
Certificate Question

I have 2 XGs configured in an active/standby HA (failover) configuration.  I am enabling HTTPS scanning.  Do network hosts require two certificates--one from the main XG and another from the secondary (standby) XG?  Or will the cert from the main XG work for both?  In other words, in a failover event where the secondary XG takes over, will a host with only the cert from the main XG still be able to access https sites, or does it need a cert from both XGs?  Thanks.



  • Hmmm.  Now I cannot remember what I did, I would think you could do it either way.  When I think about it you should be able to set up the cert to have multiple IPs listed under the common name and then use the same hostname for each if you have your DNS set up right.  And/or create a separate cert for each device and load them into the host OS.

    But now I cannot remember what I did lol.  (Not there now) Anyone?

  • You only need to import 1 (2) CA.

    One for HTTPS Decryption.

    One for the Default Certificate (most likely block pages etc.).

    But both certificates will be shared between the HA.

    Actually you can generate a CA by yourself in Windows Server and upload it to a couple of XGs to use them there.

  • Thank you LuCar.  I'm not sure I follow... The directions in this article only mention the need for a single certificate that you download from the XG: https://community.sophos.com/kb/en-us/123048  I downloaded this certificate already and pushed it out with group policy.  Without the cert I couldn't access https sites (when https scanning was enabled) but with the cert I could.

    But you're saying I need two certs?  Where do these come from?  I've never done this before.  Thanks!

  • Thank you Badrobot.  Actually, I was following this article https://community.sophos.com/kb/en-us/123048 which said to download SecurityAppliance_SSL_CA from the firewall, which is what I did.  I tested it on my local computer and it worked, so I deployed it with group policy.  Then it occurred to me that it might not work with the standby XG.  I suppose I could trigger HA, enable https scanning, and test it again during off hours.

  • There are two different CAs on XG.

    One for the HTTPS Scanning (SecurityAppliance_SSL_CA) and a Default CA.

    The Default CA is most likely used for all XG facilities.

    So to speak, the Webadmin page, the User Portal, block pages etc. Those pages are using the Default CA. So you would have to import them as well.