12-13-2015 06:57 PM
Howdy,
We are running WSAs and have three interfaces configured: management and two interfaces for web traffic.
The management interface is called: wsa_name.domain.com
P1 is called: wsa_name-inside.domain.com
P2 is called: wsa_name-outside.domain.com
M1 is limited to just management services. P1 is where users connect to via WPAD and P2 connects to the outside world.
My question is, when I create an SSL certificate for the hosts to enable SSL decryption, what hostname do I use? Is it the management interface name or is it P1's name? I remember reading somewhere that if you get it wrong, it mostly still works but transparent authentication can get muddled up.
12-13-2015 07:07 PM
which host name will be used to connect? both?
12-13-2015 07:14 PM
M1 is restricted to management services only.
P1 is where clients will connect to.
P2 is not accessible for client connectivity.
I'm not sure if I use the M1 hostname (which is the same as the WSA hostname) or P1 hostname. M1 handles authentication services back to Active Directory so was thinking that was the right one - would I then use FQDN in the SSL common name or just short name?
12-31-2015 05:25 AM
Hi Sonny,
The hostname isn't an issue, from someone cleverer than me, Ken Stieers:
It has to be a root signing cert in a chain that your workstations will trust... Standard server certs just say "I'm server x", they can't sign certs saying server Y really is server Y...
On the WSA, it's creating certs on the fly like a root authority would, one for each https site you're hitting.
You have 3 options:
1. Buy a root cert... http://www.sslshopper.com/article-trusted-root-signing-certificates.html (this can be super expensive)
2. If you're in an MS world, install an Enterprise CA using MS Cert Server (your clients will automatically trust it), generate a root signing cert from it, and put that on the WSA (or grab its root cert and put that on the WSA).
3. Download the Ironport cert and deploy it to all of your clients.
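As an added illustration of Ken's point (this is example code, not from the thread, from Cisco, or from the WSA itself), the openssl session below builds a private root CA like the one option 2 would give you, issues an ordinary server certificate for the P1 hostname (the kind of cert the original question was about), then mints a site certificate both ways and checks which one a client that trusts only the root accepts. The CA name, the www.example.com site, and every file under the scratch directory are constructed for the demo; the proxy hostname is the P1 name from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: show with openssl why HTTPS decryption
# needs a root signing cert (basicConstraints CA:TRUE) rather than a plain
# server cert for the proxy hostname. All names and files are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs

# EC keys generate quickly; RSA behaves identically for this demo.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. A private root CA, i.e. the "root signing cert" an Enterprise CA gives you.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Web Proxy Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new $KEYOPTS -sha256 -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# 2. End-entity profiles: a server identity for the proxy, and a site cert
#    of the kind the proxy mints on the fly. Both are CA:FALSE by design.
write_ext_profiles() {
  for pair in "server:wsa_name-inside.domain.com" "site:www.example.com"; do
    name=${pair%%:*}; host=${pair#*:}
    cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  done
}

# issue_cert <name> <cn> <signer> <extfile>: CSR for <cn>, signed by <signer>.
# openssl x509 does not check the signer's own CA flag; that rule is enforced
# on the verifying side, which is exactly what the demo shows.
issue_cert() {
  openssl req -new $KEYOPTS -sha256 -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days 365 -sha256 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$4" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_is_ca <name>: prints yes/no depending on basicConstraints CA:TRUE.
cert_is_ca() {
  if openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# chain_verifies <leaf> [intermediate]: 0 if a workstation trusting only
# root.crt would accept <leaf>, non-zero otherwise.
chain_verifies() {
  [ -f "$WORK/$1.crt" ] || return 1
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" \
      "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

build_demo() {
  make_root_ca
  write_ext_profiles
  # Server cert for the P1 hostname: fine for a TLS listener, useless as a signer.
  issue_cert proxy wsa_name-inside.domain.com root server.ext
  # Site cert minted the wrong way (signed with the proxy's server cert) ...
  issue_cert site_by_proxy www.example.com proxy site.ext || true
  # ... and the right way (signed with the root CA key, as the WSA does).
  issue_cert site_by_root www.example.com root site.ext
}

build_demo
echo "root is CA:     $(cert_is_ca root)"
echo "proxy is CA:    $(cert_is_ca proxy)"
chain_verifies site_by_proxy proxy && echo "site via proxy: trusted" || echo "site via proxy: REJECTED"
chain_verifies site_by_root && echo "site via root:  trusted" || echo "site via root:  REJECTED"
```

The site cert chained through the server cert is rejected with "invalid CA certificate" because the intermediate lacks CA:TRUE, while the one signed by the root verifies. That is the same check a workstation performs against whatever the WSA presents, which is why the cert loaded on the appliance has to be a signing cert in a chain the clients trust, whatever hostname the interfaces carry.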