Introduction
The RealVNC Connect On-Prem Zone is an optional component of the RealVNC Connect On-Prem Management Console that lets customers with more complex network topologies implement the Management Console in a more structured manner.
Each installed On-Prem Zone will act as a broker for communication between Viewers & Servers and the central On-Prem Management Console.
Each Zone will be installed with its own set of certificates (as per the install of the On-Prem Management Console) and will present itself as a ‘local version’ of the On-Prem Management Console for that network zone.
Example network topology
It will then be responsible for routing all On-Prem Management Console related traffic between Viewers & Servers in that zone and the central On-Prem Management Console. This means that the Viewers & Servers in each zone don’t need a network path to the On-Prem Management Console, only to the On-Prem Zone that they are registered to.
On-Prem Zone is only responsible for routing On-Prem Management Console related traffic. VNC Traffic will remain direct between Viewers & Servers. On-Prem Zone requires a network path to the On-Prem Management Console in order to function correctly.
Zone Creation
Before you can install and configure your On-Prem Zone, you must first create a Zone within the On-Prem Management Console. This can be done by navigating to the Zone section of the On-Prem Management Console and pressing the ‘Add a new zone’ button.
This will open the Zone creation page, where you can specify the Zone name, Description and the URL that will be used within the Zone for access and connectivity to Viewers & Servers. All of these fields are mandatory.
This will generate a unique Access Key for that zone that will then be used during the Installation process.
If your Management Console has been configured to use the HTTP certificate retrieval endpoint, this modal will also show a certificate verification hash. This hash is used during the On-Prem Zone installation process to verify the Management Console's SSL certificate.
Installation
To install the On-Prem Zone, first download the MSI installer from within the RealVNC Connect Portal (https://manage.realvnc.com). If a customer doesn’t have access to this resource, the installer can be provided manually.
The On-Prem Zone is designed to run on Windows Server 2022, and in order to function correctly, there must be a network route supporting HTTPS traffic between the On-Prem Zone and the RealVNC Servers and RealVNC Viewers that customers wish to use in this deployment.
As part of the installation, SSL certificates will be required to encrypt traffic between the On-Prem Zone and the On-Prem Management Console. As with the Management Console, you will have the choice of providing your own SSL Certificate from a Trusted Certificate Authority or letting the On-Prem Zone Installer generate an SSL certificate for the On-Prem Zone to use.
If you plan to provide your own certificates, details of the certificate requirements can be found here. If you are providing your own certificates please ensure these are ready prior to starting installation.
We recommend generating and providing SSL certificates for your On-Prem Management Console and On-Prem Zone from a trusted certificate authority/third party, as this is a more secure approach. For testing or small scale deployments, utilising the Installer generated certificates is acceptable.
Once the MSI installer has been downloaded, installation can be completed.
Step 1: Configuring HTTP Usage
To begin, you'll need to configure whether your On-Prem Zone will utilise HTTP endpoints for certificate retrieval.
This should match what is configured for the On-Prem Management Console, e.g. if the On-Prem Management Console is not using HTTP endpoints, the On-Prem Zone should also not use the HTTP endpoint.
Step 2: Configuring the Management Console details
Please provide the domain URL of the On-Prem Management Console that this On-Prem Zone will be interacting with.
In this screen, you will have the option to update the ports that the linked On-Prem Management Console is using. Please ensure the values match what has been set for the On-Prem Management Console, otherwise you will not be able to connect to the Management Console.
If you have configured your On-Prem Zone to use the HTTP endpoint then you will have the option to update the HTTP and HTTPS ports. You will be asked to provide the SHA-256 certificate verification hash that will verify the certificate when it is retrieved from the HTTP endpoint; you can find this in the Zone registration details in your Management Console.
If the On-Prem Zone will not be using the HTTP endpoint you will only have the option to update the HTTPS endpoint. You will be asked to provide the SSL certificate that has been used in the Management Console deployment.
Step 3: Enter On-Prem Zone Domain
Please enter the URL that you wish the On-Prem Zone to be served at. Please note that this should match the URL entered during Zone registration and, if you are providing your own SSL certificates, the domain name specified within your SSL certificate.
Step 4: Configure Port values
In the fourth screen of the Installer, you will be able to update the ports the On-Prem Zone uses.
These will be set to default values of:
HTTPS - 443
HTTP - 80
If you will be using the default values, select continue.
If you are using the HTTP endpoint then you will have the option to update the HTTP and HTTPS endpoints.
If any applications already in use by your organisation are using either of these ports, then you will need to update these to available ports.
If you are not using the HTTP endpoint you will only have the option to update the HTTPS port.
If you need to update the ports, select the "Change port values" radio button. This will make the port fields editable and you will be able to change the values to available ports.
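A pre-install check for the port conflict described in this step, listing any process already listening on the ports you plan to give the On-Prem Zone. This is an added example, not part of RealVNC's installer or documentation; the function name Get-PortConflict is hypothetical and it relies only on the built-in Get-NetTCPConnection and Get-Process cmdlets.

```powershell
# Added example (not RealVNC code): find listeners on the ports planned for the
# On-Prem Zone. The defaults below are the installer defaults stated on this page.
function Get-PortConflict {
    param(
        [int[]]$Port = @(443, 80)
    )
    foreach ($p in $Port) {
        # Having no listener on a port is the good case, so suppress that error.
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
        if (-not $listeners) {
            [pscustomobject]@{
                Port = $p; InUse = $false; Address = $null; ProcessId = $null; Process = $null
            }
            continue
        }
        foreach ($l in $listeners) {
            # A listener owned by PID 4 (System) is typically HTTP.sys, which
            # serves IIS and other HTTP-based Windows services.
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $p
                InUse     = $true
                Address   = $l.LocalAddress
                ProcessId = $l.OwningProcess
                Process   = $proc.ProcessName
            }
        }
    }
}

# Run on the server that will host the On-Prem Zone, before starting the MSI.
Get-PortConflict -Port 443, 80 | Format-Table -AutoSize
```

Any row with InUse set to True means that port must be changed in the installer or freed before installation.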
Step 5: Configuring the SSL Certificates
In the fourth screen of the On-Prem Zone Installer, you will be asked how the SSL certificates will be configured for secure connections between the On-Prem Management Console and the On-Prem Zone.
If you are providing your own certificates, simply select Continue.
In the next screen, please provide the file/folder location of the certificates you wish to use with this deployment.
Once you have provided this, enter the password specified when the SSL certificate was created.
Then please provide the file/folder location of the trusted CA bundle you wish to use for this deployment.
In the fourth screen of the On-Prem Zone Installer, you will be asked how the SSL certificates will be configured for secure connections between the On-Prem Management Console and the On-Prem Zone.
If you require Installer generated certificates, select "Generate new SSL Certificates".
This will make the "Organization Name" field editable. In this field, enter the name of the organization you want set as the Issuer Reference on the SSL Certificate.
Once you have entered an Organization Name, select Continue.
Step 6: Enter the Zone Activation Key
Next you will need to enter the Access Key provided by the On-Prem Management Console during Zone Creation.
Step 7: Installation of the On-Prem Zone
The On-Prem Zone will then be installed alongside its required dependencies, including the Java Runtime Environment. Depending on your server administration setup, you may be asked to elevate and approve the install of these dependencies.
The installation process will automatically create an inbound firewall rule for the On-Prem Zone called "RealVNC On-Prem Zone".
Once installed, the On-Prem Zone should automatically launch. If this fails, you can copy the URL from the final screen of the Installer and paste this into your browser.
Once the dependencies have been installed, the core installation process is complete and the Zone Installation & Registration will be completed. If you visit the Zones section of the On-Prem Management Console, you will now see your new zone is marked as Registered, confirming the process has been completed.
Once successfully registered, you can also use the Zone URL to access the On-Prem Management Console ‘via’ that zone.
When doing so you will also be granted access to an extra menu item entitled My Zone, where you can validate the configuration of the Zone you are currently on.
Accessing the On-Prem Zone when using Installer Generated SSL Certificates
When the SSL certificates being used by the On-Prem Zone are Installer generated, the SSL certificate will need to be registered as a trusted Certificate Authority (CA) in order for users to access the On-Prem Zone.
If the On-Prem Zone deployment is using the HTTP endpoint, you will need to navigate to the certificate setup URL over HTTP. This is the domain URL of the On-Prem Zone followed by /certificate-setup, e.g. http://onpremzone.com/certificate-setup. Here you will be able to download the certificate and will be provided with instructions on how to register the certificate with the OS or browser.
If the On-Prem Zone deployment is not using the HTTP endpoints, then you will need to gather the SSL certificate from the Deployment page when logged into your On-Prem Zone. On first access, this page will only be accessible on the device the On-Prem Zone was installed onto.
The steps to register the certificate as trusted will vary depending on your operating system or browser. Details of registering the SSL certificate as a trusted certificate can be found here.
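One way to compare a certificate file with a SHA-256 value you already trust (such as the certificate verification hash shown in the Zone registration details) before registering it as trusted. This is an added example, not RealVNC's code: it assumes the hash is the SHA-256 digest of the certificate's DER encoding written as hex, and the function names and the file name in the usage comment are hypothetical.

```powershell
# Added example (not RealVNC code). Assumption: the reference value is the
# SHA-256 digest of the certificate's DER encoding, written as hex.
function Get-CertificateSha256 {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 loads both DER and PEM (Base64) encoded certificate files.
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        # RawData is the DER encoding, so PEM and DER copies hash identically.
        $digest = $sha.ComputeHash($cert.RawData)
    } finally {
        $sha.Dispose()
    }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Sha256   = -join ($digest | ForEach-Object { $_.ToString('x2') })
    }
}

function Test-CertificateFingerprint {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected
    )
    # Accept "AB:CD:...", "ab cd ..." or plain hex by dropping non-hex characters.
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($want.Length -ne 64) {
        throw 'Expected value is not a 64-digit SHA-256 hex string.'
    }
    $info = Get-CertificateSha256 -Path $Path
    if ($info.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($info.NotAfter)."
    }
    # Only an exact match on all 64 hex digits counts as verified.
    return ($info.Sha256 -eq $want)
}

# Usage (file name is a placeholder; paste the trusted hash as -Expected):
#   Test-CertificateFingerprint -Path .\zone-certificate.cer -Expected '<64 hex digits>'
#   Get-CertificateSha256 -Path .\zone-certificate.cer | Format-List
```

If Test-CertificateFingerprint returns False, the file is not the certificate the hash was issued for and should not be added to a trust store.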