This was a particularly difficult one to resolve. Dealing with maintenance windows and lack of a testing environment makes things particularly stressful. In the end pay close attention to what address the SSL certificate is issued to. In my case the common name was issued to an old url that was no longer used in day to day work, but had a dns entry published to point to the old IP address. The old ip address (also not used in day to day talks) was added as an additional ip to the working secure gateway. We wanted to add some redundancy to the setup by adding an additional SG. The problem was that when the new SG would check it's certificate, it would resolve to the IP of the other SG and route traffic though it. The fix?
adding a host entry to the local host file of the new SG to map the common name url to the new SG ip address. Effectively keeping the traffic on the new SG.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment