Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

vCloud Director Certificates when using NAT

Posted on 2013-05-28
2
Medium Priority
?
592 Views
Last Modified: 2013-06-24
I am getting ready to put my vCloud Director environment into production and would like to make sure the customers do not see certificate issues.

Here is my current setup:
Cloud Director Internal IP: 192.x.x.a
Cloud Proxy Internal IP: 192.x.x.b
Internal Hostname: ods-director

Cloud Director External IP: 64.x.x.a
Cloud Proxy External IP: 64.x.x.b
Access via https:\\vcloud.x.x.x.x

Now, what exactly should I request in my certificates? Do I use the internal or external IPs? The server knows nothing of the external IPs as they are all NAT translated. Also, it does not know of the external web address which customers will use. Help is greatly appreciated on this confusing matter!
0
Comment
Question by:tandersen_ODS
  • 2
2 Comments
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1500 total points
ID: 39230735
"Also, it does not know of the external web address which customers will use."  Thank you for including this - this is important to narrow down the answer for your question.

For the load balancer (or whatever is redirecting the traffic to your internal name/IP) - is this addressing the hostname, DNS name, or IP address of the box?  If it is doing it to the IP address(es) then you need to include those.  If it is going to the name instead then you would need to issue it for that name (e.g. ods-director or, more likely the DNS name, ods-director.yourdomain.com).  

If it is by IP address then you need to be able to get your own cert trusted on the box that runs the VIP (64. address) or have the hosting provider for that company issue you a cert for your private 192. IP address since a commercial CA shouldn't be issuing certs to private IP addresses.

If it is by name then you can usually go either way - commercial or privately issued.

If you are using a private cert then you could just shotgun it and put both private IP addresses, the real server hostname, and the real server DNS name into the cert using the "SAN" (Subject Alternate Name) attribute.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1500 total points
ID: 39230743
Actually, I should correct myself a little bit from the beginning of my previous answer.  It would also be good to verify with the provider of the NAT that they are configured for using "SSL Offloading", which is how I interpreted your scenario.  In this case, they would terminate the incoming SSL session & then create a second session to your server on the back end.  If this is done by your own company than this may be OK, however if it is done by a hosting company then they may be able to sniff your traffic on that device - this could be a good or bad thing for different reasons (content filtering/data analysis vs. spying)

They could also be using "SSL Bridging" / SSL pass-through which could still obfuscate which IP address it is coming in on.  In this case you would want the cert to be issued for the vcloud name only & would likely need a commercial certificate.

I could only guess for which way things are running - it would be good to check with the network admin for the part that is doing the NAT.  Sorry to add to the confusion.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
Teach the user how to install log collectors and how to configure ESXi 5.5 for remote logging Open console session and mount vCenter Server installer: Install vSphere Core Dump Collector: Install vSphere Syslog Collector: Open vSphere Client: Config…
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question