Solved

vCloud Director Certificates when using NAT

Posted on 2013-05-28
2
576 Views
Last Modified: 2013-06-24
I am getting ready to put my vCloud Director environment into production and would like to make sure the customers do not see certificate issues.

Here is my current setup:
Cloud Director Internal IP: 192.x.x.a
Cloud Proxy Internal IP: 192.x.x.b
Internal Hostname: ods-director

Cloud Director External IP: 64.x.x.a
Cloud Proxy External IP: 64.x.x.b
Access via https://vcloud.x.x.x.x

Now, what exactly should I request in my certificates? Do I use the internal or external IPs? The server knows nothing of the external IPs as they are all NAT translated. Also, it does not know of the external web address which customers will use. Help is greatly appreciated on this confusing matter!
Question by: tandersen_ODS

2 Comments
LVL 31

Assisted Solution by: Paranormastic (earned 500 total points)
ID: 39230735
"Also, it does not know of the external web address which customers will use."  Thank you for including this - this is important to narrow down the answer for your question.

For the load balancer (or whatever is redirecting the traffic to your internal name/IP) - is this addressing the hostname, DNS name, or IP address of the box?  If it is doing it to the IP address(es) then you need to include those.  If it is going to the name instead then you would need to issue it for that name (e.g. ods-director or, more likely the DNS name, ods-director.yourdomain.com).  

If it is by IP address then you need to be able to get your own cert trusted on the box that runs the VIP (64. address) or have the hosting provider for that company issue you a cert for your private 192. IP address since a commercial CA shouldn't be issuing certs to private IP addresses.

If it is by name then you can usually go either way - commercial or privately issued.

If you are using a private cert then you could just shotgun it and put both private IP addresses, the real server hostname, and the real server DNS name into the cert using the "SAN" (Subject Alternate Name) attribute.
LVL 31

Accepted Solution by: Paranormastic (earned 500 total points)
ID: 39230743
Actually, I should correct myself a little bit from the beginning of my previous answer.  It would also be good to verify with the provider of the NAT that they are configured for using "SSL Offloading", which is how I interpreted your scenario.  In this case, they would terminate the incoming SSL session & then create a second session to your server on the back end.  If this is done by your own company then this may be OK; however, if it is done by a hosting company then they may be able to sniff your traffic on that device - this could be a good or bad thing for different reasons (content filtering/data analysis vs. spying).

They could also be using "SSL Bridging" / SSL pass-through which could still obfuscate which IP address it is coming in on.  In this case you would want the cert to be issued for the vcloud name only & would likely need a commercial certificate.

I could only guess for which way things are running - it would be good to check with the network admin for the part that is doing the NAT.  Sorry to add to the confusion.
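Worked example, added here and not code from the thread, from the asker's environment or from VMware: a short POSIX shell script that does the two things the answers above describe. First it builds a CSR whose Subject Alternative Name lists the external vcloud name, the internal DNS name, the short hostname and the private addresses (the "shotgun" approach from the first answer, which only a private CA will sign because public CAs do not issue for RFC 1918 addresses). Second it compares certificate fingerprints, which is how you tell whether the device doing the NAT is offloading TLS (the certificate a client receives is not yours) or passing it through (same fingerprint), the question the second answer leaves open. Every name, address (RFC 5737 test range) and path below is a placeholder assumption.

```shell
#!/bin/sh
# Added example (not from the original thread). Names, addresses and paths
# are placeholders; replace them with the real vCloud Director values.

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config carrying the SAN entries. DNS names go in as DNS:, addresses
# as IP:. The IP entries only make sense for a privately issued certificate;
# a public CA will reject the 192.x.x.x range.
write_san_config() {
    cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = vcloud.example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vcloud.example.com
DNS.2 = ods-director.example.com
DNS.3 = ods-director
IP.1 = 192.0.2.10
IP.2 = 192.0.2.11
EOF
}

# Generate a 2048-bit RSA key and a CSR that requests the SAN extension.
# Prints the CSR path.
make_san_csr() {
    write_san_config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/vcloud.key" -out "$WORK/vcloud.csr" \
        -config "$WORK/san.cnf" 2>/dev/null
    echo "$WORK/vcloud.csr"
}

# Print the SAN line of a CSR so it can be checked before it goes to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Self-sign the CSR as a stand-in for the internal server certificate.
# Prints the certificate path.
make_self_signed() {
    openssl x509 -req -in "$WORK/vcloud.csr" -signkey "$WORK/vcloud.key" \
        -days 30 -sha256 -extfile "$WORK/san.cnf" -extensions v3_req \
        -out "$WORK/vcloud.crt" 2>/dev/null
    echo "$WORK/vcloud.crt"
}

# SHA-256 fingerprint of a PEM certificate (hex only, no label).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when both PEM files carry the same certificate. Same fingerprint
# means the client is getting your certificate (pass-through / bridging);
# a different one means something in front re-terminated TLS (offloading).
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Save the leaf certificate a client actually receives from the external
# name. Needs network access, so it is not part of the offline check.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}
```

To run the live check once the script is sourced: `fetch_served_cert vcloud.example.com "$WORK/served.crt"`, then `if same_cert "$WORK/served.crt" /etc/vcloud/vcloud.crt; then echo pass-through; else echo offloaded; fi` (the internal certificate path is another placeholder). If the result is "offloaded", the certificate customers see is whatever is installed on the NAT/VIP device, and that is the one that has to be issued for the vcloud name; if it is "pass-through", the certificate on the director itself must carry that name in its SAN.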
