Hello guys and gals,
A client of mine is being rather persistent about using a FQDN in the cert for a Passthrough Proxy setup that makes use of the Virtual Hostname. Based on all the info I have gleaned regarding the certificates and the bits I know about using Passthrough Proxies, making use of Virtual Hostnames requires the following:
1. Either use a wildcard cert to match the domain; in the case of this particular client it will have to be *.remote.domain.com, with the FQDN for the passthrough being passthrough.remote.domain.com.
2. Or if you do not have a wildcard certificate you can use another IP address and what I assume to be the full FQDN cert (this is something I picked up off of one of zanyterp's replies in another post).
The problem I have is this: the client is being persistent in wanting to use a full FQDN for the passthrough cert with the FQDN DNS entry pointing to the SA. Unfortunately I do not know enough about the shortcomings of Virtual Hostname nor exactly why this would not work, and so I'm not able to answer the client's query to a point where he would stop and just generate a wildcard cert for the 'remote' subdomain as I have suggested.
Would one of you be able to enlighten me as to why the above would not work?
With virtual hostname based passthrough proxy, you need the following to avoid cert errors (sorry if I caused confusion elsewhere):
1) A virtual port on either the internal port or external port (or both, depending on what users connect against)
2) A certificate that will match on the new hostname (either wildcarded or host-specific)
3) DNS entry for the new hostname
If the customer wants to point the new FQDN to the same IP, that is fine BUT users will receive a certificate warning. The reason for this is that only one certificate can be used per port. If they already have a wildcard certificate I can see it being theoretically possible to match on that without needing a separate virtual port on the IVE.
Does that help at all?
If I understand you correctly, the certs are assigned per port (IP/Interface), and in order to present a certificate other than the certificate tied to the (physical) External Interface of the SA one needs to either replace the assigned cert with a wildcard cert or set up a new Virtual Port (vIP) and assign a certificate matching the desired FQDN to the new Virtual Port IP?
Yes, you are correct. I am not sure which of the scenarios your customer is looking to try, but you have the correct understanding of what is happening.
Thanks Zany, based on my understanding I have given the client two options as to how to achieve his goals. At the moment they are using a Virtual Hostname with no cert to match the Virtual Hostname, so the solutions I suggested are:
The first is to set up a Virtual Port that can be used by the Passthrough Proxy instead of the Virtual Hostname and to then use a specific hostname cert such as passthrough.remote.domain.com or a wildcard cert based on the sub-domain, *.remote.domain.com.
The second is to replace their current cert, remote.domain.com, with a wildcard cert for the domain, but since there is already a wildcard cert issued and used elsewhere in their organization I suggested that they get a cert from a different CA than the one who issued the other wildcard cert.
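Added example, not code from the thread or from the SA product: a small model of zanyterp's "one certificate per port" point and of the two options above, using RFC 6125 hostname matching (exact name, or a single leftmost wildcard label) to show which setup produces a browser certificate warning. The IPs and hostnames are constructed.

```python
# Added example, not from the thread: models "one certificate per IP:port" on the
# SA plus RFC 6125 hostname matching, so you can see which virtual-hostname
# setups produce a browser certificate warning. All hostnames/IPs are constructed.


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost '*' covering exactly one DNS label.
    So '*.remote.domain.com' covers passthrough.remote.domain.com but not
    remote.domain.com itself, and '*.domain.com' does not reach a second level."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label and needs at least two more
    # labels after it, so '*.com' style patterns never match.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def connect(fqdn: str, dns: dict, listeners: dict) -> str:
    """What a client sees: resolve fqdn, hit the IP, validate the single cert
    bound to that IP's port. listeners maps ip -> names in the bound cert."""
    ip = dns.get(fqdn)
    if ip is None:
        return "dns-failure"
    names = listeners[ip]
    return "ok" if any(name_matches(n, fqdn) for n in names) else "cert-warning"


# Constructed deployment: SA external interface 203.0.113.10 holds the existing
# remote.domain.com cert; 203.0.113.11 is a new virtual port (vIP).
EXTERNAL_IP, VIP = "203.0.113.10", "203.0.113.11"
VHOST = "passthrough.remote.domain.com"


def customer_request() -> str:
    """Point the new FQDN at the same IP and keep the host-specific cert."""
    return connect(VHOST, {VHOST: EXTERNAL_IP}, {EXTERNAL_IP: ["remote.domain.com"]})


def option_virtual_port() -> str:
    """Option 1: a new vIP carrying a cert that names the passthrough hostname."""
    return connect(VHOST, {VHOST: VIP},
                   {EXTERNAL_IP: ["remote.domain.com"], VIP: [VHOST]})


def option_wildcard_same_ip() -> tuple:
    """Option 2: replace the cert on the existing IP with *.remote.domain.com.
    The bare name remote.domain.com must also be listed as a SAN, because the
    wildcard alone does not cover it."""
    listeners = {EXTERNAL_IP: ["*.remote.domain.com", "remote.domain.com"]}
    dns = {VHOST: EXTERNAL_IP, "remote.domain.com": EXTERNAL_IP}
    return connect(VHOST, dns, listeners), connect("remote.domain.com", dns, listeners)
```

When requesting the wildcard for option 2, make sure the issuing CA adds remote.domain.com as a subjectAltName alongside *.remote.domain.com, otherwise the existing sign-in hostname starts warning instead of the passthrough one.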