We are going to use the UAG with AD for SSO to a SharePoint server and a set of 10+ web application servers behind the UAG; the connections are supposed to be HTTPS. I would like to know if the use of a wildcard server certificate is mandatory in this kind of environment, or whether a server certificate for each application server is also possible for this requirement?
Thanks a lot!
- Edited by llk1234 Tuesday, January 07, 2014 6:59 AM
It is not mandatory, but recommended. The reason for the recommendation is that you can use just one trunk for publishing instead of 10 different trunks (10 IPs) if you use a single server SSL cert, e.g. if you use app01.domain.com to app10.domain.com. As an alternative to the wildcard cert you can use a SAN certificate which has all app host names included, just in case this makes a price difference.
I would recommend using the wildcard cert, because UAG configuration and management is much simpler than with single server certificates, and the SAN certificate is inflexible if you want to add more apps, because you have to request a new certificate whenever you add a new application.
Hope that helps,
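The following is an added example, not code from the thread or from UAG, showing the host-name coverage behind the answer above: which of the three certificate choices (wildcard, SAN, one cert per server) actually covers a set of published host names, using the browser-side wildcard rules of RFC 6125. The app01..app10.domain.com names are constructed to follow the naming used in the answer; "app11.domain.com" is a constructed eleventh application added later.

```python
# Added example: which certificate options cover a set of UAG-published
# host names?  Not code from the thread or from UAG; the host names are
# constructed to match the app01..app10.domain.com naming used above.

from typing import Dict, List, Sequence


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a single dNSName/CN from a certificate covers hostname.

    Rules follow RFC 6125 section 6.4.3 as browsers enforce them:
      * comparison is case-insensitive
      * a wildcard is only honoured as the entire left-most label
      * the wildcard matches exactly one label, so "*.domain.com" covers
        "app01.domain.com" but not "domain.com" or "x.app01.domain.com"
      * a wildcard needs at least two further labels ("*.com" is rejected)
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def cert_covers(cert_names: Sequence[str], hostname: str) -> bool:
    """True if any name carried by the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered_hosts(cert_names: Sequence[str], hostnames: Sequence[str]) -> List[str]:
    """Host names that could not be published behind a trunk using this cert."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


# Constructed host names for the ten published applications.
APP_HOSTS = [f"app{i:02d}.domain.com" for i in range(1, 11)]

# The three certificate choices discussed in the thread, expressed as the
# names each certificate would carry (CN / subjectAltName dNSName entries).
CERT_OPTIONS: Dict[str, List[str]] = {
    "wildcard": ["*.domain.com"],
    "san": list(APP_HOSTS),            # every host name enumerated up front
    "per-app": ["app01.domain.com"],   # one cert per server, one trunk each
}


def coverage_report(hostnames: Sequence[str]) -> Dict[str, List[str]]:
    """Map each certificate option to the host names it fails to cover."""
    return {name: uncovered_hosts(names, hostnames) for name, names in CERT_OPTIONS.items()}


if __name__ == "__main__":
    # Day one: ten apps.
    for option, missing in coverage_report(APP_HOSTS).items():
        print(f"{option:8s} uncovered: {missing or 'none'}")
    # Later: an eleventh app is added.  The wildcard keeps working; the SAN
    # certificate has to be reissued with the new name.
    for option, missing in coverage_report(APP_HOSTS + ["app11.domain.com"]).items():
        print(f"{option:8s} uncovered after adding app11: {missing or 'none'}")
```

Two caveats the report makes visible: a wildcard matches exactly one label, so a host such as x.app01.domain.com would need its own name in the certificate, and whichever option is chosen the certificate and its private key sit on the UAG trunk, so a single wildcard key is the one key protecting every published application and should be protected accordingly.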
Thanks, Lutz, for your advice!
As I am new to UAG, I would like to know: if I create different trunks for each server, can SSO still be configured to cover these 10 different HTTPS trunks? If yes, where should this be configured?
Thanks again!
- Edited by llk1234 Wednesday, January 08, 2014 12:57 AM
Yes, this can be achieved through cross-site single sign-on: http://technet.microsoft.com/en-us/library/ee921441.aspx
As we are going to use the client certificate's email in addition to username and password for the authentication, and according to the cross-site SSO link provided "client certification authentication" is not supported, does this mean that I have to use a single HTTPS trunk to cover all the backend servers, and that this implies only a wildcard or SAN server certificate can be used for this requirement?