I've got an active/passive cluster of 2 SA4500FIPS boxes. I generated a CSR and have received the certificate from the certificate authority. I'm not 100% sure which ports to put the certificate on though. I have the choice of physical internal and external ports or the internal and external VIPs.
I've read the following article http://kb.pulsesecure.net/KB9686 which says for an active passive cluster you should put the certificate on the VIP but it doesn't mention anything about the physical ports.
If I put the certificate on the VIPs then it should work for anyone connecting to the VIP address, but what if I connect to one of the real IP addresses - it would give a certificate error wouldn't it? Should I put the certificate on the real ports as well? If so then what's the point of putting it on the VIPs?