Remote Web Workspace Certificates: Mulitple?

I have a company that utilizes a domain name for access to Remote Web Workspace and they utilize a SSL certificate from a Trusted 3rd Party source. When someone accesses RWW on the LAN, they don't use this external domain name, but instead utilize an internal domain name via an internal DNS server. Since RWW is already utilizing the certificate of the internet accessible domain name, is there any way to have a second cert so that the domain-name mismatch error doesn't occur?
TercestisiAsked:
Who is Participating?
 
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
You could set up a routing path to do that. That being said, it is not always advisable to do that since technically this would make it so external addresses could route to your internal LAN, which is generally considered an unnecessary security risk.

A better option - you could get a UCC (multi-domain) certificate which supports multiple entries so you could put in the internal and external names, ip addresses, hostname, aliases, whatever.  Most major commercial CA's offer these.  If you just got your cert recently you could probably get a credit back from that towards the new cert.
0
 
swallerCommented:
Can't you just have them access it with the outside url that matches the cert?
0
 
TercestisiAuthor Commented:
I don't think so... the outside url points into the LAN where the request is originating from.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Hardeep_SalujaCommented:
create it using ciecw n configure it
0
 
swallerConnect With a Mentor Commented:
Okay. let me rephrase.

You need to have them access it with the outside url.

If that is not working currently, then you need to create an Alias (C Name) or Host record on your DNS to make that work.
0
 
TercestisiAuthor Commented:
Let me rephrase.

To my knowledge you cannot access a server that is on your LAN by using its WAN IP address when the request is originating from within the LAN itself.

I could be wrong...
0
 
TercestisiAuthor Commented:
Looking over their network... they are just accessing the OWA and RWW by typing in the server name http://servername/ 

Would a server certificate that included servername.domain.local be covered by a 3rd party-signed cert? I don't know how that works.
0
 
ParanormasticCryptographic EngineerCommented:
Yes, you can issue a commercial CA cert to whatever you like - IP address, hostname, DNS name, etc.  Usually if they are just using it for internal use, you could check to see if they happen to have their own CA installed (Certification Authorities MMC and try to connect to another machine and browse - if there is it would show up, even if you don't have rights to connect to it).  If they do, these are free.  But if they need both an internal and external facing cert then commercial CA is the way to go with a UCC cert for the least amount of issues.
0
 
TercestisiAuthor Commented:
Does a UCC cert allow for wildcards?  For example I need the cert to cover *.domain.com and servername.domain.local
0
 
swallerCommented:
I think you are making this way too complicated. You already have a Trusted CA cert, why don't you just access the /remote and /exchange with the fqdn that is on the cert???
0
 
TercestisiAuthor Commented:
Swaller... because, as to my knowledge, you can't.  How would you go about accessing an Internet-accessible URL that points to a fqdn that resides on a LAN that you are currently on?
0
 
swallerCommented:
You type it in??? Have you not tried that? That is how every network I manage works. If yours does not resolve to the correct place then add a local DNS record to make it so.
0
 
TercestisiAuthor Commented:
Swaller... that I could do; but you didn't say hat earlier. I was just saying that, sans DNS config, you could not type in an Internet accessible domain and expect it to load in your browser if that domain points to a box located on a LAN you're currently residing on.
0
 
swallerCommented:
You can if the DNS forwarding is set up correctly and you are not using a Cisco router.
0
 
TercestisiAuthor Commented:
We're using a Cisco router...
0
 
swallerCommented:
aha
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.