1097 Views | 0 Helpful | 6 Replies

Can use GSLB for anyconnect saml authenticate for 2 Site ASA

jewfcb001
Level 4

Hi all,
As in the picture below, I would like to know whether the design in the diagram can be deployed or not.
I have 2 ASAs and 2 sites. If I use load balancing for DNS queries and map 1 domain to 2 public IPs for VPN,
and do SAML authentication, can I deploy this scenario? I worry about the certificate, because the SAML authentication configuration needs an individual certificate configured on Azure and the ASA. Please suggest.

jewfcb001_0-1676951379673.png

Thank you for help.

6 Replies

jewfcb001
Level 4

I would like someone to help. 

I can't speak for Azure, but with Okta, if you follow their instructions, they have you create the certificate on the ASA itself, so it would essentially be a self-signed certificate. What we do is use a public certificate authority (DigiCert) for the ASAs. Once the cert is installed on one, you can export it (with the RSA key) and re-import it on the second ASA. That way you can have the same FQDN and matching certificate on two different ASAs.

jewfcb001
Level 4

@trodecke
You mean one certificate can be used for two ASAs (trustpoint sp xxxx-CERT)?

trodecke
Level 1

Yes, that's what we do. Although we do not use the ASA's native load balancing mechanism; ours are behind F5 load balancers, so the individual ASAs don't necessarily know about each other. However, specific to the certificate, yes: we create the CSR on one ASA and obtain the certificate, then import the same certificate to the second ASA. I suppose the same process would work for a self-signed cert: export it from one ASA, then import the cert on the second ASA.
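As an added example (not trodecke's or the original poster's configuration), here is the ASA CLI sequence that corresponds to the process described in this answer: enroll one SAML SP trustpoint on the first ASA, export it as PKCS12 together with its RSA key, import it on the second ASA under the same trustpoint name, and reference it from an identical `saml idp` block on both units. The trustpoint names, the FQDN vpn.example.com, the tunnel-group name and the Azure tenant ID are assumed placeholders; the commands themselves are standard ASA syntax.

```text
! ---- ASA-1: enroll the SP certificate once (public CA, as in the answer) ----
crypto key generate rsa label VPN-SP-KEY modulus 2048
crypto ca trustpoint VPN-SP-CERT
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair VPN-SP-KEY
crypto ca authenticate VPN-SP-CERT
! paste the CA chain, then generate the CSR:
crypto ca enroll VPN-SP-CERT
! submit the CSR to the CA and paste the issued certificate:
crypto ca import VPN-SP-CERT certificate

! ---- ASA-1: export certificate + RSA private key as a PKCS12 blob ----
crypto ca export VPN-SP-CERT pkcs12 <export-passphrase>
! copy the base64 block printed to the terminal

! ---- ASA-2: import the identical cert/key under the SAME trustpoint name ----
crypto ca import VPN-SP-CERT pkcs12 <export-passphrase>
! paste the base64 block, finish with "quit"

! ---- identical on both ASAs: SAML SP settings pointing at that trustpoint ----
webvpn
 saml idp https://sts.windows.net/<azure-tenant-id>/
  url sign-in https://login.microsoftonline.com/<azure-tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<azure-tenant-id>/saml2
  trustpoint idp AzureAD-IdP
  trustpoint sp VPN-SP-CERT
  base-url https://vpn.example.com
  no force re-authentication
tunnel-group AnyConnect-TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<azure-tenant-id>/

! ---- check on each ASA: the serial number and fingerprint must match ----
show crypto ca certificates VPN-SP-CERT
```

Because both ASAs carry the same SP certificate and the same `base-url`, the SP entity ID and signing certificate the IdP sees are the same whichever public IP the DNS answer hands the client, so a single SP registration on the IdP side covers both units. The exported PKCS12 contains the private key, so handle the passphrase and the blob with the same care as the key itself and clear it from terminal logs after the import.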

@trodecke
I have a question about load balancing. Is it necessary to configure the IP of the outside interface in the same subnet as the other ASA?
I see some information describing that it is necessary. Please see below.
"With VPN Load balancing, a set of ASA firewalls are configured to share a common VIP address. All firewalls must share the same outside or public subnet."


trodecke
Level 1

I can't speak to that directly, as that's not how we load balance ours; we use F5 load balancers. However, I do believe that if you're going to use the ASA's native load balancing, then it makes sense that they would need to be in the same subnet, as the virtual IP would need to be hosted by either of the ASAs.