Solved

vCloud Director Certificates when using NAT

Posted on 2013-05-28
Last Modified: 2013-06-24
I am getting ready to put my vCloud Director environment into production and would like to make sure the customers do not see certificate issues.

Here is my current setup:
Cloud Director Internal IP: 192.x.x.a
Cloud Proxy Internal IP: 192.x.x.b
Internal Hostname: ods-director

Cloud Director External IP: 64.x.x.a
Cloud Proxy External IP: 64.x.x.b
Access via https://vcloud.x.x.x.x

Now, what exactly should I request in my certificates? Do I use the internal or external IPs? The server knows nothing of the external IPs as they are all NAT translated. Also, it does not know of the external web address which customers will use. Help is greatly appreciated on this confusing matter!
Question by:tandersen_ODS
2 Comments
Assisted Solution

by: Paranormastic
Paranormastic earned 500 total points
ID: 39230735
"Also, it does not know of the external web address which customers will use."  Thank you for including this - this is important to narrow down the answer for your question.

For the load balancer (or whatever is redirecting the traffic to your internal name/IP) - is this addressing the hostname, DNS name, or IP address of the box?  If it is doing it to the IP address(es) then you need to include those.  If it is going to the name instead then you would need to issue it for that name (e.g. ods-director or, more likely the DNS name, ods-director.yourdomain.com).  

If it is by IP address then you need to be able to get your own cert trusted on the box that runs the VIP (64. address) or have the hosting provider for that company issue you a cert for your private 192. IP address since a commercial CA shouldn't be issuing certs to private IP addresses.

If it is by name then you can usually go either way - commercial or privately issued.

If you are using a private cert then you could just shotgun it and put both private IP addresses, the real server hostname, and the real server DNS name into the cert using the "SAN" (Subject Alternate Name) attribute.
Accepted Solution

by: Paranormastic
Paranormastic earned 500 total points
ID: 39230743
Actually, I should correct myself a little bit from the beginning of my previous answer.  It would also be good to verify with the provider of the NAT that they are configured for using "SSL Offloading", which is how I interpreted your scenario.  In this case, they would terminate the incoming SSL session & then create a second session to your server on the back end.  If this is done by your own company then this may be OK, however if it is done by a hosting company then they may be able to sniff your traffic on that device - this could be a good or bad thing for different reasons (content filtering/data analysis vs. spying).

They could also be using "SSL Bridging" / SSL pass-through which could still obfuscate which IP address it is coming in on.  In this case you would want the cert to be issued for the vcloud name only & would likely need a commercial certificate.

I could only guess for which way things are running - it would be good to check with the network admin for the part that is doing the NAT.  Sorry to add to the confusion.
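As an added example (not code from the thread, from VMware or from the poster), the check behind both answers above: given the SAN list of a certificate, which of the names or IPs that customers and the NAT/proxy will actually connect with does it cover? The certificate dicts mirror the shape of Python's `ssl.SSLSocket.getpeercert()`, and every hostname and address is a constructed placeholder.

```python
"""Does a certificate's subjectAltName cover the name/IP a client will connect with?

Constructed example: cert dicts use the shape returned by ssl getpeercert(),
hostnames/addresses are placeholders (RFC 5737 test networks), not real ones.
"""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one left-most wildcard label (never bare TLD)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(h_labels) > 2 and p_labels[1:] == h_labels[1:]


def san_covers(cert: dict, access_target: str) -> bool:
    """True if the SAN list covers access_target (a DNS name or a literal IP).

    Only SAN entries count: modern clients ignore the subject commonName,
    so a cert with the right CN but the wrong SAN still fails for customers.
    """
    try:
        ip = ipaddress.ip_address(access_target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, access_target):
            return True
    return False


def uncovered_targets(cert: dict, targets) -> list:
    """Return the access targets (names or IPs) the cert would NOT be valid for."""
    return [t for t in targets if not san_covers(cert, t)]


# The "shotgun" private cert: internal hostname, internal DNS name, both private IPs.
INTERNAL_ONLY_CERT = {
    "subject": ((("commonName", "ods-director"),),),
    "subjectAltName": (("DNS", "ods-director"), ("DNS", "ods-director.example.internal"),
                       ("IP Address", "192.0.2.10"), ("IP Address", "192.0.2.11")),
}
# A commercial cert issued for the public name customers type into their browser.
PUBLIC_CERT = {"subjectAltName": (("DNS", "vcloud.example.com"),)}

# What every party actually connects with: customers (public name/IP), the NAT device (private IP).
ACCESS_TARGETS = ["vcloud.example.com", "203.0.113.5", "192.0.2.10"]
```

Run `uncovered_targets(INTERNAL_ONLY_CERT, ACCESS_TARGETS)` to see that the private cert only satisfies the NAT device's back-end connection, while the public name customers use is left uncovered; with SSL pass-through only `PUBLIC_CERT` satisfies them.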