Due to an incorrect network configuration or the use of an incorrect certificate for server-client authentication, you might experience a communication failure between the Tunnel Front-End server and the Back-End server.
- Ensure that the Front-End server can communicate with the Back-End Tunnel server on the port specified in the tunnel configuration.
- Run the following command on the Tunnel Front-End server:
  openssl s_client -connect <dest_fqdn>:<port> -servername <backend_fqdn>
  The output must display the Tunnel Back-End server's SSL certificate.
- In the server.conf file, verify the following:
  - On the Tunnel front-end server, verify that c_r_t (that is, cascade_root_thumbprint) holds the thumbprint of the Back-End server's SSL certificate.
    - The c_r_t in the Tunnel front-end server is the same as the cascade_back_end_thumbprint in the Back-End server.
  - On the Tunnel back-end server, c_r_t should hold the root CA's thumbprint of the Tunnel front-end server's SSL certificate.
    - When the AirWatch certificate is used for Server Auth, the c_r_t in the back-end server is always the same as the ssl_thumbprint in the Tunnel front-end server.
    - When a third-party SSL certificate is used for Server Auth, the c_r_t in the back-end server is the third party's root CA's thumbprint.
- Verify whether any firewall or load balancer rules block traffic between the Front-End server and the Back-End Tunnel server.
- SSL Offloading and SSL Bridging are not supported for the Per-App Tunnel configuration.
- If you are using a public certificate for server authentication, the certificate must have both Server Authentication and Client Authentication under the Enhanced Key Usage field.
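The thumbprint comparison described above can be scripted so that the value in server.conf is checked against the certificate actually presented, rather than compared by eye. The following is an added example and is not part of the original documentation or of the Tunnel product; it assumes that thumbprints in server.conf are hex SHA-1 digests (compared here case-insensitively, ignoring colons and spaces) and that the file uses key=value lines with the key names given on this page.

```shell
#!/bin/sh
# Added example: check a Tunnel server.conf thumbprint against a certificate.
# Assumption: thumbprints are SHA-1 hex digests; colons, spaces and case are ignored.

# Normalise a thumbprint: drop colons and spaces, lowercase.
norm_tp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# SHA-1 thumbprint of the first certificate in a PEM file, normalised.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Thumbprint of the leaf certificate a remote endpoint presents, using the
# same openssl s_client check as the page (host, port, SNI name). Needs
# network access, so it is not exercised by the offline test below.
remote_thumbprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Value of "key = value" in a server.conf-style file (first match wins).
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the configured thumbprint for KEY matches the PEM file, else 1.
# Usage: check_thumbprint server.conf cascade_root_thumbprint backend.pem
check_thumbprint() {
  expected=$(norm_tp "$(conf_value "$1" "$2")")
  actual=$(cert_thumbprint "$3")
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    return 0
  else
    echo "mismatch for $2: configured '$expected', certificate '$actual'" >&2
    return 1
  fi
}
```

For the back-end side, where c_r_t must match the root CA of the front-end's certificate, run `openssl s_client -showcerts` and feed the last certificate of the chain to cert_thumbprint instead of the leaf.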