
Relay server certificates

Encryption

Communication between Agents and Relay Servers and between Relay Servers is encrypted using Transport Layer Security (TLS).

For more details, see Communication encryption and certificates.

Certificates

For the connection between an Agent and a Relay Server and between Relay Servers, custom certificates can be used.

To use custom certificates, the following registry values can be used:

CustomCertificate

Mandatory for using custom certificates.

Specifies the value used to identify the custom certificate in the certificate store. By default, the Relay Server compares this value against the custom certificate's Subject name in the Personal folder of the certificate store.

Optionally, one or both of these defaults (the property that is compared and the folder that is searched) can be changed by setting the following registry values:

CustomCertificateFindBy

Specifies a property other than the Subject name by which to identify the custom certificate in the certificate store. Possible values are Thumbprint and Serial number. When one of these is used, the Thumbprint or Serial number provided at CustomCertificate may not contain any spaces.

CustomCertificateStore

Specifies a folder other than Personal in the certificate store to be searched by the Relay Server when looking for the custom certificate. For non-English versions of Microsoft Windows, the Microsoft Windows internal folder name (not the localized display name) must be specified as the value's Data.

The supported Microsoft Windows internal folder names are listed below:

Microsoft Windows internal folder name   Name of folder on an English Microsoft Windows Operating System
--------------------------------------   ---------------------------------------------------------------
Root                                     Trusted Root Certification Authorities
CertificateAuthority                     Intermediate Certification Authorities
TrustedPublisher                         Trusted Publishers
Disallowed                               Untrusted Certificates
AuthRoot                                 Third-Party Root Certification Authorities
TrustedPeople                            Trusted People
AddressBook                              Other People

All three registry values must be set in the RelayServer folder at HKLM\Software\RES\Workspace Control.

The Subject name on the custom certificate must match the Fully Qualified Domain Name (FQDN) that Agents use to connect to a Relay Server (configured at Administration > Agents, on the Settings tab).

If the custom certificate cannot be found, or is expired, otherwise invalid, or not trusted, an entry is logged in the Windows event log and connecting to the Relay Server will not be possible.

Please note that if the registry value CustomCertificate (and optionally CustomCertificateFindBy and CustomCertificateStore) has not been specified, a self-signed certificate will be used for the connection between Agents and Relay Servers, and between Relay Servers.

Ivanti recommends using self-signed certificates only for testing purposes, not in a production environment.

To disallow the use of a self-signed certificate for the connection between an Agent and a Relay Server, set the following registry value:

  • DoNotAcceptSelfSignedCert - set this registry value at HKLM\Software\RES\Workspace Control (32-bit) or HKLM\Software\Wow6432Node\RES\Workspace Control (64-bit).

To disallow the use of a self-signed certificate for the connection between Relay Servers, set the following registry value:

  • DoNotAcceptSelfSignedCert - set this registry value at HKLM\Software\RES\Workspace Control\RelayServer.
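The following PowerShell script is an added example, not a script shipped by Ivanti, that puts the custom-certificate settings above and the two DoNotAcceptSelfSignedCert settings together into one checked procedure. Before it writes anything it verifies what this page says the Relay Server requires: that the certificate exists in the LocalMachine store being searched, that its Subject CN matches the FQDN Agents use, and that it is within its validity period, has a private key and chains to a trusted root. The page does not state the registry value types, so the script assumes the three certificate values are REG_SZ and DoNotAcceptSelfSignedCert is a REG_DWORD set to 1; the FQDN and thumbprint are placeholders supplied by the caller.

```powershell
# Added example (not Ivanti's own code). Run elevated on the Relay Server.
# Assumptions not stated in the documentation: CustomCertificate* are REG_SZ,
# DoNotAcceptSelfSignedCert is a REG_DWORD with data 1. Verify against your version.
param(
    [Parameter(Mandatory)] [string] $RelayServerFqdn,   # FQDN Agents connect to (placeholder)
    [Parameter(Mandatory)] [string] $Thumbprint,        # hex thumbprint of the certificate
    # .NET StoreName values; these are the "internal folder names" the page lists,
    # plus 'My', which is the Personal folder the Relay Server searches by default.
    [ValidateSet('My','Root','CertificateAuthority','TrustedPublisher',
                 'Disallowed','AuthRoot','TrustedPeople','AddressBook')]
    [string] $StoreName = 'My'
)
$ErrorActionPreference = 'Stop'

# Thumbprint and Serial number values may not contain spaces; normalise early.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# 1. Open the LocalMachine store by its internal name and look the certificate up,
#    exactly as FindBy=Thumbprint would.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
    [System.Security.Cryptography.X509Certificates.StoreName]$StoreName, 'LocalMachine')
$store.Open('ReadOnly')
try {
    $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
} finally { $store.Close() }
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint $Thumbprint in LocalMachine\$StoreName, found $($found.Count)"
}
$cert = $found[0]

# 2. The Subject name must match the FQDN configured at Administration > Agents > Settings.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
if ($cn -ne $RelayServerFqdn) {
    throw "Certificate Subject CN '$cn' does not match the Relay Server FQDN '$RelayServerFqdn'"
}

# 3. An expired, untrusted or key-less certificate only produces an event-log entry and
#    failed connections, so fail here instead of at the first Agent connection.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { throw 'Certificate is outside its validity period' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the Relay Server cannot terminate TLS with it' }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $RelayServerFqdn -ErrorAction SilentlyContinue)) {
    throw 'Certificate does not chain to a trusted root for server authentication'
}

# 4. Write the three documented values under the RelayServer key.
$relayKey = 'HKLM:\Software\RES\Workspace Control\RelayServer'
New-Item -Path $relayKey -Force | Out-Null
Set-ItemProperty -Path $relayKey -Name 'CustomCertificate'       -Value $Thumbprint  -Type String
Set-ItemProperty -Path $relayKey -Name 'CustomCertificateFindBy' -Value 'Thumbprint' -Type String
if ($StoreName -ne 'My') {
    # Only needed when the certificate is not in Personal; always the internal name.
    Set-ItemProperty -Path $relayKey -Name 'CustomCertificateStore' -Value $StoreName -Type String
} else {
    Remove-ItemProperty -Path $relayKey -Name 'CustomCertificateStore' -ErrorAction SilentlyContinue
}

# 5. Disallow self-signed certificates on both hops: Agent -> Relay Server lives under the
#    (Wow6432Node on 64-bit) Workspace Control key, Relay Server -> Relay Server under RelayServer.
$agentKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\Software\Wow6432Node\RES\Workspace Control'
} else {
    'HKLM:\Software\RES\Workspace Control'
}
foreach ($key in @($agentKey, $relayKey)) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'DoNotAcceptSelfSignedCert' -Value 1 -Type DWord
}
Write-Host "Relay Server will use certificate $Thumbprint for $RelayServerFqdn; self-signed certificates are rejected."
```

The script opens the store through the .NET X509Store class rather than the Cert: drive because the StoreName enumeration uses the same internal folder names as the table on this page (for example CertificateAuthority, where the Cert: provider uses CA), so the value written to CustomCertificateStore is the same string used for the lookup. After running it, restart the Relay Server service and confirm in the Windows event log that no certificate error was logged before pointing Agents at it.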