08-02-2017 12:39 PM - edited 02-21-2020 09:23 PM
Hi guys,
I'm dealing with a customer who's using the outside interface IP of the ASA for the AnyConnect VPN instead of an FQDN. He recently got a wildcard cert for his domain name, and that's about all you see in the SAN (subject alternative names) field. My question is: would AnyConnect work if we installed the cert for him if he's gonna continue using the public IP address instead of an FQDN in the AnyConnect client?
Thanks
08-02-2017 01:54 PM
Hi, if the client connects to the IP address instead of the FQDN, this will be an untrusted connection.
The client couldn't be sure he/she is connecting to a trusted server.
Nevertheless, if you're not blocking connections to untrusted servers in the AnyConnect client, it would work.
So connecting to the FQDN would be the right way.
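The name check behind this answer, as an added example that is not part of the original thread: a simplified version of the RFC 6125-style matching a TLS client applies to the address the user typed. The SAN list uses the tuple format of Python's `ssl.SSLSocket.getpeercert()`; `example.com` and `203.0.113.10` are constructed placeholder values.

```python
import ipaddress

# Constructed sample: subjectAltName of a wildcard certificate, in the tuple
# format returned by ssl.SSLSocket.getpeercert(). example.com is a placeholder.
WILDCARD_SAN = (("DNS", "*.example.com"), ("DNS", "example.com"))


def _dns_match(pattern, host):
    """Match one dNSName entry; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com" and empty host labels.
        return (len(p_labels) > 2 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def san_covers(san, target):
    """Return True if the address typed into the client is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in san:
        if ip is not None:
            # An IP target is compared only with iPAddress entries, exactly;
            # dNSName entries (wildcard or not) never match an IP address.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


if __name__ == "__main__":
    for target in ("203.0.113.10", "vpn.example.com", "a.vpn.example.com"):
        verdict = "trusted" if san_covers(WILDCARD_SAN, target) else "name mismatch"
        print(target, "->", verdict)
```
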
08-02-2017 10:26 PM
Thanks. He is making an FQDN for his firewall now. One last question: he received a subordinate cert and an SSL cert from Symantec. Should the SSL cert be installed under the CA Certificates and the subordinate cert in the identity certs where the trustpoint is defined?