins (**asnp** is the alias for Add-PSSnapin) so that the **Citrix** cmdlets can be run. To list all of the available modules, run `Get-Command -Module Citrix.*`.

```
Get-BrokerAccessPolicyRule -DesktopGroupName 'Sales' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
```

{% hint style="warning" %}
Change the **DesktopGroupName** parameter in the command to the Delivery Group name of your VDA server.
{% endhint %}

After that, go to your **StoreFront** server, change the FAS rules and add your VDA to them.\
Citrix FAS must be run as Administrator.

![](/files/-MY8OfC_txShNpt9IZld)

Apply this rule, then go to the VDA and reboot it.

{% hint style="warning" %}
Don't forget to add a valid DNS record for your VDA names in the public domain zone. For example, **salesvda.mbcloud.ir** should resolve to your **reverse proxy public IP address**, which in our solution is FortiWeb.
{% endhint %}
