I've finally gotten around to implementing our Edge presence and I think that I may be going about it wrong. Technically, anything is possible given the amount of time, but I don't want to overcomplicate things. If anyone has a similar situation they have completed or can relate to, please chime in.
Background: 2 EE Pools for HA/DR, one domain, users are split based on ID.
Edge Design: 2 Edge servers (one in each datacenter) and 2 WAP (reverse proxies)
The idea was to have the 2 Edge servers as a single point of entry, DNS round robin, outside would flow through either one, and be directed internally from either pool.
Example:
Access.domain.com would resolve via DMZ DNS to both Edge Access (Access1.domain.com and Access2.domain.com) interfaces. External certificate calls just the basic names and not the FQDNs of the external interfaces (Access.domain.com).
I am attempting to cut costs and centralize the public cert. I was able to assign the public cert to the external interface but it did warn me that the FQDN didn't match the SN of the cert. The idea is to have external users use one URL and never have to worry about changing it if they can't connect.
Am I going down a terrible path or is this a feasible solution?
TL;DR - Can I make a "generic public certificate," assign it, and have it work on the Edge External interface? Can I have DMZ DNS reference and round robin incoming connections to Access to have them go to either Access1 or 2? Is the idea of one URL to rule them all a bad one?
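The warning described above (FQDN not matching the certificate's subject name) comes from the same check every TLS client performs: the host name it dialed is compared against the certificate's subject/SAN entries. The script below is an added example, not part of the original post or of any vendor tooling; it implements that name-matching rule (exact match, plus single-label leftmost wildcards) and reports which of a set of names a certificate would fail to cover. The host names (Access.domain.com, Access1.domain.com, Access2.domain.com) are taken from the post; the SAN lists are constructed for illustration. Which names must actually be on the certificate depends on which names clients, partners and the servers themselves dial, so the point of the check is to enumerate those names first and then confirm the certificate covers every one of them.

```python
"""Check which dialed host names a certificate's SAN list would leave uncovered.

Added example for the round-robin Edge question above; not vendor code.
Matching follows the usual TLS client rule: case-insensitive exact match,
or a '*.' wildcard that covers exactly one leftmost DNS label.
"""


def host_matches_san(host: str, san: str) -> bool:
    """Return True if a client that dialed `host` would accept SAN entry `san`."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]              # "*.domain.com" -> ".domain.com"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]  # the part the wildcard must absorb
        # Wildcard covers one non-empty label only: "a.domain.com" yes,
        # "x.a.domain.com" no, bare "domain.com" no.
        return bool(prefix) and "." not in prefix
    return host == san


def uncovered_names(hostnames, sans):
    """Names from `hostnames` that no entry in `sans` covers, in sorted order."""
    return sorted(h for h in hostnames if not any(host_matches_san(h, s) for s in sans))


# Names from the post: the single round-robin entry plus the two per-server FQDNs.
DIALED_NAMES = ["Access.domain.com", "Access1.domain.com", "Access2.domain.com"]

# Constructed SAN lists for three candidate certificates (assumptions, not real certs).
GENERIC_CERT_SANS = ["Access.domain.com"]
FULL_SAN_CERT_SANS = ["Access.domain.com", "Access1.domain.com", "Access2.domain.com"]
WILDCARD_CERT_SANS = ["*.domain.com"]


def report(label, sans):
    """Print and return the uncovered names for one candidate certificate."""
    missing = uncovered_names(DIALED_NAMES, sans)
    print(f"{label}: SAN={sans} -> uncovered={missing or 'none'}")
    return missing


if __name__ == "__main__":
    report("generic cert ", GENERIC_CERT_SANS)
    report("full SAN cert", FULL_SAN_CERT_SANS)
    report("wildcard cert", WILDCARD_CERT_SANS)
```

Running it shows that a certificate carrying only the round-robin name leaves Access1 and Access2 uncovered (the source of the warning), while a SAN certificate listing all three names, or a wildcard for the domain, covers every name in the list. A wildcard still does not cover a name with an extra label under it, which the first function demonstrates.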