To verify properly, the certificate must match the fqdn that appears in the
address bar of the user's browser.  You can achieve this by either having the
user type it, or linking/redirecting to that URL from another page.  Create your
CSR for the fqdn that you want your users to type and/or the URL you plan to
link to.  The browser doesn't perform any RDNS lookups to verify the cert, which
means that all you need to configure is DNS sufficient to get Joe Internet User
1) to the server 2) with the correct URL.

Hope that helps more than harms ... :)

Dan Hitchcock
Network Engineer
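The check Dan describes (the host in the address bar compared with the certificate's names, reverse DNS playing no part) as an added example that is not part of this thread: the hostnames and the TEST-NET address 198.51.100.20 are constructed, and the matching rules model browser behaviour in general, not anything specific to FireWall-1.

```python
import ipaddress
from typing import Dict, List

def _dns_id_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the URL host; a wildcard counts only
    as the whole left-most label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def cert_matches_url_host(url_host: str, san: Dict[str, List[str]], cn: str = "") -> bool:
    """Decide whether a certificate is valid for the host the browser is showing.
    url_host: host part of the address-bar URL *after* any redirect.
    san: subjectAltName as {'DNS': [...], 'IP': [...]}; cn: legacy fallback only.
    Absent on purpose: the IP the socket connected to and its reverse DNS."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is matched only against iPAddress SAN entries.
        return any(ipaddress.ip_address(x) == ip for x in san.get("IP", []))
    dns_ids = san.get("DNS", [])
    if dns_ids:
        return any(_dns_id_match(p, url_host) for p in dns_ids)
    return bool(cn) and _dns_id_match(cn, url_host)

def thread_scenario() -> Dict[str, bool]:
    """The redirect from the thread, with constructed names and TEST-NET addresses."""
    logical_cert = {"DNS": ["www.example.com"]}  # cert issued to the logical server's name
    real_cert = {"DNS": ["web2.example.com"], "IP": ["198.51.100.20"]}  # one real server
    return {
        # User types https://www.example.com and is answered by the logical server.
        "typed_name_on_logical_server": cert_matches_url_host("www.example.com", logical_cert),
        # Redirect to https://198.51.100.20 (a real server's NAT address): the address
        # bar now shows the IP literal, so the logical-server cert fails, RDNS or not.
        "redirect_to_ip_with_dns_cert": cert_matches_url_host("198.51.100.20", logical_cert),
        # Redirect to a name that is on the real server's cert instead: passes.
        "redirect_to_name_on_real_cert": cert_matches_url_host("web2.example.com", real_cert),
        # Or keep the IP redirect and put that IP in the real cert's SAN: also passes.
        "redirect_to_ip_with_ip_san": cert_matches_url_host("198.51.100.20", real_cert),
    }
```

The practical consequence is the one Dan gives: whatever name the redirect lands on is the name (or IP) the certificate must carry.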
"East, Bill" <[EMAIL PROTECTED]> on 06/27/2000 01:23:31 PM

To:   "'FW-1 Mailing list'" <[EMAIL PROTECTED]>
cc:    (bcc: Dan Hitchcock/CSB)

Subject:  [FW1] Load balancing and SSL
I'm trying to figure out Checkpoint's load balancing feature based on the
documentation and what little I know of SSL. As far as I can tell, the
process will go something like this:

- The browser will request a page from https://207.29.xxx.xxx (a logical
server)
- Firewall-1 will send back a redirect to https://207.29.xxx.yyy (the NAT
address of one or the other of the load-balanced servers)
- The browser will load the page as well as the server's certificate.
- The browser will then compare the fqdn on the certificate to --what?

This is where I have problems. The fqdn that the user entered in the
browser? The RDNS lookup result? If it is the former, then the fqdn on the
server certificate should be that of the logical server. If it's the latter,
it should be the fqdn of the server itself. Obviously this will impact how I
set up the RDNS, not to mention what name I put on the certificate.

If anyone has had experience with this I would appreciate the information.

--
Bill



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================