First off, I am a newb to certificates and for that I apologize. In our View environment we have 1 security server and 2 connection brokers. One of our brokers is for internal users (no tunneling) and the other is for external users. When it comes to certificates, do I need to generate two different certs or do I just need one? Any help clearing up this confusion is appreciated. Thanks.
Perry
It depends how you want the users to access the brokers, with the same dns-name or separate.
I would strongly recommend the same, then the users do not have to change anything when they are on the inside/outside.
Then you also need to put the external name in your internal DNS and point it to the private ip of the internal view broker.
If you do it that way you only need one SSL cert.
// Linjo
Thanks Linjo! Does that cert need to be generated from a particular server?
For your internal View Connection Servers, you have the option to use 1 certificate per server (total of 2) or 1 certificate for both. However, it is important that you use SAN (Subject Alternative Name) certificates if you are accessing them through a load balancer.
For your external View Security Server, I would recommend a separate certificate since this is in your DMZ. By the way, if you use the Access Point appliances, which are Linux-based hardened VMs and a replacement for the Windows View Security Server, you eliminate the need to dedicate an internal View Connection Server just for external connections (due to the fact that you have it in tunnel mode). If you decide to use Access Point server(s), all your internal View Connection Servers are configured with no tunneling, and in your case internal users can use either one. More information on Access Point here: Documentation for VMware Access Point
-Rob
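Putting Linjo's split-DNS advice and Rob's SAN point together, as an added example that is not part of this thread: one certificate whose SAN carries the shared external name plus the internal load-balancer and connection-server names, then checked against each name with openssl. All hostnames are constructed placeholders; the cert is self-signed only so the example runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed placeholder names:
#   view.example.com           external name, also published in internal DNS (split DNS)
#   view-lb.corp.example.com   internal load-balancer name in front of the brokers
#   cs1/cs2.corp.example.com   the two connection servers themselves
# Requires openssl >= 1.1.1 (for -addext).
set -e

EXTERNAL_NAME="view.example.com"
INTERNAL_NAMES="view-lb.corp.example.com cs1.corp.example.com cs2.corp.example.com"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/view.key"
CERT="$WORK/view.crt"

# Every name a client might connect to must be in the SAN: modern clients
# match on SAN only and ignore the CN.
san_list() {
  san="DNS:$EXTERNAL_NAME"
  for n in $INTERNAL_NAMES; do san="$san,DNS:$n"; done
  printf '%s' "$san"
}

# Self-signed so this runs offline. For a real deployment drop -x509/-days,
# write a CSR with -out view.csr instead, and submit it to your CA.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=$EXTERNAL_NAME" \
    -addext "subjectAltName=$(san_list)" >/dev/null 2>&1
}

# Returns 0 if the certificate is valid for the given hostname, non-zero otherwise.
cert_covers() {
  openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_cert
for n in $EXTERNAL_NAME $INTERNAL_NAMES; do
  if cert_covers "$n"; then echo "OK       $n"; else echo "MISSING  $n"; fi
done
# A name that was never added must fail; this is how a gap in the DNS plan shows up.
if cert_covers "view.other.example.com"; then
  echo "unexpected match for view.other.example.com"
else
  echo "MISSING  view.other.example.com (expected)"
fi
```

Run it once per planned name list before buying the cert; any MISSING line for a name users will actually type means the SAN is incomplete.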
Thanks for the info Rob. I will look into that. Currently we use just one cert for the security server. It's time to update the cert so that is the need for the info. thanks again!