I am implementing an igel cloud gateway and I had a question about the certificate part. I would like to use a public certificate (Digicert), does the certificate have to contain the public IP address that is associated with my cloud gateway server after the NAT? Or does it have to contain the internal IP address of the igel cloud gateway server?
Thanks for your help
You’ll want the public (IP or hostname) that the devices use to connect to the ICG server, as well as the private (IP or hostname) that the UMS uses to communicate with the ICG. The ICG is accepting connections from both ends, so the cert chain must look valid from both ends.
Just something to keep in mind regarding ICG private vs public certificate.
If you get a public cert, with a 1 year expiry, and down the road you get a new cert with a different CA (ICG root cert swap), you will need to go through a special sequence to rotate out the CA+new-public-cert before your old cert expires.
It’s not too long ago that the only supported option was to manually re-enroll the devices to ICG once again. The new process is documented here: kb.igel.com/igelicg-2.05/en/exchanging-the-root-certificate-for-icg-57324440.html
The “private cert” path is exposed to the same problem, however you may have more granular control over both “Root CA cert” and “server cert” expiry. Things that make you hmmm….
Host name is best option. If you need to connect UMS to the internal IP address, you can always use a hosts file on the UMS server(s) to reroute the external host name to the internal IP. Just be sure it’s documented in case you ever replace your UMS servers for OS upgrades.
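An added check, not from this thread or from IGEL, that takes the subjectAltName line as printed by `openssl x509 -noout -ext subjectAltName -in <cert.pem>` and reports which of the names used from each side (the public hostname the devices connect to, and the internal hostname or IP the UMS connects to, or the external hostname rerouted via the hosts file) the certificate does not cover. The hostnames and addresses below are constructed samples.

```python
"""Check that an ICG server certificate's SAN covers every endpoint name used
to reach it, from the device side (public) and from the UMS side (private)."""
import ipaddress


def parse_san(san_line: str):
    """Parse an openssl-style SAN line ('DNS:a, IP Address:1.2.3.4')
    into a set of DNS patterns and a set of IP address objects."""
    dns, ips = set(), set()
    for entry in san_line.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            dns.add(entry[len("DNS:"):].strip().lower().rstrip("."))
        elif entry.startswith("IP Address:"):
            ips.add(ipaddress.ip_address(entry[len("IP Address:"):].strip()))
    return dns, ips


def _dns_matches(pattern: str, host: str) -> bool:
    # A wildcard is only honoured in the leftmost label and matches exactly
    # one label, so '*.example.com' covers 'icg.example.com' but not 'a.b.example.com'.
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def endpoint_covered(endpoint: str, dns: set, ips: set) -> bool:
    """An IP endpoint must match an 'IP Address' SAN; a hostname must match a
    'DNS' SAN. TLS clients do not accept an IP literal stored as a DNS entry."""
    try:
        return ipaddress.ip_address(endpoint) in ips
    except ValueError:
        host = endpoint.lower().rstrip(".")
        return any(_dns_matches(p, host) for p in dns)


def missing_endpoints(san_line: str, endpoints: list) -> list:
    """Return the endpoints (in input order) that the certificate would not cover."""
    dns, ips = parse_san(san_line)
    return [e for e in endpoints if not endpoint_covered(e, dns, ips)]


if __name__ == "__main__":
    # Constructed sample: cert issued for the public name and the internal IP only.
    san = "DNS:icg.example.com, IP Address:10.0.0.5"
    # Device side uses the public name; UMS side may use the internal IP,
    # the hosts-file-rerouted public name, or an internal hostname.
    wanted = ["icg.example.com", "10.0.0.5", "203.0.113.10", "icg.corp.local"]
    print("not covered:", missing_endpoints(san, wanted))
```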
Dear, thanks for your answer. It works perfectly now.