Dual ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP

L4 Transporter

My main PA is configured for dual ISP's and I am going to put third party certs for my global protect clients. Do I put two certs on? One for each ISP?

17 REPLIES 17

L7 Applicator

Hello Infotech,

You can use the same cert for both ISP.

Thanks

Even if the url and IP address are different?

it might give you a certificate CN mismatch warning.

You can follow the suggestion given by Steven Pulika in the other discussion thread.

infotech,

Think of a certificate as belonging to a FQDN - you should have one certificate per FQDN. For example, many people create an A record in their external DNS server for vpn.mycompany.com - then purchase a certificate for vpn.mycompany.com. Via DNS, you can modify the IP behind that URL at anytime, but the certificate will always match the URL.

If you have two separate URLs with different FQDNs, you will need two separate certificates. If you have one FQDN but two IP addresses, you only need one certificate.

So if I use the ip address instead of the FQDM it gives me the cert error but I can go ahead and click continue and it still works right? But if I use the FQDn it doesn't give me an error and passes me on to where I am going. Other than the annoying message how is that batter?

Hello Infotech,

Yes you are right, its just an cert error, and it will still work. There is a logic behind error.

If user tries to access Site through IP and cert has FQDN than user gets warning that "He might be connected to wrong site because certificate has different CN(FQDN) name".

Basically software is trying to inform user that he might be connecting to fake site. So, now user has chance to relook URL and certificate details to validate the same.

Sometimes Hackers change DNS records. Lets say they change DNS record for bankofamerica.com and point it to their server. Now user is connecting to https://bankofamerica.com, he connects to hackers server. But hackers server gives certificate with different CN name.

Now software prompts user to check certificate, based on certificate CN name he can determine its an attack. So its security mechanism.

Regards,

Hardik Shah

Well if I am trying to connect through a global protect client does it really matter if the get the error and have to hit continue. It seems like it would be more usefull if they were found not to have the correct cert on them they would be denied access.

Remoting to a network using global protect is different that going to a wrong web site.

Hello Infotech,

GP and accessing website follows same logic as long as certificate is considered.

In your case certificate error doesnt matter, user can still access GP, he just need to accept warning. Let me know if you have further query.

Regards,

Hardik Shah

Hello Infotech,

You have an option in GP configuration, if the portal certificate is invalid, the user will not be able to connect to the GP.

FYI:

GP-cert.jpg

Thanks

Where is the setting located at hulk I don't see it

Go to Network > Global Protect > Portal >Agent configuration. There you will get these options.

Thanks

I went there and I don't see it

Could you please share a screenshot.

  • 5285 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!