09-06-2012 03:44 AM
Hi,
We are in the process of deploying SSLVPN for our company. We already bought two ASA5510 with SSLVPN licenses on both. I am going to install the firewalls into two separate data centers to provide redundancy. Two different external IPs, but we'll publish it with a single URL so we can load-balance. My question is, do we need to purchase two SSL Certificates? Or should we just purchase one and export then import it on the other firewall?
Your thoughts? Thanks in advance.
John
09-06-2012 06:04 AM
Hello John,
You will be able to buy one SSL certificate and then install it in both ASAs.
My suggestion here would be to generate the CSR from one of the ASAs and import the certificate there.
Then, export the certificate from that ASA and import it into the secondary as well.
When you export it from, let's say, the "main ASA", you just need to export it in PKCS12 format so that it includes the private and public keys of the certificate.
In the "secondary ASA", you will need to import it as a PKCS12 file as well.
Let me know if this helps you.
Daniel Moreno
Please rate any posts you find useful
09-06-2012 08:17 AM
Hi Daniel,
Is this the procedure for the export and import?
Thanks,
John
09-06-2012 08:25 AM
John,
Yes, those are the commands.
It would also be a good idea to look at the feedback that Javier posted since it is very detailed.
Let us know if you have any more questions.
Daniel Moreno
Please rate any posts you find useful
09-06-2012 09:32 AM
I agree with Daniel (5 stars)
Thanks.
09-06-2012 07:01 AM
Hi John,
There are different ways to get this to work with VPN load-balancing.
However, we need to have a good understanding of how this is supposed to work.
When the Master receives a new SSL connection, based on the load-balancing algorithm, it decides whether to redirect the session to another ASA or to accept the connection.
The SSL connection will point to the Cluster URL, so you need a certificate for the cluster including the cluster URL in the CN attribute field.
We must keep in mind that the cluster does not take the connection, but a specific ASA does, so we also need a valid certificate for each ASA.
Now, to solve this issue, I would recommend that you check the following link and choose the best option for you:
Keep me posted.
Please rate any post you find useful.
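Added example, not part of any post in this thread: the script below shows the two points the replies make, Daniel's (one certificate exported as PKCS12 so the private key travels with it, then imported on the second ASA) and Javier's (the certificate must carry the cluster URL in the CN and still be valid for whichever individual ASA actually accepts the session). It builds the key and CSR with OpenSSL instead of on the ASA, puts the cluster FQDN in the CN and the cluster plus both per-box FQDNs in the SAN, bundles key and certificate as a PKCS12 that can be pasted into both firewalls, and checks the bundle before anything touches a firewall. Everything named here is an assumption: the FQDNs vpn.example.com, asa1.example.com and asa2.example.com, the trustpoint name SSLVPN-TP, the passphrase, and the self-signed certificate, which only stands in for the CA-issued one so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Builds one PKCS12 bundle that can be
# imported into both ASAs. Self-signed only so it runs offline: in practice you
# send vpn.csr to your CA and drop the issued certificate in as vpn.crt.
# All names, the passphrase and the trustpoint label are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLUSTER_FQDN="vpn.example.com"      # the single published URL (cluster)
ASA1_FQDN="asa1.example.com"        # per-box name the master may redirect to
ASA2_FQDN="asa2.example.com"
P12_PASS="changeme"                 # typed on each ASA at "crypto ca import"

# CN = cluster URL; SAN covers the cluster and each ASA, so the same
# certificate is valid no matter which box ends up taking the session.
write_openssl_cnf() {
    cat > "$WORKDIR/vpn.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $CLUSTER_FQDN
O  = Example Corp
[ ext ]
subjectAltName   = DNS:$CLUSTER_FQDN,DNS:$ASA1_FQDN,DNS:$ASA2_FQDN
extendedKeyUsage = serverAuth
EOF
}

# Private key and CSR (the CSR is what goes to the CA).
make_key_and_csr() {
    openssl genrsa -out "$WORKDIR/vpn.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/vpn.key" -config "$WORKDIR/vpn.cnf" \
        -out "$WORKDIR/vpn.csr"
}

# Stand-in for the CA-issued certificate: self-signed from the CSR, SAN kept.
self_sign_for_demo() {
    openssl x509 -req -in "$WORKDIR/vpn.csr" -signkey "$WORKDIR/vpn.key" \
        -days 30 -extfile "$WORKDIR/vpn.cnf" -extensions ext \
        -out "$WORKDIR/vpn.crt" 2>/dev/null
}

# Key + certificate as PKCS12. SHA1/3DES PBE is forced because OpenSSL 3
# defaults to AES-256 PBES2, which older ASA images refuse on import.
# The base64 copy is what gets pasted at the ASA terminal.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORKDIR/vpn.key" -in "$WORKDIR/vpn.crt" \
        -name "SSLVPN-TP" -passout "pass:$P12_PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$WORKDIR/vpn.p12"
    openssl base64 -in "$WORKDIR/vpn.p12" -out "$WORKDIR/vpn.p12.b64"
}

# Check 1: the bundle opens with the passphrase and holds exactly one private key
# (a cert-only PKCS12 would import on the second ASA but never serve SSL).
p12_private_key_count() {
    openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes 2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY'
}

# Check 2: the bundled certificate lists the given DNS name in its SAN.
p12_cert_has_san() {
    openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" \
        -nokeys 2>/dev/null | openssl x509 -noout -text | grep -q "DNS:$1"
}

# Check 3: key and certificate in the bundle belong together (same modulus).
p12_key_matches_cert() {
    key_md=$(openssl rsa -in "$WORKDIR/vpn.key" -noout -modulus | openssl md5)
    crt_md=$(openssl x509 -in "$WORKDIR/vpn.crt" -noout -modulus | openssl md5)
    [ "$key_md" = "$crt_md" ]
}

build_bundle() {
    write_openssl_cnf
    make_key_and_csr
    self_sign_for_demo
    make_pkcs12
}

build_bundle
echo "PKCS12 written to $WORKDIR/vpn.p12 (base64 for the ASA: vpn.p12.b64)"
```

On each ASA the bundle is loaded with `crypto ca import SSLVPN-TP pkcs12 changeme`, pasting the contents of vpn.p12.b64, and then bound to the interface with `ssl trust-point SSLVPN-TP outside`. If you follow Daniel's route instead and enroll on the first ASA, `crypto ca export SSLVPN-TP pkcs12 <passphrase>` on that box produces the same kind of base64 PKCS12 for the second one. Either way the private key now lives on two firewalls (and, with the OpenSSL route, on the workstation that built the bundle), so wipe the working directory once both imports succeed.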