New to weblogic and netscaler need help with the architecture
I want to expose a service on WebLogic to the internet so mobile users can access a web service. Currently internal traffic works OK when users directly access the site, e.g. http://xxx.internal.local:7001
I need to have SSL enabled end to end for both internal users and external users, and the ability to access the web service externally and internally.
Traffic flow
https://xxx.internal.local:7002
https://xxx.external.com:443
SAN cert (has local domain and external domain) installed and imported into the WebLogic Java keystores.
What is the best way to achieve this?
Things we have tried
NetScaler admin configuring SSL passthrough on the NetScaler, i.e. no decrypt and re-encrypt, and forwarding port 443 to 7002
CNAME set up in the internal DNS to point xxx.external.com to xxx.internal.local
https://xxx.internal.local:7002
was OK and encrypted. I am unclear how this should be configured with having an external domain and internal domain together, with the NetScaler doing SSL bridging. Is there a better way to get this done, e.g. have the NetScaler offload SSL at the VIP and re-encrypt back to WebLogic, changing the HTTP Host headers to match the internal domain name (reverse proxy)?
Thanks in advance
Thanks all for the feedback. The tested working solution was as follows.
One publicly generated SAN cert (that has the external domain and internal domain in the SAN entries) installed on the NetScaler and the WebLogic server.
External users would use the external domain URL 'https://xxx.external.com:443'. The external SSL traffic would terminate at the NetScaler, be decrypted, and be re-encrypted back to the internal WebLogic server on port 7002. The NetScaler will also change the HTTP Host header in the request to the internal hostname, and will also change the response HTTP Host headers to the external hostname.
Internal users will just use the internal domain URL, e.g. https://xxx.internal.local:7002
Cert providers don't issue certs with internal domains anymore, as I understand, hence this might not work for you. But I think, to work around that problem, you can generate an internal CA cert with the internal domain name and install it on the WebLogic server and NetScaler. Purchase a publicly generated cert with the external domain name and install it on the NetScaler. So external traffic will use the public cert to encrypt the traffic, and internal traffic will be encrypted using the internal cert.
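As an added example (not code from the thread or from Citrix/Oracle), the following Python script checks the certificate requirement behind both designs above: in the single-cert design the one SAN cert must cover both xxx.external.com and xxx.internal.local, and in the two-cert design each listener's cert must cover the name clients actually put in SNI and the Host header, otherwise the re-encrypted NetScaler-to-WebLogic leg (or the internal user's browser) will fail certificate verification. The three certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; `hostnames_covered`, `_dns_match` and `fetch_peer_cert` are helper names chosen here, not part of any product API.

```python
import socket
import ssl

# Constructed sample certs, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# SAN_CERT models the single public SAN cert from the working solution.
SAN_CERT = {
    "subject": ((("commonName", "xxx.external.com"),),),
    "subjectAltName": (("DNS", "xxx.external.com"), ("DNS", "xxx.internal.local")),
}
# PUBLIC_CERT / INTERNAL_CERT model the two-cert workaround (public CA + internal CA).
PUBLIC_CERT = {
    "subject": ((("commonName", "xxx.external.com"),),),
    "subjectAltName": (("DNS", "xxx.external.com"),),
}
INTERNAL_CERT = {
    "subject": ((("commonName", "xxx.internal.local"),),),
    "subjectAltName": (("DNS", "*.internal.local"),),
}

EXTERNAL_NAME = "xxx.external.com"
INTERNAL_NAME = "xxx.internal.local"


def _dns_match(pattern, hostname):
    """Match one SAN DNS entry against a hostname, RFC 6125 style:
    case-insensitive, and a wildcard only in the left-most label covering
    exactly one label (so *.internal.local covers xxx.internal.local but not
    a.xxx.internal.local or internal.local)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # Need at least a label under the wildcard plus two more (no *.com style matches)
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostnames_covered(cert, hostnames):
    """Return {hostname: True/False} saying whether the cert's SAN DNS entries
    cover each name. Only the SAN is consulted: modern TLS clients (browsers,
    the JDK, NetScaler backend verification) ignore the CN once a SAN is present."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {h: any(_dns_match(p, h) for p in sans) for h in hostnames}


def design_ok(listener_certs):
    """listener_certs maps the hostname a client uses (SNI + Host header) to the
    cert presented on that listener. Every listener must present a cert that
    covers its own name; returns the list of names that fail."""
    return [name for name, cert in listener_certs.items()
            if not hostnames_covered(cert, [name])[name]]


def fetch_peer_cert(host, port, server_hostname=None):
    """Live check (not exercised offline): fetch the cert an endpoint presents for
    the given SNI name, verified against the system trust store. For the internal
    CA design, load that CA first with ctx.load_verify_locations(cafile=...)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("single SAN cert:", hostnames_covered(SAN_CERT, [EXTERNAL_NAME, INTERNAL_NAME]))
    # Single cert on both the NetScaler VIP (external name) and WebLogic (internal name)
    print("single-cert design failures:", design_ok({EXTERNAL_NAME: SAN_CERT, INTERNAL_NAME: SAN_CERT}))
    # Two-cert design: public cert on the VIP, internal CA cert on WebLogic
    print("two-cert design failures:", design_ok({EXTERNAL_NAME: PUBLIC_CERT, INTERNAL_NAME: INTERNAL_CERT}))
    # Misconfiguration: public cert alone also installed on WebLogic
    print("public cert on WebLogic failures:", design_ok({EXTERNAL_NAME: PUBLIC_CERT, INTERNAL_NAME: PUBLIC_CERT}))
```

Run it as-is for the offline check; to verify a real deployment, call `fetch_peer_cert("xxx.external.com", 443)` from outside and `fetch_peer_cert("xxx.internal.local", 7002)` from inside, then pass each result to `hostnames_covered`. The last case in `__main__` is the one the follow-up warns about: a public cert that only names the external domain leaves the internal listener uncovered, which is exactly why the Host header and SNI sent to WebLogic must match a name the WebLogic cert actually carries.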