vCloud Director Certificates when using NAT

Posted on 2013-05-28
Last Modified: 2013-06-24
I am getting ready to put my vCloud Director environment into production and would like to make sure the customers do not see certificate issues.

Here is my current setup:
Cloud Director Internal IP: 192.x.x.a
Cloud Proxy Internal IP: 192.x.x.b
Internal Hostname: ods-director

Cloud Director External IP: 64.x.x.a
Cloud Proxy External IP: 64.x.x.b
Access via https://vcloud.x.x.x.x

Now, what exactly should I request in my certificates? Do I use the internal or external IPs? The server knows nothing of the external IPs as they are all NAT translated. Also, it does not know of the external web address which customers will use. Help is greatly appreciated on this confusing matter!
Question by:tandersen_ODS

Assisted Solution

Paranormastic earned 1500 total points
ID: 39230735
"Also, it does not know of the external web address which customers will use."  Thank you for including this - this is important to narrow down the answer for your question.

For the load balancer (or whatever is redirecting the traffic to your internal name/IP) - is this addressing the hostname, DNS name, or IP address of the box?  If it is doing it to the IP address(es) then you need to include those.  If it is going to the name instead then you would need to issue it for that name (e.g. ods-director or, more likely the DNS name, ods-director.yourdomain.com).  

If it is by IP address then you need to be able to get your own cert trusted on the box that runs the VIP (64. address) or have the hosting provider for that company issue you a cert for your private 192. IP address since a commercial CA shouldn't be issuing certs to private IP addresses.

If it is by name then you can usually go either way - commercial or privately issued.

If you are using a private cert then you could just shotgun it and put both private IP addresses, the real server hostname, and the real server DNS name into the cert using the "SAN" (Subject Alternative Name) attribute.
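The "shotgun" certificate request described above, as an added example that is not part of the answer or of vCloud Director itself: an OpenSSL configuration and commands that produce a key and a CSR whose SAN lists the internal hostname, the internal DNS name, the public name customers will type, and the private IPs. Every name and address here is a placeholder (ods-director.yourdomain.com, vcloud.yourdomain.com, 192.168.10.10/11) standing in for the poster's masked values. If you intend to send the CSR to a commercial CA, delete the IP.* lines first, since public CAs will not issue for RFC 1918 addresses; for a private CA they are fine. The helper that prints the SAN list lets you check the request before it goes anywhere.

```shell
#!/bin/sh
# Generate a key and CSR whose SAN covers every name or IP a front end might
# use to reach the server. Placeholder names/IPs, not the poster's real values.
gen_csr() {                    # gen_csr <output dir>
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = ods-director.yourdomain.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ods-director.yourdomain.com
DNS.2 = ods-director
DNS.3 = vcloud.yourdomain.com
IP.1  = 192.168.10.10
IP.2  = 192.168.10.11
EOF
  # -nodes: unencrypted private key, as the vCloud keystore import expects a
  # plain key; protect the file with filesystem permissions instead.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ods-director.key" -out "$dir/ods-director.csr" \
    -config "$dir/san.cnf" 2>/dev/null
  chmod 600 "$dir/ods-director.key"
}

# Print the SAN entries of a CSR on one line, e.g.
#   DNS:ods-director.yourdomain.com, DNS:ods-director, ..., IP Address:192.168.10.10, ...
csr_sans() {                   # csr_sans <csr file>
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Usage:
#   gen_csr ./certs && csr_sans ./certs/ods-director.csr
```

Whichever CA signs it, the name check a browser performs is against the SAN list, not the CN, so the public name (vcloud.yourdomain.com) must appear as a DNS entry if the certificate will ever be presented to customers directly.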

Accepted Solution

Paranormastic earned 1500 total points
ID: 39230743
Actually, I should correct myself a little bit from the beginning of my previous answer.  It would also be good to verify with the provider of the NAT that they are configured for using "SSL Offloading", which is how I interpreted your scenario.  In this case, they would terminate the incoming SSL session & then create a second session to your server on the back end.  If this is done by your own company then this may be OK, however if it is done by a hosting company then they may be able to sniff your traffic on that device - this could be a good or bad thing for different reasons (content filtering/data analysis vs. spying).

They could also be using "SSL Bridging" / SSL pass-through which could still obfuscate which IP address it is coming in on.  In this case you would want the cert to be issued for the vcloud name only & would likely need a commercial certificate.

I could only guess for which way things are running - it would be good to check with the network admin for the part that is doing the NAT.  Sorry to add to the confusion.
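If the network admin cannot say whether the device in front of the server terminates TLS or passes it through, the client side can tell you. This is an added check, not part of the answer above: fetch the leaf certificate presented at the public VIP (with SNI set to the name customers will type) and the one presented by the internal server, and compare fingerprints. The same fingerprint means pass-through, so the server's own certificate must carry the public vcloud name; a different fingerprint means the front end terminates TLS with its own certificate, so that is the certificate customers will judge, and the server's certificate only has to satisfy whatever verification the front end does on its back-end connection. Host names and ports are placeholders supplied by the caller.

```shell
#!/bin/sh
# Determine whether a NAT/load-balancer front end terminates TLS or passes it
# through, by comparing the leaf certificate seen from outside with the one the
# internal server presents. Requires the openssl CLI.

# Fetch the leaf certificate a TLS endpoint presents, as PEM on stdout.
# The servername argument sets SNI, so use the name customers will type.
fetch_leaf() {                 # fetch_leaf <host> <port> <servername>
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate (hex, colon separated).
cert_fp() {                    # cert_fp <pem file>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject and SAN list of a PEM certificate, to confirm the public name is covered.
cert_names() {                 # cert_names <pem file>
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Compare the externally seen leaf with the internal one:
#   passthrough - identical certificate, the client sees the server's cert
#   terminated  - different certificate, the front end offloads/bridges TLS
tls_mode() {                   # tls_mode <external pem> <internal pem>
  if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then
    echo passthrough
  else
    echo terminated
  fi
}

# Usage (placeholder hosts; run from a machine that can reach both sides):
#   fetch_leaf vcloud.yourdomain.com 443 vcloud.yourdomain.com > external.pem
#   fetch_leaf 192.168.10.10         443 vcloud.yourdomain.com > internal.pem
#   tls_mode external.pem internal.pem
#   cert_names external.pem      # must list DNS:vcloud.yourdomain.com
```

Run the external fetch from outside your network; from inside, split-horizon DNS or hairpin NAT can route you straight to the server and make a terminating front end look like pass-through.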
