Joe,
I checked with our VPN engineer. The units can share the same cert. Here is the procedure:
Best Practice Requirement with UCC:
One Unified Client Certificate (UCC) with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP .
So you need a UCC certificate with the CN for master FQDN or IP, and SANs for each ASA: for ASA-1 FQDN or IP, ASA-2 FQDN FQDN or IP, and so on.
Several vendors support UCC:godaddy.com, entrust.com, verisign,etc.
Note: the ASA cannot generate a CSR with multiple SANS (CSCso70867 ), so you have to have the PKI vendor submit the enrollment for you.
Procedure for deploying UCC:
General Steps:
1. On ASA master configure one trustpoint '' pointing to the virtual/cluster. All ssl outside and ssl outside vpnloadbalanced pointing to that trustpoint
2.Then export that trustpoint as pkcs12
3.Then import the pkcs12 to each ASA member of the cluster
4. configure all ssl outside and ssl outside vpnloadbalanced pointing to the imported trustpoint ''.
Regarding troubleshooting the RDP plugin, our VPN engineer recommend that you open a case with the VPN team as it is pretty involved. It appears the following data may have to be collected.
1) Is the issue seen with an ASA upgrade or is this a new deployment?
2) Is the ASA added as one of the trusted sites in the client's browser?
3) What is the version of the current installed plugin?
4) What type of certs are installed on the ASA: self-signed or third party?
5) Is this an issue with XP SP3 and VISTA SP1?
6) Is the customer trying to RDP into a Vista?
7) Please capture the configuration including SSL versions/settings
8) Enable the event logs for RDP ActiveX?
9) Are there any proxy servers between the client and or ASA?
10) Java debug info:
11) ActiveX debug info
-Kureli
