TLS setup questions

mdafforn
Level 1

Hello,

I have a pair of C170s in a cluster, and need to implement TLS for outbound connections to a set of domains.

Currently the appliances have hostnames of ironport1.company.com and ironport2.company.com, externally they are referenced as mail.company.com and mail2.company.com (these are the MX records).

My questions are these:

Do I need to get individual certificates for each C170, or do I install the same cert on both?

Do I need to change the names (either the host names, or external DNS names) to match?

Is there a way to make a destination control a group, instead of individual domains?

Thanks

Mike

3 Replies

You could use the same cert on both, but you'll want it to match names, so a SAN/UC or a wildcard cert would work... I was unable to puzzle out the RFC enough to be sure if a wildcard cert would be allowed, so I just tried it, and it worked.  You'll want the cert to match the name of the box it's on, as some people you send mail to will want the cert to be valid.  In that sense it's not all that different than a cert on a web server...

I'm not sure about the destination controls... It doesn't look like you can build groups there...

Ken

I am curious how you used a wildcard.

What cert name does the cluster use?

Does each individual appliance get its own name? (I would think they would have to, so they would match the hostname of incoming connections.)

I went down the road of getting individual certs for my two appliances, and they work for the HTTPS part (no longer get cert errors when connecting to the GUI), but when I try to use them for listener setup, I am not sure what to do, as it wants to override the cluster config.

I have the feeling I want to override the cluster settings, and copy from the cluster to edit them.

I don't have a cluster, so I'm not versed on what issue(s) you're having...

I used the wildcard just like any other cert that I would be issued, as far as uploading it... I only applied the cert to the external listener, which has smtp1.domain.com...  Since the cert is good for *.domain.com, it works fine.
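The two replies above rely on the certificate's names covering the hostname each appliance presents (a SAN list, or a wildcard such as *.domain.com). Added example, not from this thread or from Cisco: a small Python checker that applies the RFC 6125 wildcard rules most SMTP peers use, so you can test a candidate certificate's name list against your MX and appliance hostnames before deploying it. The certificate names and hosts below are constructed to mirror the thread.

```python
"""Check which hostnames an SMTP TLS certificate's names would cover.

Matching follows RFC 6125 section 6.4.3 as applied by common TLS stacks:
comparison is case-insensitive, a wildcard is honoured only as the whole
left-most label, and it matches exactly one label (no "a.b.company.com").
"""
import re
from typing import Iterable, List

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_hostname(name: str) -> bool:
    """Syntactic check: at least two labels, each a valid DNS label."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(lbl) for lbl in labels)


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers host."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not valid_hostname(host):
        return False
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    # The wildcard must be the entire left-most label, appear nowhere else,
    # and leave at least two fixed labels (so "*.com" is rejected).
    if c_labels[0] != "*" or len(c_labels) < 3 or "*" in cert_name[1:]:
        return False
    # Single-label match: *.company.com covers mail.company.com only.
    return len(h_labels) == len(c_labels) and h_labels[1:] == c_labels[1:]


def covered_hosts(cert_names: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts covered by at least one certificate name, in input order."""
    names = list(cert_names)
    return [h for h in hosts if any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    # Constructed names: the thread's MX and appliance hostnames.
    hosts = ["mail.company.com", "mail2.company.com",
             "ironport1.company.com", "ironport2.company.com"]
    san_cert = ["mail.company.com", "mail2.company.com"]   # SAN/UC cert
    wildcard_cert = ["*.company.com"]                       # wildcard cert
    print("SAN cert covers:     ", covered_hosts(san_cert, hosts))
    print("wildcard cert covers:", covered_hosts(wildcard_cert, hosts))
```

A SAN certificate must list every name a peer will check (MX name and appliance hostname alike), while the wildcard covers all of them at one level only.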