Super6VCA
Expert

General SSL Cert Question


First off, I am a newb to certificates, and for that I apologize. In our View environment we have 1 security server and 2 connection brokers. One of our brokers is for internal users (no tunneling) and the other is for external users. When it comes to certificates, do I need to generate two different certs or do I just need one? Any help clearing up this confusion is appreciated. Thanks.

Perry

Thank you, Perry
0 Kudos
1 Solution

Accepted Solutions
Linjo
Leadership

It depends on how you want the users to access the brokers: with the same DNS name or separate ones.

I would strongly recommend the same; then the users do not have to change anything when they are on the inside/outside.

Then you also need to put the external name in your internal DNS and point it to the private IP of the internal View broker.

If you do it that way you only need one SSL cert.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".


0 Kudos
Super6VCA
Expert

Thanks Linjo! Does that cert need to be generated from a particular server?

Thank you, Perry
0 Kudos
TitoDz
Enthusiast

For your internal View Connection Servers, you have the option to use 1 certificate per server (total of 2) or 1 certificate for both. However, it is important that you use SAN (Subject Alternate Name) certificates if you are accessing them through a Load Balancer.

For your external View Security Server, I would recommend a separate certificate since this is in your DMZ. By the way, if you use the Access Point appliances, which are Linux-based hardened VMs and a replacement for the Windows View Security Server, you eliminate the need to dedicate an internal View Connection Server just for external connections (due to the fact that you have it in tunnel mode). If you decide to use Access Point server(s), all your internal View Connection Servers are configured with no tunneling, and in your case internal users can use either one. More information on Access Point here: Documentation for VMware Access Point

-Rob

0 Kudos
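Added example, not part of any reply in this thread: a Python check that every name clients use to reach a server is covered by the SAN list of the certificate installed on it, for both the shared-DNS-name setup and the load-balancer case discussed above. All host names and SAN lists are constructed, and the function names are hypothetical; matching follows RFC 6125 (a wildcard is only honoured as the whole leftmost label).

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as "v*.x" are treated as literals


def uncovered_names(client_names: dict, installed_sans: dict) -> dict:
    """Per server, the client-facing names its certificate does not cover."""
    gaps = {}
    for server, names in client_names.items():
        sans = installed_sans.get(server, [])
        missing = [n for n in names
                   if not any(san_matches(s, n) for s in sans)]
        if missing:
            gaps[server] = missing
    return gaps


# Constructed inventory 1: one DNS name inside and outside (split DNS),
# so the same single-name certificate fits both servers.
SPLIT_DNS_NAMES = {
    "security-server": ["view.example.com"],
    "internal-broker": ["view.example.com"],
}
ONE_CERT = {server: ["view.example.com"] for server in SPLIT_DNS_NAMES}

# Constructed inventory 2: brokers reached through a load balancer name
# and by their own host names.
LB_NAMES = {
    "broker-1": ["view-int.example.com", "cs1.corp.example.com"],
    "broker-2": ["view-int.example.com", "cs2.corp.example.com"],
}
HOST_ONLY_CERTS = {
    "broker-1": ["cs1.corp.example.com"],
    "broker-2": ["cs2.corp.example.com"],
}
SAN_CERT = ["view-int.example.com", "cs1.corp.example.com",
            "cs2.corp.example.com"]
SHARED_SAN_CERTS = {server: SAN_CERT for server in LB_NAMES}

if __name__ == "__main__":
    print("split DNS, one cert:", uncovered_names(SPLIT_DNS_NAMES, ONE_CERT))
    print("LB, host-only certs:", uncovered_names(LB_NAMES, HOST_ONLY_CERTS))
    print("LB, shared SAN cert:", uncovered_names(LB_NAMES, SHARED_SAN_CERTS))
```

An empty result means no client will see a name-mismatch warning for that inventory; any listed name has to be added to the certificate's SAN list before it is issued.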
Super6VCA
Expert

Thanks for the info, Rob. I will look into that. Currently we use just one cert for the security server. It's time to update the cert, so that is the need for the info. Thanks again!

Thank you, Perry
0 Kudos