IP-HTTPS Certificate Configuration

  • Question

  • Hi, everyone.  I have set up the lab and everything works fine.  However, the production environment will use a third-party certificate, and is also load-balanced.  This leads me to ask the following questions:

    1) for the IP-HTTPS certificate, does the cert need to have alternate names?  In other words, do I need to include the two server names as alternate names in order for the certificate to work?

    2) am I correct in thinking that I need to publish the DirectAccess URL to the FIRST public IP address only?

    3) and lastly... how do I go about generating the certificate request?  (I'm a complete newbie, so please bear with me.)  I understand that IIS can be used under certain circumstances.  Does IIS apply in this case?  I ask because I do not see any option to include alternate names when I use IIS.

    Thank you ahead of time for your input.  I greatly appreciate it.

    Tuesday, December 6, 2011 4:54 PM

Answers

  • Hi, load balancing means introducing DIP and VIP addresses. The FQDN of your certificate name should point to a DNS name corresponding to your first virtual IP address on your load balancer. The same IP-HTTPS certificate must be provisioned on each UAG node inside the farm.

    If you use a third-party certificate, there is no need to publish your internal CRL. At last, you can use IIS to generate your certificate request.

    If you need more information about DirectAccess deployment in load balancing (NLB scenario), you can follow my blog: http://danstoncloud.com/blogs/simplebydesign/archive/2010/08/11/directaccess-high-availability-with-uag-2010-part-1.aspx

    Basics will be the same for HLB.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Tuesday, December 6, 2011 5:18 PM

All replies

  • 1) No, the IP-HTTPS certificate does not need alternate names. You choose one public DNS name (directaccess.company.com or whatever you want it to be) and that single IP takes care of the entire farm.

    2) The public DNS name that you decide on points to the primary Virtual IP. For a load balanced environment, you will be moving from 2 public IPs to 4 public IPs (assuming you are running 2 servers; with more servers than that you are looking at more IPs as well).

    4 Public IPs:
    IP1 - Virtual IP #1 (this is where the public DNS record points)
    IP2 - Virtual IP #2 (this must be consecutive to the first VIP)
    IP3 - Dedicated IP #1 - this is the public IP address that is assigned to the physical NIC of Server 1
    IP4 - Dedicated IP #2 - this is the public IP address that is assigned to the physical NIC of Server 2

    3 Internal IPs:
    IP1 - Virtual IP
    IP2 - Dedicated IP #1 - internal IP assigned to the physical NIC of Server 1
    IP3 - Dedicated IP #2 - internal IP assigned to the physical NIC of Server 2

    3) Yes the Certificate Signing Request (CSR) is generated from IIS on the UAG server. Open IIS, go into the "Server Certificates" applet, then click on "Create Certificate Request..." under Actions.

    Have fun!

    Tuesday, December 6, 2011 7:02 PM
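As an added example (not part of either answer above), the same CSR can be produced from the command line with certreq.exe instead of the IIS wizard; this route lets you mark the private key exportable, so the one certificate can be installed on every UAG node in the farm as Benoit describes, and also lets you add a SAN if your CA insists on one. The organisation and the public name directaccess.company.com are placeholders to replace with your own values.

```powershell
# Added example: build a certreq INF for the IP-HTTPS certificate and submit it.
# Single-quoted here-string so "$Windows NT$" is written literally, not expanded.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=directaccess.company.com, O=Example Company, C=US"   ; placeholder subject
KeyLength = 2048
KeySpec = 1                   ; AT_KEYEXCHANGE, required for a TLS server key
KeyUsage = 0xA0               ; Digital Signature + Key Encipherment
Exportable = TRUE             ; needed so the same cert+key can be moved to each farm node
MachineKeySet = TRUE          ; store under the computer account, not the logged-on user
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1       ; Server Authentication

[Extensions]
; Optional SAN: the thread notes a single public name is all IP-HTTPS needs,
; but many public CAs now require the CN to be repeated here as a dNSName.
2.5.29.17 = "{text}"
_continue_ = "dns=directaccess.company.com&"
'@

# Write the INF as ASCII (certreq does not accept a UTF-8 BOM) and create the request.
Set-Content -Path .\iphttps.inf -Value $inf -Encoding ASCII
certreq.exe -new .\iphttps.inf .\iphttps.req

# Submit iphttps.req to the third-party CA. When the signed certificate comes back,
# bind it to the pending private key on the node where the request was generated:
# certreq.exe -accept .\iphttps.cer
# Then export it with the private key (PFX) and import it on the other UAG node(s).
```

Run this on the UAG node that will own the request; the key is created in the machine store, which is where UAG looks for the IP-HTTPS certificate.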
  • Whoops, sorry Benoit - I started typing this response a while ago and did not double check for additional posts before I clicked Submit. Didn't mean to double-up on information there :)
    Tuesday, December 6, 2011 7:04 PM
  • Thanks, BenoitS!  This is great information.  Appreciate it!
    Tuesday, December 6, 2011 7:09 PM
  • Thanks for the info, Jordan.  Very useful as well.  It reinforces what I'm thinking, which is a relief.
    Tuesday, December 6, 2011 7:52 PM