
SSL certificate for two VPN gateways for the same Domain behind a Load balancer

Our company has two VPN gateways (or think of them as web servers, I guess) behind a load balancer for resilience purposes, which share the same domain (e.g. vpn.mycompany.com). The VPN client will log on to the VPN session through either one of the VPN gateways.

We need to install SSL certificates on both VPN gateways and purchase the certificates from a well-known public CA (e.g. Symantec VeriSign, GoDaddy, etc.). My questions are as follows:

1) As both VPN gateways share the same domain name, shall we purchase two SSL certs from the public CA, one for each VPN gateway, or just one and install the same cert on both VPN gateways?

2) When we generate the CSR (Certificate Signing Request) from the public CA, should we provide the same registration information, such as:

Common Name: vpn.mycompany.com
OU: xxx

or a unique registration for each VPN gateway, such as

vpn1.mycompany.com & vpn2.mycompany.com

Note that the VPN client only logs in to the VPN using the domain vpn.mycompany.com.

Thank you so much for your technical advice in advance.

Patrick Tam (System Administrator)
1 Solution
David Johnson, CD, MVP (Owner) commented:
I'd use *.mycompany.com or a UCC certificate; subject names: vpn.company.com, vpn1.company.com, vpn2.company.com
btan (Exec Consultant) commented:
You may want to consider a single certificate; in the Cisco VPN remote access solution, they term it a Unified Client Certificate (UCC). Hence, in the LB/cluster use case, use a UCC with multiple SANs (Subject Alternative Name extensions) with each ASA FQDN/IP included.

Another is a wildcard; both approaches can achieve it but have their pros and cons. I deployed the SAN to better determine the required (hostname) servers. E.g. during enrollment, ask the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.

But do note that in the context of the LB, there should be some sticky session to keep the established traffic on the same SSL VPN server. E.g. after the SSL VPN session is opened for a client through any SSL VPN device, additional requests from that client are always forwarded to the same SSL VPN device.
Are you using a load balancer or using the ASA in an active/active HA cluster setup? Or a combination of the two?

I.e. use the VIP on each ASA and attach the same certificate to them.

Since they are referenced by a single name, the IP is of no consequence.

Each ASA will have four IPs: management, peer-to-peer, and one of two VIPs unless the other device is down.
btan (Exec Consultant) commented:
The hostname of the eventual single public-facing VPN for your client machine to connect to needs to be deployed on the LB fronting the two VPN gateways. It should be transparent to the client machine, with the LB handling that.
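To make the UCC/SAN versus wildcard discussion above concrete, here is an added example in Python; it is not part of the original thread and not any vendor's tooling. It assembles the OpenSSL request configuration you would feed to `openssl req -new -config` to produce one CSR whose SAN covers vpn.mycompany.com plus each gateway's own name, and it implements the RFC 6125 DNS-ID matching a TLS client performs against the SAN list, so you can check which names a given SAN or wildcard certificate would actually cover before buying it. The hostnames are the ones from the question; the organisation and country values, the IP address, and the SAN lists are constructed for the example.

```python
"""One certificate for two VPN gateways behind a single name.

Added example (not from the original thread). Two parts:
1. openssl_san_config(): text of an openssl.cnf that requests ONE CSR with the
   public name and each gateway's own name in the SAN extension.
2. certificate_covers(): how a TLS client decides whether the name it connected
   to is covered by the certificate's SAN entries (RFC 6125 DNS-ID rules), so the
   difference between a SAN/UCC cert and a wildcard cert is visible.
Nothing here contacts a CA or the network.
"""
import ipaddress


def openssl_san_config(common_name, san_hostnames, org="Example Company", country="US"):
    """Return openssl.cnf text for: openssl req -new -newkey rsa:2048 -nodes \
    -keyout vpn.key -out vpn.csr -config <this file>

    Modern clients ignore the CN and match only the SAN list, so the CN value is
    always repeated as the first DNS entry. org/country are placeholder values.
    """
    names = list(dict.fromkeys([common_name, *san_hostnames]))  # dedupe, keep order
    alt = "\n".join(f"DNS.{i} = {h}" for i, h in enumerate(names, start=1))
    return f"""[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = {country}
O  = {org}
CN = {common_name}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
{alt}
"""


def dns_name_matches(presented, pattern):
    """RFC 6125 section 6.4.3 style DNS-ID comparison.

    - case-insensitive, trailing dot ignored
    - a wildcard is allowed only as the whole left-most label ('*.mycompany.com')
    - the wildcard matches exactly one label: it covers vpn1.mycompany.com but not
      mycompany.com and not a.vpn.mycompany.com
    - single-level wildcards such as '*.com' are rejected, as public CAs do
    """
    presented = presented.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return presented == pattern
    p_labels = pattern.split(".")
    h_labels = presented.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(hostname, san_entries):
    """True if any SAN entry covers the name/address the client connected to.

    san_entries: list of ('DNS', name) or ('IP', address) tuples, the shape a
    certificate parser (pyOpenSSL, cryptography) hands back. An IP literal is only
    matched against iPAddress entries, never against dNSName entries.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and dns_name_matches(hostname, value):
            return True
    return False


# Constructed SAN lists for the two options discussed in the thread.
UCC_SAN = [("DNS", "vpn.mycompany.com"),
           ("DNS", "vpn1.mycompany.com"),
           ("DNS", "vpn2.mycompany.com")]
WILDCARD_SAN = [("DNS", "*.mycompany.com")]

if __name__ == "__main__":
    print(openssl_san_config("vpn.mycompany.com",
                             ["vpn1.mycompany.com", "vpn2.mycompany.com"]))
    for name in ["vpn.mycompany.com", "vpn2.mycompany.com", "vpn3.mycompany.com",
                 "mycompany.com", "a.vpn.mycompany.com", "192.0.2.10"]:
        print(f"{name:24} UCC={certificate_covers(name, UCC_SAN)!s:5} "
              f"wildcard={certificate_covers(name, WILDCARD_SAN)}")
```

Install the resulting single certificate and key on both gateways (or on the load balancer if it terminates TLS); the client only ever sees the name it typed, so the IP it lands on is irrelevant, as the comments above say. If a gateway will ever be reached by an IP literal (for example by the load balancer's health check with certificate validation on), that address must appear as an iPAddress SAN entry, because a dNSName or wildcard never matches an IP.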
