Overview

An SSL certificate issued by a trusted public certificate authority is required for AppsAnywhere, to secure access, and so that users accessing your app store on personal devices do not see security warnings in-browser.

The SSL certificates required for the Cloudpaging Admin/License servers and Parallels RAS is used to provide secure communication between the AppsAnywhere and the other services. These certificates can be issued by a trusted internal certificate authority if preferable. 

 It is the customer's responsibility to obtain and maintain up-to-date certificates.

Requirements

AppsAnywhere

The certificate issued must have a ‘common name’ value matching the load balanced AppsAnywhere FQDN (e.g. appsanywhere.uni.edu).

Cloudpaging

The certificate issued must have a ‘common name’ value matching the load balanced Cloudpaging FQDN (e.g. cloudpaging.uni.edu).

Parallels RAS

The certificate issued must have a ‘common name’ value matching the load balanced Parallels RAS FQDN (e.g. parallels.uni.edu).

Analytics

The certificate issued must have a ‘common name’ value matching the Analytics server's DNS entry (e.g. analytics.uni.edu). The server FQDN can be included as a Subject Alternate Name, if required.

Format

We recommend certificates are supplied to Software2 in a .PFX (Personal Information Exchange) format as this format is password protected by default.

Alternatively, separate files for the certificate (.CRT), private key (.KEY) and chain (.CRT) can be supplied if the certificate is not available in a .PFX format.

Any passwords associated with the .PFX and/or .KEY (private key) file must be supplied if required.

If required, see Generating a certificate request (csr).

SSL offloading

By default, we will apply certificates to your servers.

SSL offloading can be used if the SSL certificates for the service will be managed via the load balancer.

All traffic sent to the backend servers from the load balancer must be over HTTPS/443.

AppsAnywhere uses Kerberos (Windows Integrated Authentication) to sign in the user automatically via the Windows Pass Through Single Sign On authentication method. If the Kerberos request is modified by the decryption of the traffic and transmission over HTTP, it will invalidate the request and prevent the user from being signed in automatically.

Load balancing should be configured and operational for a Production environment.

For assistance, see Load Balancer Configuration .

Next Steps

Once the certificates are ready, refer to Applying and Renewing SSL certificates  .