Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

vCloud Director Certificates when using NAT

Posted on 2013-05-28
2
Medium Priority
?
588 Views
Last Modified: 2013-06-24
I am getting ready to put my vCloud Director environment into production and would like to make sure the customers do not see certificate issues.

Here is my current setup:
Cloud Director Internal IP: 192.x.x.a
Cloud Proxy Internal IP: 192.x.x.b
Internal Hostname: ods-director

Cloud Director External IP: 64.x.x.a
Cloud Proxy External IP: 64.x.x.b
Access via https:\\vcloud.x.x.x.x

Now, what exactly should I request in my certificates? Do I use the internal or external IPs? The server knows nothing of the external IPs as they are all NAT translated. Also, it does not know of the external web address which customers will use. Help is greatly appreciated on this confusing matter!
0
Comment
Question by:tandersen_ODS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1500 total points
ID: 39230735
"Also, it does not know of the external web address which customers will use."  Thank you for including this - this is important to narrow down the answer for your question.

For the load balancer (or whatever is redirecting the traffic to your internal name/IP) - is this addressing the hostname, DNS name, or IP address of the box?  If it is doing it to the IP address(es) then you need to include those.  If it is going to the name instead then you would need to issue it for that name (e.g. ods-director or, more likely the DNS name, ods-director.yourdomain.com).  

If it is by IP address then you need to be able to get your own cert trusted on the box that runs the VIP (64. address) or have the hosting provider for that company issue you a cert for your private 192. IP address since a commercial CA shouldn't be issuing certs to private IP addresses.

If it is by name then you can usually go either way - commercial or privately issued.

If you are using a private cert then you could just shotgun it and put both private IP addresses, the real server hostname, and the real server DNS name into the cert using the "SAN" (Subject Alternate Name) attribute.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1500 total points
ID: 39230743
Actually, I should correct myself a little bit from the beginning of my previous answer.  It would also be good to verify with the provider of the NAT that they are configured for using "SSL Offloading", which is how I interpreted your scenario.  In this case, they would terminate the incoming SSL session & then create a second session to your server on the back end.  If this is done by your own company than this may be OK, however if it is done by a hosting company then they may be able to sniff your traffic on that device - this could be a good or bad thing for different reasons (content filtering/data analysis vs. spying)

They could also be using "SSL Bridging" / SSL pass-through which could still obfuscate which IP address it is coming in on.  In this case you would want the cert to be issued for the vcloud name only & would likely need a commercial certificate.

I could only guess for which way things are running - it would be good to check with the network admin for the part that is doing the NAT.  Sorry to add to the confusion.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint …
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Teach the user how to install log collectors and how to configure ESXi 5.5 for remote logging Open console session and mount vCenter Server installer: Install vSphere Core Dump Collector: Install vSphere Syslog Collector: Open vSphere Client: Config…
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question