Secure communications between CAS and CAM
No SSL errors for users going through CAS
No SSL errors for admins going to CAS/CAM admin pages -- even when connecting to individual servers in an HA pair (rather than the service IP or name)
Support for AD SSO
Several CAS HA pairs (various mixed in-band and out-of-band deployments) and one CAM HA pair (soon to be on 4.7(2)). To simplify, let's use these:
CAS1 and CAS2 are an in-band CAS HA pair (supports VPN and wireless networks)
CAS3 and CAS4 are an out-of-band CAS HA pair (supports users on wired switches)
CAM1 and CAM2 are the HA CAM pair
Client devices running Mac OS X (10.4 and 10.5), Windows XP, Windows 7 (mostly on latest agent)
Certificates must be issued by an already deployed PKI (based on Microsoft Certificate Services)
1. Does anyone have a clever naming scheme (or IP addressing scheme) for the Service Name?
2. The certificate subject will match the FQDN that resolves to the Service IP, but should I include the IP addresses (of the individual servers in the HA pair), FQDNs, both, or neither in the subject alternate name attribute?
3. Is there any reason to include just the hostname anywhere in the certificate (as is required by Internet Explorer and various Windows processes for IWA)?
4. Would this approach work?
nac1.domain.tld resolves to the Service IP for the CAS1/CAS2 pair. The certificate for the pair would have a subject of nac1.domain.tld and the following subject alternate names: