11-19-2010 02:59 AM
Dears,
In a scenario of "SSL VPN+Citrix", we are facing a problem that ASA5540 rewrites the SSLProxyHost in the ICA file to the IP address of the Outside interface of the 5540. Is there any way to rewrite the SSLProxyHost to a FQDN in ASA5540, like "vpn.test.com:443"? I didn't find it in the user guide.
Thanks,
-Alejin
11-19-2010 05:37 AM
HI Alejin,
Are you using a Self-Signed Certificate for the External ASA interface ? And is the CN field of the certificate is set to the IP Address of the ASA ?
If you are then please re-create another Self-Signed (Or External if you are using an External CA) where the CN field is equal to the FQDN of the ASA. The re-write function takes the CN field of the external SSL Certificate when writing the SSLProxyHost.
Thanks,
Naman
11-21-2010 07:09 PM
Hi Naman,
Thanks for the information.
Unfortunately, we're using a local user database with password to authenticate the SSL client.
So in this scenario, is there any workaround to rewrite the entry of SSLProxyHost? I checked the ASA user guide, but failed to find anything related to that. What I want to do is to replace the IP address with a FQDN in SSLProxyHost.
It seems I can create a self-signed certificate assigned to the outside interface where the SSL VPN terminates, does that make sense? I don't have the lab to test it.
Thanks,
-Alejin
11-22-2010 08:29 AM
Hi Alejin,
It doesn't matter that you are using Local Authentication.
You are right, you just need to create a Self-Signed certificate and assign it to the Outside ASA interface, just make sure that when creating the self-signed certificate you are using the FQDN as the CN.
E.g. subject-name=myasa.domain.com
Thanks,
Naman
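The configuration Naman describes, written out as an added example (not posted by either participant, and not taken from any Cisco document): a self-signed trustpoint whose subject CN is the FQDN, bound to the outside interface so that the certificate the ASA presents, and therefore the CN the ICA rewrite picks up, carries the name rather than the IP address. The hostname myasa.domain.com, the trustpoint name OUTSIDE-SELFSIGNED and the keypair label OUTSIDE-KEY are assumptions chosen for illustration.

```cisco
! Assumed names: myasa.domain.com, OUTSIDE-SELFSIGNED, OUTSIDE-KEY.
! Dedicated RSA keypair for the outside SSL certificate.
crypto key generate rsa label OUTSIDE-KEY modulus 2048

! Self-signed trustpoint; the CN in subject-name is the FQDN that
! the thread says ends up in SSLProxyHost, not the outside IP.
crypto ca trustpoint OUTSIDE-SELFSIGNED
 enrollment self
 fqdn myasa.domain.com
 subject-name CN=myasa.domain.com
 keypair OUTSIDE-KEY
 crl configure
exit

! Generate the self-signed certificate without the interactive prompt.
crypto ca enroll OUTSIDE-SELFSIGNED noconfirm

! Present this certificate on the interface where the SSL VPN terminates.
ssl trust-point OUTSIDE-SELFSIGNED outside

! Check: the Subject line of the identity certificate should show
! CN=myasa.domain.com before you re-test the Citrix launch.
show crypto ca certificates OUTSIDE-SELFSIGNED
```

Two practical points to keep in mind: the FQDN in the CN must resolve to the outside address from wherever the Citrix clients sit, and because the certificate is self-signed the clients will not trust it unless it is distributed to them or replaced with one from a CA they already trust; a CA-issued certificate with the same CN works the same way for the rewrite.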