
Is it possible to setup multiple remote WithSecure connectors with the same self-signed certificate?

Ernest_za
Ernest_za W/ Partner Posts: 6 Security Scout

Can we configure multiple remote WithSecure connectors to use the same self-signed certificate from one of the connectors? We have several remote sites, each equipped with its own WithSecure connector. However, we've encountered issues with software updates when clients move between sites with different connectors. Our goal is to set up all connectors with a uniform certificate so that endpoints can access software updates from the nearest connector. Is this feasible?

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 221 Moderator
    edited September 2023

    Hi @Ernest_za

    Thank you for reaching out to the WithSecure Community.

    We appreciate your inquiry, and we are here to clarify that when configuring Elements clients version 23.4 or higher, you have the ability to specify multiple Elements Connectors separated by a semicolon.

    For instance:

    http://myconnector.local;http://myproxy2.com:8080
    

    By providing multiple Connectors, the Elements client will randomly select one from the list to establish a connection. In case the selected Connector becomes unavailable, it will automatically switch to another available Connector in order to maintain uninterrupted service.

    To define multiple Connectors correctly, please ensure their configuration is set in both the General Settings and Software Updater sections of the Elements profile.

    You can refer to this user guide for more information.

    With this setup, when attempting a connection, the client will first try connecting with the first specified Connector in the list. If unsuccessful, it will proceed sequentially through each subsequent Connector until it successfully establishes a connection.

    I hope this explanation clarifies how you can leverage multiple Elements Connectors effectively for redundancy and automatic failover within your Elements Connector deployment. Please let me know if there are any further questions or if I can assist you with optimizing this configuration.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • Ernest_za
    Ernest_za W/ Partner Posts: 6 Security Scout

    Hi @Sethu Laks,

    Thanks for the reply.

    The issue I have in configuring as described by the user guide, by specifying multiple Elements Connectors separated by a semicolon, is that it will only work for definition updates and not software updates, as software updates require you to install a connector-generated certificate that is unique to each connector. We also found that if the client was able to access the first connector over a WAN link, it will start updating from that connector and not its closest connector. We once tried using network location to identify the closest connector, but it also appeared not to work 100% as expected.

    We have tried a couple of configurations and are happy to configure multiple profiles, but it would be great if we could deploy a single certificate instead of a unique certificate per site.

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 221 Moderator
    edited September 2023

    Hi @Ernest_za

    Based on your situation, we would recommend two options for setting up consistent CA certificates across your Connectors:

    1. Copy the CA certificate (fspms-ca.jks file) to all Connectors and import it on managed hosts per the instructions on this page. This allows each Connector to generate a unique cert signed by the same CA. The CA would need to be renewed every 4 years.
    2. Obtain a commercial wildcard certificate and import it to each Connector using these steps. A wildcard cert avoids renewal hassles by covering multiple hostnames.

    The commercial wildcard certificate is the preferable approach since it avoids having to re-sync and regenerate new certificates every few years.

    However, copying the CA file is an alternative if you would rather use the auto-generated certs short-term.

    Please let us know if you need any assistance with either option for standardizing certificates across Connectors. We are happy to provide more detailed guidance to get this implemented in your environment.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home
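The following is an added example, not WithSecure's code and not something posted in this thread. It takes the semicolon-separated connector list format from the first reply and, for the wildcard-certificate option in the reply above, checks whether each connector hostname is actually covered by the certificate's subject alternative names under the standard TLS wildcard rules (RFC 6125 section 6.4.3: `*` may only be the whole left-most label and matches exactly one label, so `*.corp.example` covers `connector-a.corp.example` but neither `corp.example` nor `a.b.corp.example`). A connector on a different domain, or nested one label deeper, is reported as uncovered before the certificate is rolled out. All URLs and hostnames are constructed sample values.

```python
"""Check that a wildcard certificate covers every configured Elements Connector.

Added example (not WithSecure's code).  Assumptions: the connector setting is a
';'-separated list of URLs as shown in the thread, and certificate names follow
RFC 6125 wildcard matching.  Hostnames below are constructed.
"""
from urllib.parse import urlsplit


def parse_connector_list(value: str) -> list:
    """Split the semicolon-separated connector setting into (scheme, host, port) tuples."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"invalid connector URL: {raw!r}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        entries.append((parts.scheme, parts.hostname.lower(), port))
    return entries


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (literal or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, appear only there, and
    # be followed by at least two labels (no '*.com').  It matches one label,
    # so the hostname must have exactly as many labels as the pattern.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_connectors(connector_setting: str, san_names: list) -> list:
    """Return connector hostnames that no SAN entry of the certificate covers."""
    missing = []
    for _scheme, host, _port in parse_connector_list(connector_setting):
        if not any(hostname_matches(name, host) for name in san_names):
            missing.append(host)
    return missing


if __name__ == "__main__":
    # Constructed sample: three sites, one of them outside the wildcard's domain.
    setting = ("https://connector-a.corp.example;"
               "https://connector-b.corp.example:8443;"
               "https://updates.example.net")
    san = ["*.corp.example"]
    print("not covered by", san, "->", uncovered_connectors(setting, san))
```

The SAN list would normally be read from the candidate certificate (for example with `openssl x509 -noout -ext subjectAltName`) and the connector setting copied from the profile's General Settings and Software Updater sections, so the check is run against the same list the clients will use.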

  • Ernest_za
    Ernest_za W/ Partner Posts: 6 Security Scout

    Hi @Sethu Laks

    Thanks for the feedback. I will definitely give it a go and reply.

This discussion has been closed.