VDA Preparation for External Access
First, create a wildcard certificate for the domain in *.pfx format.
Import this .pfx into the Windows certificate store of the VDA (Local Machine) under Personal, and also under Web Hosting if that store exists.
Then manage the private key permissions of the certificate: grant Full Control to mabnaco\administrator
and Read to NETWORK SERVICE.
Run PowerShell as Administrator and enter the commands shown below:
After that, reboot the VDA.
These commands add an alternative computer name (in addition to the HOSTNAME) and make it the primary name. If you have an internal DNS zone for the public domain name (split DNS), an A record for the alternative name should be registered in that zone automatically, but verify that it really was added. If it was not created automatically, add the record manually in DNS Manager on your domain controller. In this example salevda.mbcloud.ir must resolve internally to the VDA's internal IP address, 172.16.100.22.
Add the mabnaco.local DNS suffix on the correct NIC of the VDA so that names in MABNACO.LOCAL still resolve.
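The VDA-side part of the step above, as an added example (not code from the original page): it adds the alternative computer name, makes it primary, sets the connection-specific DNS suffix and checks what the internal resolver returns for the new name. The alternative name salesvda.mbcloud.ir, the NIC alias "Ethernet" and the internal IP 172.16.100.22 are assumptions taken from the page; adjust them to your environment.

```powershell
# Added example (not from the original page): add an alternative computer name
# on the VDA, make it primary, set the connection-specific DNS suffix and verify
# that the new name resolves to the expected internal address.
# Assumptions: the alternative name is salesvda.mbcloud.ir, the NIC alias is
# "Ethernet" and the internal IP is 172.16.100.22 (from the page).
# netdom.exe needs the AD DS tools (RSAT-AD-Tools) feature on a member server.
# Run in an elevated PowerShell on the VDA; a reboot is required afterwards.

$ComputerName = $env:COMPUTERNAME          # current HOSTNAME of the VDA
$AltName      = 'salesvda.mbcloud.ir'      # assumed alternative FQDN
$NicAlias     = 'Ethernet'                 # assumed NIC alias
$ExpectedIp   = '172.16.100.22'            # internal IP from the page

# 1. Add the alternative name, then make it the primary computer name.
netdom computername $ComputerName /add:$AltName
if ($LASTEXITCODE -ne 0) { throw "netdom /add failed with exit code $LASTEXITCODE" }
netdom computername $ComputerName /makeprimary:$AltName
if ($LASTEXITCODE -ne 0) { throw "netdom /makeprimary failed with exit code $LASTEXITCODE" }

# 2. Connection-specific DNS suffix so MABNACO.LOCAL names keep resolving
#    once the primary name has moved to the public domain.
Set-DnsClient -InterfaceAlias $NicAlias -ConnectionSpecificSuffix 'mabnaco.local'

# 3. Force dynamic DNS registration and check the internal answer for the new name.
Register-DnsClient
$resolved = Resolve-DnsName -Name $AltName -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' } |
            ForEach-Object { $_.IPAddress }
if ($resolved -contains $ExpectedIp) {
    Write-Host "OK: $AltName resolves internally to $ExpectedIp"
} else {
    Write-Warning "$AltName resolved to '$resolved'; add an A record for it in the internal zone on the DC"
}

# 4. List the names on the computer account (the primary name is marked).
netdom computername $ComputerName /enumerate

# Reboot the VDA for the primary name change to take effect:
# Restart-Computer
```

The resolution check uses the VDA's own resolver, so a wrong answer here usually means the record is missing in the internal zone or the VDA is pointing at a public resolver.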
Copy the Citrix ADMX and ADML files from the Citrix installation media to the Windows PolicyDefinitions folder (the .admx files into C:\Windows\PolicyDefinitions and the .adml files into the matching language subfolder, e.g. en-US).
Edit the policy as shown below:
After that, run gpupdate /force
Commands to run as Administrator:
In an elevated PowerShell run Get-ChildItem -Path Cert:\LocalMachine\My
This lists the certificates in the Personal store, including the thumbprint of the alternative-domain (wildcard) certificate you imported earlier.
Save this thumbprint; it is needed in the next commands.
Now run the Enable-VdaSSL.ps1 PowerShell script, which is on the Citrix installation media.
As you can see, the thumbprint is passed in quotation marks in the command.
After the command is entered, the script asks two questions: accept the first with Y; the second concerns the firewall configuration, which is not necessary for this solution, so answer N.
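The thumbprint lookup and the Enable-VdaSSL.ps1 call from the step above, as an added example (not code from the original page or from Citrix): it selects the certificate by subject instead of copying the thumbprint by hand, checks that a usable private key is present, and passes the thumbprint to the script. The subject CN=*.mbcloud.ir, the drive letter D: and the path under which the script is assumed to sit on the media are assumptions.

```powershell
# Added example (not from the original page or Citrix): find the imported
# wildcard certificate, make sure it has a private key and is still valid,
# and hand its thumbprint to Citrix's Enable-VdaSSL.ps1.
# Assumptions: subject CN=*.mbcloud.ir, media mounted as D:, script at
# D:\Support\Tools\SslSupport\Enable-VdaSSL.ps1 (adjust if it differs).
# Run in an elevated PowerShell on the VDA.

$Subject    = 'CN=*.mbcloud.ir'                                  # assumed
$ScriptPath = 'D:\Support\Tools\SslSupport\Enable-VdaSSL.ps1'    # assumed

# Newest matching certificate that carries a private key and has not expired.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with subject '$Subject' and a private key in Cert:\LocalMachine\My"
}

# Record what was selected; the thumbprint is what the page asks you to save.
$cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint

# Enable TLS on the VDA with that thumbprint. The script prompts: answer Y,
# then N to the firewall question, as described on the page.
& $ScriptPath -Enable -CertificateThumbPrint $cert.Thumbprint

# After the ICA service has restarted, the TLS listener (port 443 by default)
# should be open; an empty result here means the change is not active yet.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the script refuses to run, the machine's execution policy is blocking it; run it from a session started with -ExecutionPolicy Bypass rather than lowering the machine-wide policy.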
Certificate Revocation List (CRL)
A digitally signed list issued by a Certification Authority (CA) that contains the certificates issued by that CA which have been revoked. The listing includes the serial number of the certificate, the date the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status.
To isolate the problem to the certificate revocation check, create the following registry value on the VDA.
Note: this value must be deleted once the actual issue is resolved, because it weakens revocation checking for smart card logon.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: after this DWORD value is set to 1, the Kerberos clients (smart card logon clients) ignore "revocation unknown" errors, for example those caused by an expired CRL.
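Applying and, more importantly, removing the workaround above, as an added example (not code from the original page): the key and value names are the ones documented on the page; nothing else is assumed. The block also shows how to check whether the CRL is actually reachable from the VDA, which is the real problem the workaround hides.

```powershell
# Added example (not from the original page): apply the temporary Kerberos CRL
# workaround on the VDA and remove it again once the revocation problem
# (typically an unreachable CRL distribution point or an expired CRL) is fixed.
# Key and value names are the ones on the page; no other assumptions.
# Run in an elevated PowerShell on the VDA.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

function Enable-KerberosCrlWorkaround {
    # Create the Parameters key if it does not exist yet, then set the DWORD to 1.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "Revocation-unknown errors are now ignored for smart card logon on $env:COMPUTERNAME; remove this once the CRL issue is fixed."
}

function Disable-KerberosCrlWorkaround {
    # Remove the value so full revocation checking is enforced again.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
}

function Get-KerberosCrlWorkaroundState {
    $v = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($v -eq 1) { 'enabled (temporary workaround active)' } else { 'disabled (normal revocation checking)' }
}

# Before relying on the workaround, check whether the CRL/OCSP endpoints of the
# user certificate are reachable from the VDA: certutil fetches the CDP and
# AIA URLs and prints the revocation status. <user-cert.cer> is a placeholder
# for an exported smart card user certificate.
#   certutil -verify -urlfetch <user-cert.cer>

Enable-KerberosCrlWorkaround
Get-KerberosCrlWorkaroundState
# ... test the logon, fix the CRL/CDP problem, then:
# Disable-KerberosCrlWorkaround
```

Keep the warning line in place: it is the only reminder that the VDA is accepting certificates whose revocation status is unknown.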
Add the VDA machine account to the group "Windows Authorization Access Group" (members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on user objects).
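The two domain-controller-side tasks on this page, the internal A record for the alternative VDA name (if dynamic registration did not create it) and the group membership above, as one added example (not code from the original page) using the DnsServer and ActiveDirectory modules instead of DNS Manager and the Users and Computers console. The computer account name SALESVDA01, the internal zone mbcloud.ir and the host name salesvda with IP 172.16.100.22 are assumptions based on the page's example.

```powershell
# Added example (not from the original page): DC-side tasks for the VDA.
#  1. Ensure the internal (split-DNS) A record for the alternative name exists
#     and points at the internal IP.
#  2. Add the VDA computer account to "Windows Authorization Access Group".
# Assumptions: computer account SALESVDA01, internal zone mbcloud.ir, record
# salesvda -> 172.16.100.22 (from the page). Run in an elevated PowerShell on
# a domain controller (or with RSAT and -ComputerName on the DNS cmdlets).

Import-Module DnsServer, ActiveDirectory

$VdaAccount = 'SALESVDA01'      # assumed computer account name
$ZoneName   = 'mbcloud.ir'      # assumed internal zone for the public domain
$RecordName = 'salesvda'        # host part of salesvda.mbcloud.ir
$InternalIp = '172.16.100.22'   # internal IP from the page

# 1. Internal A record: dynamic registration should have created it; add only if absent,
#    and warn if an existing record points somewhere else (a stale record breaks the VDA).
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    $current = $existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
    if ($current -notcontains $InternalIp) {
        Write-Warning "$RecordName.$ZoneName points to '$current', expected $InternalIp; fix it before continuing."
    } else {
        Write-Host "A record $RecordName.$ZoneName -> $InternalIp already present."
    }
} else {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $RecordName -IPv4Address $InternalIp
    Write-Host "Added A record $RecordName.$ZoneName -> $InternalIp"
}

# 2. Group membership for the VDA computer account.
$group = 'Windows Authorization Access Group'
$vda   = Get-ADComputer -Identity $VdaAccount
$alreadyMember = Get-ADGroupMember -Identity $group | Where-Object { $_.SID -eq $vda.SID }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $vda
}
Get-ADGroupMember -Identity $group | Select-Object name, objectClass

# The VDA only carries the new group SID in its own token after a reboot.
```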
Run the following command in PowerShell on the Citrix Delivery Controller to enable HDX SSL sessions for a specific Delivery Group.
Before that, run asnp Citrix.*
in an elevated PowerShell.
This loads the Citrix PowerShell snap-ins (asnp is an alias for Add-PSSnapin) so that the Citrix cmdlets can be run. To list all of the available modules, run Get-Command -Module Citrix.*
Change the DesktopGroupName parameter in the commands to the name of the Delivery Group that contains your VDA.
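The Controller-side change for one Delivery Group, as an added example (not code from the original page): it loads the snap-ins, enables HDX over TLS on every access policy rule of the group, switches the site to return VDA FQDNs instead of IP addresses so the client can validate the certificate name, and prints the result. The Delivery Group name "Sales VDA" is an assumption.

```powershell
# Added example (not from the original page): enable HDX over TLS for one
# Delivery Group on a Delivery Controller and verify the result.
# Assumption: the Delivery Group is called "Sales VDA"; replace it with yours.
# Run in an elevated PowerShell on a Delivery Controller.

asnp Citrix.*                                  # load the Citrix snap-ins (Add-PSSnapin)

$DesktopGroupName = 'Sales VDA'                # assumed Delivery Group name

# Fail early on a wrong group name instead of silently changing nothing.
$group = Get-BrokerDesktopGroup -Name $DesktopGroupName -ErrorAction Stop

# Every access policy rule of the group (direct and via Gateway) must allow HDX over TLS.
Get-BrokerAccessPolicyRule -DesktopGroupName $group.Name |
    Set-BrokerAccessPolicyRule -HdxSslEnabled $true

# Return the VDA's FQDN instead of its IP in the ICA file so the client can match
# the TLS certificate name; this is a site-wide setting.
Set-BrokerSite -DnsResolutionEnabled $true

# Verify
Get-BrokerAccessPolicyRule -DesktopGroupName $group.Name |
    Select-Object Name, HdxSslEnabled
Get-BrokerSite | Select-Object DnsResolutionEnabled
```

With DnsResolutionEnabled set, the name the Controller hands out must be resolvable by the client both internally and through the reverse proxy, which is why the DNS records on this page matter for more than just the certificate.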
After that, go to your StoreFront server, open the Citrix FAS administration console as Administrator, and change the FAS rules to add your VDA.
Apply this rule, then go to the VDA and reboot it.
Do not forget to add a valid DNS record for the VDA name in the public domain zone; for example, salesvda.mbcloud.ir must resolve publicly to the public IP address of your reverse proxy, which in our solution is FortiWeb.