Secure Global Desktop 4.31 Administration Guide

Multiple DNS names and X.509 certificates

If a Secure Global Desktop server is known by different names on the network, for example inside and outside a firewall, you can configure that server to have multiple DNS names. This allows Secure Global Desktop clients to use different DNS names when connecting to a Secure Global Desktop server depending on the IP address of the client device.

If you are using multiple DNS names and you want to enable secure connections, you need an X.509 certificate and key for each DNS name that is being used.

You configure Secure Global Desktop to use multiple X.509 certificates with the tarantella config edit --tarantella-config-ssldaemon-certfiles "filter" ... command. This command lets you specify the certificate and key to use for a particular client and server combination. Each filter has the form:

"clientip:clientport:serverip:serverport:keyfile:certfile"

On the command line, enclose each filter in quotes and use a space to separate the filters. You can use wildcards for the ports and IP addresses. The order of the filters is important, as the first matching filter found is used.

Set up your filters to match the same client connections as your server DNS names configuration.

Example

The following example assumes that you have already obtained an X.509 certificate and key for each DNS name, and that Secure Global Desktop is installed in the standard installation directory (/opt/tarantella).

You have configured the DNS names for the Secure Global Desktop server boston as follows:

tarantella config edit --server-dns-external "192.168.5.*:boston.indigo-insurance.com" "*:www.indigo-insurance.com"

To configure the certificates and keys for these names, run the following command:

tarantella config edit --tarantella-config-ssldaemon-certfiles \
 "192.168.5.*:*:192.168.5.24:*:/opt/tarantella/var/tsp/key.pem:/opt/tarantella/var/tsp/cert.pem" \
 "*:*:192.168.10.24:*:/opt/tarantella/var/tsp/externalkey.pem:/opt/tarantella/var/tsp/externalcert.pem"

With this configuration, clients with an IP address beginning 192.168.5 connect to boston.indigo-insurance.com and use the key.pem key and cert.pem certificate for the SSL connection. All other clients connect to www.indigo-insurance.com and use the externalkey.pem key and externalcert.pem certificate for the SSL connection. If the order of the filters were reversed, all clients would use the externalkey.pem key and externalcert.pem certificate for the SSL connection.
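
The first-match rule described above, modelled in Python as an added example (not part of the original guide and not Secure Global Desktop code): it parses filters, returns the key and certificate of the first match, and flags filters that an earlier filter makes unreachable. It assumes shell-style * matching, IPv4 addresses and colon-free paths; the function names, the client addresses and the ORDERED/REVERSED filters are constructed for illustration.

```python
from fnmatch import fnmatchcase

MATCH = ("clientip", "clientport", "serverip", "serverport")

def parse_filter(text):
    """Split one filter into its six fields (assumes IPv4 and colon-free paths)."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields: {text!r}")
    return dict(zip(MATCH + ("keyfile", "certfile"), parts))

def select(filters, clientip, clientport, serverip, serverport):
    """Return (keyfile, certfile) from the first filter matching the connection."""
    conn = dict(zip(MATCH, (clientip, str(clientport), serverip, str(serverport))))
    for f in map(parse_filter, filters):
        if all(fnmatchcase(conn[k], f[k]) for k in MATCH):
            return f["keyfile"], f["certfile"]
    return None  # no filter matched; what the server does then is not modelled

def shadowed(filters):
    """Indexes of filters that can never be used because an earlier one covers them."""
    parsed = [parse_filter(f) for f in filters]
    # An earlier pattern covers a later one if it matches the later pattern's text.
    return [i for i, later in enumerate(parsed)
            if any(all(fnmatchcase(later[k], earlier[k]) for k in MATCH)
                   for earlier in parsed[:i])]

# Filters from the example on this page.
PAGE = [
    "192.168.5.*:*:192.168.5.24:*:/opt/tarantella/var/tsp/key.pem:/opt/tarantella/var/tsp/cert.pem",
    "*:*:192.168.10.24:*:/opt/tarantella/var/tsp/externalkey.pem:/opt/tarantella/var/tsp/externalcert.pem",
]
# Constructed filters (hypothetical paths): specific rule first, catch-all last.
ORDERED = [
    "192.168.5.*:*:*:*:/tmp/int-key.pem:/tmp/int-cert.pem",
    "*:*:*:*:/tmp/ext-key.pem:/tmp/ext-cert.pem",
]
REVERSED = ORDERED[::-1]

if __name__ == "__main__":
    # Constructed connections: an internal client and an external one.
    print(select(PAGE, "192.168.5.7", 40000, "192.168.5.24", 443))
    print(select(PAGE, "203.0.113.9", 40000, "192.168.10.24", 443))
    print(select(REVERSED, "192.168.5.7", 40000, "192.168.5.24", 443))
    print("unreachable filters in REVERSED:", shadowed(REVERSED))
```

Running shadowed() over a filter list before applying it with tarantella config edit catches a catch-all filter placed ahead of a more specific one.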
