Wednesday, April 10, 2019

Implementing Certificates with a Load Balancer

Slightly different from the normal request, I hope.

One of the developers at my facility is considering implementing HA with a load balancer on an application that we develop in-house.

He asked me what industry best practices were in effect in this area now. This application has PII impacts in a HIPAA environment. Everything right now is secured over a TLS session, and hostname checks are part of this.

To me, this indicates that we need to terminate the TLS session not on the load balancer, but on the load balanced servers. (I see many debates over the last 4 years on this, with terminating on the Server being the direction people have moved in the last 2 years).

I assume most load balancers work the same, with just different names for the same type of feature.

What I'm wondering is what the most accepted way of doing this is. A SAN cert with both the HA name and the load-balanced name? (E.g., DB1 has a subject name of DB1 with a SAN of DB; DB2 has a subject name of DB2 with a SAN of DB, etc.)

*Edit 1: The application isn't web-based, so all the comments about headers aren't applicable.
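As an added illustration of the SAN layout the question describes (this is example code, not from the original post or any particular load balancer product), the following shows what a client's hostname check does with such certificates when TLS is terminated on the backend nodes. It assumes certificates are represented in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and that matching follows RFC 6125 (only subjectAltName dNSName entries are consulted, the subject CN is ignored whenever a SAN is present, comparison is case-insensitive, and a single left-most wildcard label is allowed). The sample certificates for DB1 and DB2 and the CN-only legacy certificate are constructed for this example.

```python
"""Hostname-matching check for backend certificates carrying both the node
name and the load-balanced (virtual) name in subjectAltName.

Assumptions (not from the original post): certificates use the dict shape
returned by ssl.SSLSocket.getpeercert(); matching follows RFC 6125. The
sample certificates below are constructed for illustration only.
"""
from typing import Dict, List

# Constructed samples: what getpeercert() would return from each backend.
# DB1/DB2 are the nodes' own names; DB is the load-balanced name clients use.
CERT_DB1 = {
    "subject": ((("commonName", "DB1"),),),
    "subjectAltName": (("DNS", "DB1"), ("DNS", "DB")),
}
CERT_DB2 = {
    "subject": ((("commonName", "DB2"),),),
    "subjectAltName": (("DNS", "DB2"), ("DNS", "DB")),
}
# A legacy certificate with no SAN at all. Modern TLS clients (browsers,
# Python 3.7+) ignore the CN, so this fails the check no matter what CN says.
CERT_CN_ONLY = {
    "subject": ((("commonName", "DB"),),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, must not cover a
    # whole registrable domain ("*.com"), and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: Dict) -> List[str]:
    """Return the dNSName entries of the certificate's subjectAltName."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the certificate is valid for `hostname`.

    Only subjectAltName dNSName entries are consulted; the subject CN is
    never used, so a certificate without a SAN always fails.
    """
    names = san_dns_names(cert)
    if not names:
        return False
    return any(_dns_match(name, hostname) for name in names)


def verify_pool(certs: Dict[str, Dict], vip_name: str) -> Dict[str, bool]:
    """For each backend node, confirm its certificate covers both its own
    name (direct admin/health-check connections) and the load-balanced name
    (what clients send in SNI and verify after the handshake)."""
    return {
        node: hostname_matches(cert, node) and hostname_matches(cert, vip_name)
        for node, cert in certs.items()
    }


if __name__ == "__main__":
    print(verify_pool({"DB1": CERT_DB1, "DB2": CERT_DB2}, "DB"))
    print("CN-only cert accepted for DB:", hostname_matches(CERT_CN_ONLY, "DB"))
```

The practical point this makes: because the client verifies the name it connected to (DB), every backend that terminates TLS must present a certificate whose SAN lists DB, and each node's own name only needs to be there if something connects to the node directly. Relying on the CN alone is not enough; the per-node certificate without a SAN is rejected even though its CN is DB.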
