Hello Patrick,

i'm re-uploading the pic. as for the doc, i' had chance to review it but i'm not sure about cerficate installation on second VCS-C2, aslo what sould i add A & SRV Record on on internal and exeternal DNS.

For certificates, refer to the VCS Certificate Creation and Use Deployment Guide (X8.6).

Refer to Appendix 6 of the cluster creation guide regarding how to setup DNS, as well as Appendix 5.  You can configure the SRV records to route traffic to either VCS you choose or both.

hello Patrick,

i really apreciate your help.

these document describe Certificate and SRV on new installation.

in my case i have already have VCS-C/VCS-E for MRA and B2B and they are already configured with SRV (Internal and external DNS). CA trusted certifcate and Server certficat are already uploded to VCS-C  (Single)

now i have brand new VCS-C2, so need to create VCS Cluster and making VCS-C as mater.

i'm confused about the follwed thing

- Do i have to upload the same CA trusted certficate on VCS-C2 and sign CSR with it?

- Since i need to configure a cluster name, should i resign server certficate for VCS-C?

- B2B SRV record that point to VCS-C, should i point them VCS Cluster name now?

regards,

Refer to the "Overview of certificate use on the VCS" section in the certificate guide on pg 3, it goes over what the certificate should contain.  In this case, you're going to need to resign your existing VCS to include the FQDN of the cluster.  Below is taken from the guide.

If the VCS is clustered, with individual certificates per VCS:

• Subject Common Name = FQDN of VCS
• Subject Alternate Names = FQDN of VCS, FQDN of cluster

You can simply add a second SRV record along side the existing records with a lower priority that points to the backup VCS.  An example is described in Appendix 6 of the cluster creation guide, note the guide's example has the SRV records for each VCS peer being equal to allow for each VCS to share the incoming load.

hello Patick,

By resining cert , do you mean re-impoty Root Trusted CA nad Server certificat?

Since i'm clustering only VCS Control, should resign VCE also?

regards,

Server certificate should be fine, as long as you get the certficate from the same CA as the existing one.  You shouldn't have to do anything on the VCS-E certificate, nothing is changing there, but just in case look over the mentioned guides including the MRA guide just to be safe.

hello Patrick,

i was going through MRA configuration. i found these:

Build Expressway-E Traversal Server zone with the “TLS verify subject name” set to “Cluster FQDN

I don't if that would require changin on certificate on VCE.

Since These require a lot of changes (rollback more difficule). i'm thinking about Clustering wihout any changes on cetiticate. just to have replication and registration redundancy ofr endpoint.

hello all,

my customer need to keep the second VCS control for backup only.

i was going through MRA configuration  and found that VCS-E Traversal Server zone with the “TLS verify subject name” need to be set to “Cluster FQDN" instead of VCS-C FQDN. VCS-C certificate alreay includ VCS cluster as SAN.

i have two question:

- Do i have to resign VCS-C or VCS-E on this case?

-  after setting TLS verify subject name” to Cluster FQDN, how can i force MRA request to go through to the master VCS-C first not to VCS-C secondary?

regards,