I need to buy a wildcard cert so that we can publish a few servers through MS TMG on a single IP. I've never actually dealt with certificates before other than self-signed ones.
We have a MS 2008 RDweb server called remote.internaldomain.internal (as it must be joined to the domain) which will have an external name of remote.externaldomain.com, and a Debian/Apache VLE/Moodle server which is called by its external name, vle.externaldomain.com, both internally and externally.
Will having the RDweb server with an internal hostname upset anything certificate-wise? When I come to import the certificate on the 2 servers will it work? Will IIS turn round and say "this certificate isn't for my hostname"?
Last edited by j17sparky; 20th October 2010 at 06:34 PM.
I don't KNOW this, but isn't a wildcard cert designed for the situation of *.domain.tld? I suspect that the internal domain name could be an issue. Can you proxy the VLE content on the TMG box and therefore use an external SSL DNS name?
You could then, if needed, use a self-signed SSL cert for internal clients.
I can't see the VLE being a problem as it is already named by its external address, plus you can name your web server whatever you want in Apache. Can you do this in IIS? I can't seem to find an option to do it. Bloody MS GUI crap, give me a plain text config file any day!
Internally I don't really care tbh, in fact I don't think I've even changed the link from http to https for the VLE.
The way we overcame it was:
- Install the wildcard SSL certificate on the RDWeb Server
- Get the RDWeb Server to use the certificate
- Create an A record for remote.externaldomain.com with the IP of the RDWeb server
- Edit the TMG Rule for RDWeb and when it asks for the computer name or IP to resolve enter remote.externaldomain.com
This will keep the certificate chain intact.
Last edited by j17sparky; 21st October 2010 at 10:38 AM.
The certificate will install, but you need to refer to the machine both internally and externally as remote.externaldomain.com so you don't get a certificate warning in IE etc.
So you'll want to create another domain within DNS on your boxes, really, called <external.domain.com>, then add an entry in there for the internal IP address of the server remotemachine (Host A record). Make sure all of the PCs internally use the external website name and it'll resolve with the internal IP address but will keep the SSL cert from causing an error. It has the added benefit of the staff and students only needing to know the one address as well. We've had to do this with about 6 internal servers, soon to be growing to 9 (I don't want to buy single SSL certs for all of these, and of course I'm bound to add more later).
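The reason every reply above ends up steering both internal and external clients to the external name is the wildcard matching rule that browsers (and the IIS/Apache clients) apply when they check a certificate against the hostname in the URL. The script below is an added example written for this page, not code from the thread or from any of the products mentioned; the function names `wildcard_matches` and `coverage_report` are my own, and the hostnames are the ones the thread discusses. It implements the RFC 6125 wildcard rules, which go slightly beyond the specific case here: a `*` is honoured only as the whole leftmost label and matches exactly one label, so `*.externaldomain.com` covers remote.externaldomain.com and vle.externaldomain.com but not remote.internaldomain.internal, not the bare externaldomain.com, and not a deeper name such as sub.remote.externaldomain.com.

```python
"""Check which hostnames a wildcard certificate name covers.

Added example (not from the thread): implements the RFC 6125 wildcard
matching rules that browsers apply, so you can see before buying the
certificate which of the names in the thread *.externaldomain.com will
satisfy and which will still raise a name-mismatch warning.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      * comparison is case-insensitive (DNS names are);
      * a '*' is only honoured as the entire leftmost label;
      * '*' matches exactly one label, so *.example.com covers
        host.example.com but neither example.com nor a.b.example.com;
      * a wildcard must leave at least two literal labels (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain (non-wildcard) name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label and nowhere else
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style patterns
    if len(h_labels) != len(p_labels):
        return False  # '*' matches exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def coverage_report(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(wildcard_matches(p, h) for p in cert_names) for h in hostnames}


# Constructed sample: the certificate name and the hosts the thread talks about.
CERT_NAMES = ["*.externaldomain.com"]
THREAD_HOSTS = [
    "remote.externaldomain.com",       # RDWeb reached via its external name
    "vle.externaldomain.com",          # Moodle/Apache box
    "remote.internaldomain.internal",  # RDWeb by its AD-joined name: NOT covered
    "externaldomain.com",              # bare domain: NOT covered by the wildcard
    "sub.remote.externaldomain.com",   # extra label: NOT covered either
]

if __name__ == "__main__":
    for host, ok in coverage_report(CERT_NAMES, THREAD_HOSTS).items():
        print(f"{host:35s} {'covered' if ok else 'NOT covered'}")
```

Running it shows the two external names as covered and the internal AD name as not covered, which is exactly why the split-DNS zone above (external name resolving to the internal IP) is the fix rather than a second certificate: the certificate never has to know about remote.internaldomain.internal as long as nobody types that name into a browser.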