
Do I need a Public Certificate or just public DNS/IP

Created: 11 Jan 2013 | 3 comments
D4rrell

Hi,

Just wondering if anyone can help me out.

Current Environment:

2 Universal servers sitting as a cluster in DMZ with NAT address to internal corp network. This is a purely WDE installation and no encrypted email consumers.

Problem

I need to allow external (home based) WDE machines to update over the internet to a pair of Universal Servers sitting in the DMZ. I do not have the luxury of a VPN.

Do I need to obtain just an external IP address and DNS that points to a NAT which will be configured for both servers or would I need to obtain an SSL cert?

Hope someone can help.

Cheers!


SMLatCST

In theory, you could get by without... but it would mean that any communications the clients make back to the UN will be in clear text and readable by anyone.

As the comms are going to be going through the Internet, then you'd probably want the comms encrypted with SSL.

D4rrell

SML, thanks for the answer. 

So it's fully acceptable for a WDE only client to talk to the UN over the Internet to download policies and upload logs over 443/SSL.

Using "Home user" was a bad term; it's to support mobile and home users.

I guess then the Server name in the policy (Keys.Domain.com) will need to be the same for internal and external as they could be laptops that work internally and go externally. 

Unfortunately there is no VPN, so cannot connect that way; life would be simple if that was there.

Maybe I should get CSTL to do a few days consultancy for me.

SMLatCST

No worries, happy to help.

And yes, the UN supports communications with PGP Desktop Clients over SSL encrypted comms. In fact, SSL certs are used in various parts of the UN (especially the mail side of things).

The names on the cert do not necessarily have to match, as the UN supports cert extensions for multiple names.

Feel free to get in touch with us, we're happy to work with other partners.
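
The multi-name extension mentioned in the last reply is the certificate's Subject Alternative Name (SAN) list. As an added example (not code from the thread or from the product), this Python check reports which server names used by clients are not covered by a certificate's SAN entries; every name other than Keys.Domain.com is constructed for illustration, and the SAN list is typed in by hand rather than read from a certificate.

```python
# Added example: checks client-facing server names against a certificate's
# SAN dNSName entries. The SAN list and all names except Keys.Domain.com
# are constructed sample values.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """Return True if one SAN dNSName entry covers hostname.

    Supports exact names and a wildcard that is the whole left-most
    label ("*.example.net"). Partial wildcards ("k*.example.net") are
    treated as literals and therefore never match.
    """
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        if len(pat) < 3:
            return False  # refuse overly broad entries such as "*.com"
        return host[0] != "" and host[1:] == pat[1:]
    return host == pat

def uncovered_names(client_names, san_entries):
    """Names clients will connect to that no SAN entry covers."""
    return [n for n in client_names
            if not any(san_matches(n, s) for s in san_entries)]

# Constructed SAN list: the policy name plus a wildcard for an internal zone.
SAMPLE_SANS = ["keys.domain.com", "*.corp.example.net"]

# Names a laptop might use inside and outside the network (constructed).
SAMPLE_CLIENT_NAMES = [
    "Keys.Domain.com",            # name from the policy, mixed case
    "keys01.corp.example.net",    # covered by the wildcard
    "keys.dmz.corp.example.net",  # two labels deep: wildcard does not apply
]

if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_CLIENT_NAMES, SAMPLE_SANS):
        print("not covered by certificate:", name)
```

Any name it reports would cause a certificate name mismatch for clients configured with that server name.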