cancel
Showing results for 
Search instead for 
Did you mean: 

Passthrough Proxy Virtual Hostname certificate requirements

SOLVED
Highlighted
New Contributor

Passthrough Proxy Virtual Hostname certificate requirements

Hello guys and gals,

A client of mine is being rather persistent about using a FQDN in the cert for a Passthrough Proxy setup that makes use of the Virtual Hostname. Based on all the info I have gleaned regarding the certificates and the bits I know about using Passthrough Proxies, making use of Virtual Hostnames requires the following:

1. Either use a wildcard cert to match the domain, in the case of this particular client it will have to be, *.remote.domain.com, with the FQDN for the passthrough being, passthrough.remote.domain.com

2. Or if you do not have a wildcard certificate you can use another IP address and what I assume to be the full FQDN cert (this is something I picked up off of one of zanyterp's replies in another post).

The problem I have is this, the client is being persistent in wanting to use a full FQDN for the passthrough cert with the FQDN DNS entry pointing to the SA. Unfortunately I do not know enough about the shortcomings Virtual Hostname nor exactly why this would not work and so I'm not able to answer the client's query to a point that he would stop and just generate a wildcard cert for the 'remote' subdomain as I have suggested.

Would one of you be able to enlighten me as to why the above would not work?

Regards,

Alan

6 REPLIES 6
Respected Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

Hi AlanTen,

 

With virtual hostname based passthrough proxy, you need the following to avoid cert errors (sorry if I caused confusion elsewhere):

1) A virtual port on either the internal port or external port (or both, depending on what users connect against)

2) a certificate that will match on the new hostname (either wildcarded or host-specific)

3) DNS entry for the new hostname

 

If the customer wants to point the new FQDN to the same IP, that is fine BUT users will receive a certificate warning. The reason for this is that only one certificate can be used per port. If they already have a wildcard certificate I can see it being theoretically possible to match on that without needing a separate virtual port on the IVE.

 

Does that help at all?

New Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

If I understand you correctly the certs are assigned per port (IP/Interface) and in order to present a certificate other than the certificate tied to the (physical) External Interface of the SA one needs to either replace the assigned cert with a wildcard cert or set up a new Virtual Port (vIP) and assign a certificate matching the desired FQDN of the to the new Virtual Port IP?

Respected Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

Yes, you are correct. I am not sure which of the scenarios your customer is looking to try, but you have the correct understanding of what is happening.

New Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

Thanks Zany, based on the my understanding I have given the client two options as to how to achieve his goals. At the moment they are using a Virtual Hostname with no cert to match the Virtual Hostname so the solutions I suggested are:

The first of which is to set up a Virtual Port that can be used by the Passthrough Proxy instead of the Virtual Hostname and to then use a specific hostname cert such as passthrough.remote.domain.com or a wildcard cert based on the sub-domain *.remote.domain.com

The second is to replace their current cert, remote.domain.com, with a wildcard cert for the domain, but since there is already a wildcard cert issued and used elsewhere in their organization I suggested that they get a cert from a different CA than the one who issued other wildcard cert.


Respected Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

Yup, you are correct.

 

Good luck!

New Contributor

Re: Passthrough Proxy Virtual Hostname certificate requirements

Thanks ^^