We will be installing an active/active pair of SA4500s with a hardware load balancer. As with an SSL-based web site, am I correct in thinking that we will need a certificate for both units?
If so, how will this work with the URL we provide users to access the VPN? For example, if we give the users a URL of https://vpn.company.com and we need a certificate on both units, do we create each certificate with a different common name (e.g., vpn1.company.com and vpn2.company.com)? How will that conflict or work with the DNS name that the users enter in their browser?
Thanks and regards.
You will need to generate the private key and CSR on a different machine. A Linux box will work the best. The CSR should be for whatever the load-balanced DNS entry is (i.e. vpn.company.com).
The cert will then be installed on each of the VPN boxes AND the load balancer (if you are terminating SSL on the hardware load balancer).
Our load balancer is able to terminate SSL, so it can generate a CSR/key for a certificate. Why would this need to be done from a separate machine? Wouldn't it make more sense to generate the CSR on the load balancer itself?
You can do it on the load balancer if it can export the private keys.
However, you can't generate the cert on the SSL VPN box because you can't export the private keys.
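As an added example that is not part of this thread, the following shell script shows how the key-and-CSR step described in the two replies above could be carried out on a separate Linux box with OpenSSL, so that one private key and one certificate can be copied to both SA4500 units and to the load balancer. The hostname vpn.company.com comes from the question; the output directory, the function names and the subjectAltName extension are assumptions of this example, not advice given in the thread.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Generates one private key and one CSR for the load-balanced DNS name on a
# Linux box, then checks that the CSR carries that name and matches the key.
# vpn.company.com and the output directory are placeholders.
set -eu

# make_vpn_csr DIR HOSTNAME
# Writes DIR/HOSTNAME.key (private key, readable by the owner only) and
# DIR/HOSTNAME.csr. The CN (and, as an assumption, a matching SAN) carry the
# load-balanced name rather than the individual unit names, so the same
# certificate is valid on every box that answers for that URL.
make_vpn_csr() {
    dir="$1"; host="$2"
    umask 077   # the private key will be copied to several boxes; keep it private here
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$host.key" 2>/dev/null
    openssl req -new -key "$dir/$host.key" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$dir/$host.csr" 2>/dev/null
}

# csr_subject_cn CSRFILE
# Prints the CN in the CSR so it can be confirmed before the CSR goes to the CA.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[ ]*CN[ ]*=[ ]*\([^,]*\).*/\1/p'
}

# csr_has_san CSRFILE HOSTNAME
# Succeeds when the CSR lists HOSTNAME as a DNS subjectAltName.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_matches_key CSRFILE KEYFILE
# Succeeds when the public key in the CSR is the one derived from KEYFILE,
# i.e. the key you are about to copy to each unit really belongs to this CSR.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Demo when run directly: ./make_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    make_vpn_csr "$out" vpn.company.com
    echo "CN in CSR: $(csr_subject_cn "$out/vpn.company.com.csr")"
    csr_has_san "$out/vpn.company.com.csr" vpn.company.com && echo "SAN present"
    csr_matches_key "$out/vpn.company.com.csr" "$out/vpn.company.com.key" \
        && echo "CSR matches private key"
    echo "Files written to $out"
fi
```

After the CA returns the certificate, the same key file and certificate are imported on each VPN unit and on the load balancer; the checks above are there to catch a CSR issued for a unit name (vpn1/vpn2) instead of the shared name before it is submitted.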