patricktam
asked on
SSL certificate for two VPN gateways for the same Domain behind a Load balancer
Our company has two VPN gateways (or think of it as a web server, I guess) behind a load balancer for resilience purposes, which share the same domain (e.g. vpn.mycompany.com). The VPN client will log on to the VPN session through either one of the VPN gateways.
We need to install SSL certificates for both VPN gateways and purchase the certificates from a well-known public CA (e.g. Symantec VeriSign, GoDaddy, etc.). My questions are as follows:
1) As both VPN gateways share the same domain name, shall we purchase two SSL certs, one for each VPN gateway, from the public CA, or just one and install that one cert on both VPN gateways?
2) When we generate the CSR (Certificate Signing Request) for the public CA, should we provide the same registration information for both, such as:
Common Name: vpn.mycompany.com
OU: xxx
or unique registration for each VPN gateway, such as
vpn1.mycompany.com & vpn2.mycompany.com?
Note that the VPN client only logs in to the VPN using the domain vpn.mycompany.com.
Thank you so much for your technical advice in advance.
Regards
Patrick Tam (System Administrator)
I'd use *.mycompany.com or a UCC certificate with subject names vpn.company.com, vpn1.company.com, vpn2.company.com.
You may want to consider a single certificate; in the Cisco VPN remote access solution, they term it a Unified Client Certificate (UCC). Hence, in the LB/cluster use case, one UCC with multiple SANs (Subject Alternative Name extensions), with each ASA FQDN/IP included.
https://supportforums.cisco.com/document/29886/asa-vpn-load-balancingclustering-digital-certificates-deployment-guide
Another option is a wildcard; both approaches can achieve this but have their pros and cons. I deployed the SAN to better determine the required (hostname) servers. E.g. during enrollment, ask the CA to include the specified fully qualified domain names in the Subject Alternative Name extension of the certificate.
But do note that in the context of LB, there should be a sticky session to keep the established traffic on the same SSL VPN server. E.g. after the SSL VPN session is opened for a client through any SSL VPN device, additional requests from that client are always forwarded to the same SSL VPN device.
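As an added example (not code from the thread or from Cisco), this is the CSR the SAN approach above amounts to: one request whose Subject Alternative Name carries the shared name plus each gateway's own FQDN, so a single issued certificate and key can be installed on both gateways. It assumes openssl is installed and uses the asker's placeholder hostnames; the final function checks that every expected FQDN is present before the CSR goes to the CA.

```shell
#!/bin/sh
# Added example: one CSR with multiple SANs for two load-balanced gateways.
# Assumptions: openssl on PATH; hostnames are the asker's placeholders.

# Write an openssl request config listing the shared name and both gateways.
# $1 = working directory.
write_csr_config() {
    cat > "$1/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = vpn.mycompany.com
O  = MyCompany

[ v3_req ]
subjectAltName = DNS:vpn.mycompany.com, DNS:vpn1.mycompany.com, DNS:vpn2.mycompany.com
EOF
}

# Generate one private key and one CSR in $1. The CSR is submitted once;
# the issued certificate and this key are then installed on both gateways.
make_san_csr() {
    write_csr_config "$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/vpn.key" -out "$1/vpn.csr" -config "$1/san.cnf" >/dev/null 2>&1
}

# Print the SAN list from a CSR ($1) as openssl renders it.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Return 0 only if every FQDN given after the CSR path appears in its SANs;
# run this before sending the CSR to the CA, since a missing name means the
# issued certificate will not match one of the gateways.
csr_covers() {
    csr=$1; shift
    sans=$(csr_sans "$csr")
    for name in "$@"; do
        case "$sans" in *"DNS:$name"*) ;; *) return 1 ;; esac
    done
    return 0
}
```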
Are you using a load balancer, or using the ASAs in an active/active HA cluster setup? Or a combination of the two?
i.e. use the VIP on each ASA and attach the same certificate to them.
Since they are referenced by a single name, the IP is of no consequence.
Each ASA will have four IPs: management, peer-to-peer, and one of the two VIPs, unless the other device is down.