It's been in the back of my mind that perhaps that's a mismatch still,but, like I said no one complains at me about cert(s), UNTIL I enable the tunnel. Essentially they gave us a newer version of the wildcard. The wildcard cert I have on the UAGs is the same wildcard cert from the same CA as the one out on F5 for the LTMs, but, it does have a different expiration date. The cert hasn't changed, it's still the same wildcard cert. The thing that has me scratching my head about certs though, in particular our wildcard cert, is if I disable tunneling via the UAG, I can get in via PCoIP/BLAST on them. With the boxes checked and coming through the security servers, I can do USB. To re-clarify, our security guys are saying the same firewall rules should be in place for the UAGs on the DMZ, as was the security servers. Hopefully you can spot what we're missing. Hopefully this isn't too crazy to read through. If I check the box for tunnel connections on the brokers, I can get in, but, I won't be able to do USB pass through. I'm testing by bypassing the GTM and going directly to the external LTM. We have all 3 boxes unchecked on the isolated connection brokers.įrom the outside when I try to get in, I get that a tunnel connection could not be established and to try again.For Tunnel Eternal URL we're using the UAG LTM FQDN:8443.For Blast External URL we're using the UAG LTM FQDN:8443.For the PCOIP External URL field we're using the IP of the UAG LTM.Again these LTMs are in front of 2 connection brokers isolated for external access. So the DC1 UAGs are pointed at DC1BrokerLTM, DC2 UAGs are pointed at DC2BrokerLTM.
This way we are not doing any 1 to 1 mapping. Inside that LTM, we have 2 brokers designated for external access. The UAGs are each configured to point at an internal LTM for their Connection Server URL.Under each of those LTMs, are 2 UAG servers. Externally when you hit the GTM, you are handed off to an LTM in either DC1 or DC2. Right now we're focused on externals, so, we'll stick to that. We have all users pointed to a GTM which is split DNS.Let me go over our architecture a bit, see how maybe we're differentiating.
0 kommentar(er)
