08-21-2014 06:51 AM
My main PA is configured for dual ISPs and I am going to put third-party certs on for my GlobalProtect clients. Do I put two certs on? One for each ISP?
08-21-2014 07:42 AM
Hello Infotech,
You can use the same cert for both ISP.
Thanks
08-21-2014 08:40 AM
Even if the url and IP address are different?
08-21-2014 08:43 AM
It might give you a certificate CN mismatch warning.
08-21-2014 08:56 AM
You can follow the suggestion given by Steven Pulika in the other discussion thread.
08-22-2014 07:12 AM
infotech,
Think of a certificate as belonging to a FQDN - you should have one certificate per FQDN. For example, many people create an A record in their external DNS server for vpn.mycompany.com - then purchase a certificate for vpn.mycompany.com. Via DNS, you can modify the IP behind that URL at anytime, but the certificate will always match the URL.
If you have two separate URLs with different FQDNs, you will need two separate certificates. If you have one FQDN but two IP addresses, you only need one certificate.
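The matching rule behind the advice above (one certificate per FQDN, and a mismatch warning when the client connects by IP) is what every TLS client applies before trusting a server. The block below is an added example, not code from the thread or from Palo Alto Networks: it models a certificate issued for vpn.mycompany.com (the FQDN used in the post) as a constructed dictionary and implements the hostname comparison a client performs, so you can see why a single certificate covers two ISP addresses as long as users connect by name. The IP addresses are documentation placeholders, not real portal addresses.

```python
"""Hostname-vs-certificate matching as a TLS client does it (RFC 6125 style).

Added example, not part of the forum thread. VPN_CERT below is a constructed
model of a certificate issued for vpn.mycompany.com; the IPs are placeholders
from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
"""
import ipaddress

# Constructed certificate identity: the names a client compares against.
VPN_CERT = {
    "subject_cn": "vpn.mycompany.com",
    "san_dns": ["vpn.mycompany.com"],   # dNSName SAN entries
    "san_ip": [],                        # iPAddress SAN entries (none here)
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname, case-insensitively.
    A leading '*.' wildcard covers exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_matches(cert: dict, connect_to: str) -> bool:
    """Return True if the name the user typed matches the certificate.

    An IP literal is compared only against iPAddress SAN entries, never
    against a dNSName or the CN. That is exactly why connecting to the
    portal by IP with a certificate issued for an FQDN produces the
    mismatch warning, while connecting by the FQDN does not."""
    if _is_ip_literal(connect_to):
        target = ipaddress.ip_address(connect_to)
        return any(ipaddress.ip_address(ip) == target for ip in cert["san_ip"])
    if cert["san_dns"]:
        return any(_dns_name_match(p, connect_to) for p in cert["san_dns"])
    # Legacy behaviour: the CN is consulted only when no SAN is present.
    return _dns_name_match(cert["subject_cn"], connect_to)


def check_endpoints(cert: dict, endpoints: list) -> dict:
    """Evaluate every way a user might reach the portal: name -> matches."""
    return {e: cert_matches(cert, e) for e in endpoints}


if __name__ == "__main__":
    # One FQDN resolving to two ISP addresses: the name matches, the IPs do not.
    results = check_endpoints(
        VPN_CERT, ["vpn.mycompany.com", "203.0.113.10", "198.51.100.10"]
    )
    for endpoint, ok in results.items():
        print(f"{endpoint:22} {'OK' if ok else 'CN/SAN mismatch warning'}")
```

Run as a script, it reports the FQDN as matching and both placeholder IPs as mismatches; pointing the DNS A record at either ISP address changes nothing for the client, because the comparison is against the name, not the address.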
08-25-2014 10:17 AM
So if I use the IP address instead of the FQDN it gives me the cert error, but I can go ahead and click continue and it still works, right? But if I use the FQDN it doesn't give me an error and passes me on to where I am going. Other than the annoying message, how is that better?
08-25-2014 10:27 AM
Hello Infotech,
Yes, you are right, it's just a cert error, and it will still work. There is a logic behind the error.
If the user tries to access the site through the IP and the cert has an FQDN, then the user gets a warning that "he might be connected to the wrong site because the certificate has a different CN (FQDN) name".
Basically, the software is trying to inform the user that he might be connecting to a fake site. So now the user has a chance to re-check the URL and certificate details to validate the same.
Sometimes hackers change DNS records. Let's say they change the DNS record for bankofamerica.com and point it to their server. Now when the user connects to https://bankofamerica.com, he connects to the hacker's server. But the hacker's server gives a certificate with a different CN name.
Now the software prompts the user to check the certificate, and based on the certificate CN name he can determine it's an attack. So it's a security mechanism.
Regards,
Hardik Shah
08-25-2014 12:29 PM
Well, if I am trying to connect through a GlobalProtect client, does it really matter if they get the error and have to hit continue? It seems like it would be more useful if, when they were found not to have the correct cert on them, they would be denied access.
Remoting to a network using GlobalProtect is different than going to a wrong web site.
08-25-2014 12:33 PM
Hello Infotech,
GP and accessing a website follow the same logic as far as the certificate is concerned.
In your case the certificate error doesn't matter, the user can still access GP, he just needs to accept the warning. Let me know if you have further queries.
Regards,
Hardik Shah
08-25-2014 12:41 PM
Hello Infotech,
You have an option in GP configuration, if the portal certificate is invalid, the user will not be able to connect to the GP.
FYI:
Thanks
08-25-2014 12:45 PM
Where is the setting located at, hulk? I don't see it.
08-25-2014 12:48 PM
Go to Network > GlobalProtect > Portal > Agent configuration. There you will get these options.
Thanks
08-25-2014 12:49 PM
I went there and I don't see it.
08-25-2014 12:56 PM
Could you please share a screenshot?