<html><body><div style="font-family: Verdana; font-size: 10pt; color: #000000"><div><br></div><div>Our lab expressway cluster is on its way to be completed... only thing missing is the certificates.</div><div><br></div><div>I read up a little on the archives, but still not so clear.</div><div><br></div><div>We're going to be getting individual certs for each Exp-C and Exp-E member (a cluster of 2xC, 2xE).</div><div><br></div><div>I don't believe I need any SANs for the Exp-C. But I'm not sure if I need the cluster name in the certificate.</div><div><br></div><div><ul><li>CERT 1: CN=exp-c-a.acme.com, SAN=exp-c-cluster.acme.com</li><li><span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">CERT 2: CN=</span>exp-c-b.acme.com, <span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">SAN=exp-c-cluster.acme.com</span></li></ul></div><div><br></div><div>For the Exp-E, I'd like to add the hostname for the outside interface, as well as the CNAME for the services domain, and the CNAME/ALIAS I'm using for the collab-edge resolution.</div><div><div style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;"><ul><li>CERT 1: CN=exp-e-a.acme.com, SAN=exp-e-cluster.acme.com, exp-e-a-out.acme.com, myjabber.acme.com, proxy-a.acme.com</li><li><span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">CERT 2: CN=</span>exp-e-b.acme.com, <span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">SAN=exp-e-cluster.acme.com, <span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">exp-e-b-out.acme.com, <span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">myjabber.acme.com, <span style="font-size: 13.3333px;" data-mce-style="font-size: 13.3333px;">proxy-b.acme.com</span></span></span></span></li></ul></div></div><div><br></div><div>In our use case, _collab-edge SRV records resolve to proxy-a and proxy-b, and those resolve to the exp-e-a-out and exp-e-b-out interfaces 
respectively.</div><div><br></div><div>Anything special to get off-prem hardware devices like the 88/98xx, DX and SX to work properly via MRA?</div><div><br></div><div><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst, Network Infrastructure<br>Computing and Communications Services (CCS)<br>University of Guelph<br><div><br></div>519‐824‐4120 Ext 56354<br>lelio@uoguelph.ca<br>www.uoguelph.ca/ccs<br>Room 037, Animal Science and Nutrition Building<br>Guelph, Ontario, N1G 2W1<span name="x"></span><br></div><div><br></div></div></body></html>