Is it possible to setup multiple remote WithSecure connectors with the same self-signed certificate?
Can we configure multiple remote WithSecure connectors to use the same self-signed certificate from one of the connectors? We have several remote sites, each equipped with its own WithSecure connector. However, we've encountered issues with software updates when clients move between sites with different connectors. Our goal is to set up all connectors with a uniform certificate so that endpoints can access software updates from the nearest connector. Is this feasible?
Answers
-
Hi @Ernest_za
Thank you for reaching out to the WithSecure Community.
We appreciate your inquiry, and we are here to clarify that when configuring Elements clients version 23.4 or higher, you have the ability to specify multiple Elements Connectors separated by a semicolon.
For instance:
http://myconnector.local;http://myproxy2.com:8080
By providing multiple Connectors, the Elements client will randomly select one from the list to establish a connection. In case the selected Connector becomes unavailable, it will automatically switch to another available Connector in order to maintain uninterrupted service.
To define multiple Connectors correctly, please ensure their configuration is set in both the General Settings and Software Updater sections of the Elements profile.
You can refer this user guide for more information.
With this setup, when attempting a connection, the client will first try connecting with the first specified Connector in the list. If unsuccessful, it will proceed sequentially through each subsequent Connector until it successfully establishes a connection.
I hope this explanation clarifies how you can leverage multiple Elements Connectors effectively for redundancy and automatic failover within your Elements Connector deployment. Please let me know if there are any further questions or if I can assist you with optimizing this configuration.
Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™ -
Hi @Sethu Laks,
Thanks for the reply.
The issue I have in configuring as described by the user guide by specifying multiple Elements Connectors separated by a semicolon, is that it will only work for definition updates and not software updates. As software updates require you to install a connector generated certificate that is unique to each connector. We also found that if the client was able to access the first connector over a WAN link, it will start updating from that connector and not its closest connector. We once tried using network location to identify the closest connector, but it also appeared not to work 100% as expected.
We have tried a couple of configurations and are happy to configure multiple profiles, but it would be great if we could deploy a single certificate instead of a unique certificate per site.
-
Hi @Ernest_za
Based on your situation, we would recommend two options for setting up consistent CA certificates across your Connectors:
- Copy the CA certificate (fspms-ca.jks file) to all Connectors and import it on managed hosts per these instructions in this page. This allows each Connector to generate a unique cert signed by the same CA. The CA would need to be renewed every 4 years.
- Obtain a commercial wildcarded certificate and import it to each Connector using these steps. A wildcard cert avoids renewal hassles by covering multiple hostnames.
The commercial wildcard certificate is the preferable approach since it avoids having to re-sync and regenerate new certificates every few years.
However, copying the CA file is an alternative if you would rather use the auto-generated certs short-term.
Please let us know if you need any assistance with either option for standardizing certificates across Connectors. We are happy to provide more detailed guidance to get this implemented in your environment.
Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™
