How do I avoid the red "HTTPS" in server address in the Connection Dialog on a PCoIP Zero Client?
HP Anyware and VMware View 5.1 or newer all have connection security requirements that are supported in PCoIP Zero Client firmware 4.0.0 or newer.
There are multiple certificate-check scenarios that can result in a warning message and/or a red HTTPS: for the server address in the connection dialog box.
The recommended solution is to meet all of the following for the HP Anyware Connection, PCoIP Connection Manager, PCoIP Agent or VMware Horizon Connection server certificate:
- The certificate is signed by a trusted Certificate Authority.
- The certificate or the Root Certificate Authority certificate is loaded in the PCoIP Zero Client trusted certificate store.
- The certificate check mode is set to "Never connect to untrusted servers."
- The PCoIP Zero Client connects using the FQDN that matches the certificate.
This will result in a green HTTPS and a secure connection to a trusted server.
Note: A certificate check mode of "Do not verify server identity certificates" will always result in a red HTTPS, regardless of whether the certificate and connection can be verified.
Note: The certificate must contain the FQDN in the subject alternative name as a DNS type and/or the IP address of the server. The FQDN or IP address the PCoIP Zero Client uses to connect to the server must match what is in the certificate; otherwise the connection will be blocked.
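The matching rule in the note above can be checked on an administrator workstation before the address is configured on the client. The following is an added example, not Teradici, HP or VMware code: `check_server_cert` is a hypothetical helper that takes a certificate in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`, and the host names and addresses are constructed sample data. It assumes exact, case-insensitive name comparison and does not model wildcard entries, which the page does not describe.

```python
import ipaddress
import ssl
import time

def check_server_cert(cert, address, now=None):
    """Return a list of problems; an empty list means the address the
    client would use is covered by the certificate's subjectAltName."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate expired")
    san = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(address)
    except ValueError:
        target_ip = None  # not an IP literal, so treat it as a host name
    if target_ip is not None:
        # Compare parsed addresses so differently formatted literals still match.
        san_ips = {ipaddress.ip_address(v.strip())
                   for k, v in san if k == "IP Address"}
        if target_ip not in san_ips:
            problems.append("IP address not in subjectAltName")
    else:
        # Only DNS-type SAN entries count; the subject CN is deliberately ignored.
        san_names = {v.lower().rstrip(".") for k, v in san if k == "DNS"}
        if address.lower().rstrip(".") not in san_names:
            problems.append("host name not in subjectAltName as a DNS entry")
    return problems

# Constructed sample certificates (not real servers), getpeercert() format.
GOOD = {"subject": ((("commonName", "broker.example.internal"),),),
        "notAfter": "Jan 15 12:00:00 2031 GMT",
        "subjectAltName": (("DNS", "broker.example.internal"),
                           ("IP Address", "192.0.2.10"))}
CN_ONLY = {"subject": ((("commonName", "broker.example.internal"),),),
           "notAfter": "Jan 15 12:00:00 2031 GMT"}
NOW = ssl.cert_time_to_seconds("Jan 15 12:00:00 2026 GMT")  # fixed clock

if __name__ == "__main__":
    cases = [(GOOD, "broker.example.internal"), (GOOD, "broker"),
             (GOOD, "192.0.2.10"), (GOOD, "192.0.2.11"),
             (CN_ONLY, "broker.example.internal")]
    for cert, addr in cases:
        print(addr, check_server_cert(cert, addr, NOW) or "OK")
```

The short host name, the unlisted IP address and the certificate that carries the name only in its subject CN are each reported as mismatches, which are the cases where the address typed into the client differs from what the certificate lists.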
PCoIP Connection Manager, HP Anyware Connector, PCoIP Agent, PCoIP Connection Manager for Amazon Workspaces Scenarios
Allow connection, No warning, HTTPS (Strikethrough) in server address | Allow connection, Warning displayed, HTTPS (Strikethrough) in server address | Block connection, error displayed | |
Certificate Check Mode: Do not verify server identity certificates | |||
PCoIP Zero Client has the server root certificate (server cert not expired) | Yes | ||
PCoIP Zero Client has the server root certificate (server cert expired) | Yes | ||
PCoIP Zero Client does not have the server root certificate | Yes | ||
Certificate Check Mode: Warn before connecting to untrusted servers | |||
PCoIP Zero Client has the server root certificate (server cert not expired) | Yes | ||
PCoIP Zero Client has the server root certificate (server cert expired) | Yes | Yes | |
PCoIP Zero Client does not have the server root certificate | Yes | ||
Certificate Check Mode: Do not verify server identity certificates | |||
PCoIP Zero Client has the server root certificate (server cert not expired) | Yes | ||
PCoIP Zero Client has the server root certificate (server cert expired) | Yes | ||
PCoIP Zero Client does not have the server root certificate | Yes |
VMware View Scenarios
Allow connection, No warning, HTTPS (Strikethrough) in VCS address | Allow connection, Warning displayed, HTTPS (Strikethrough) in VCS address | Allow connection, No warning, HTTPS (green) in VCS address | Block connection, error displayed | |
VCS Certificate Check Mode: Do not verify server identity certificates | ||||
PCoIP Zero Client certificate store empty and trusted server cache is empty (i.e. after client reset to defaults and no certificates have ever been uploaded) | Yes | |||
PCoIP Zero Client certificate store empty and trusted server cache is not empty (i.e. there was previously a valid certificate installed but it was removed) | Yes | |||
PCoIP Zero Client has the VCS root certificate (server cert not expired) | Yes | |||
PCoIP Zero Client has the VCS root certificate (server cert expired) | Yes | |||
PCoIP Zero Client does not have the VCS root certificate | Yes | |||
VCS Certificate Check Mode: Warn before connecting to untrusted servers | ||||
PCoIP Zero Client certificate store empty and trusted server cache is empty (i.e. after client reset to defaults and no certificates have ever been uploaded) | Yes | |||
PCoIP Zero Client certificate store empty and trusted server cache is not empty (i.e. there was previously a valid certificate installed but it was removed) | Yes, if the VCS is not in the trusted server cache | Yes, if the VCS is in the trusted server cache and presents a different certificate to the cached certificate | ||
PCoIP Zero Client has the VCS root certificate (server cert not expired) | Yes, and the server is added to the trusted server cache | |||
PCoIP Zero Client has the VCS root certificate (server cert expired) | Yes, if the VCS is not in the trusted server cache | Yes, if the VCS is in the trusted server cache and presents a different certificate to the cached certificate | ||
PCoIP Zero Client does not have the VCS root certificate | Yes | |||
VCS Certificate Check Mode: Do not verify server identity certificates | ||||
PCoIP Zero Client certificate store empty and trusted server cache is empty (i.e. after client reset to defaults and no certificates have ever been uploaded) | Yes | |||
PCoIP Zero Client certificate store empty and trusted server cache is not empty (i.e. there was previously a valid certificate installed but it was removed) | Yes | |||
PCoIP Zero Client has the VCS root certificate (server cert not expired) | Yes | |||
PCoIP Zero Client has the VCS root certificate (server cert expired) | Yes | |||
PCoIP Zero Client does not have the VCS root certificate | Yes |
In order to avoid a warning message and/or a red HTTPS: the trusted root certificate for the VCS must be uploaded to the PCoIP Zero Client.
This could be the self-signed, private CA or Certificate Authority certificate that is installed in both the VCS (requires a private key as per VMware documentation) and the PCoIP Zero Client (uses the public key).