CA Server Access by Clients
In a VPN tunnel with roaming clients connecting to the NetDefend Firewall, the VPN client
software may need to access the CA server. Not all VPN client software needs this access. The
Microsoft clients prior to Vista do not send CA server requests at all. With Microsoft Vista,
validation became the default behaviour, with an option to disable it. Other, non-Microsoft clients
differ in the way they work, but the majority will attempt to validate the certificate.
Placement of Private CA Servers
The easiest solution for placement of a private CA server is to have it on the unprotected side of
the NetDefend Firewall. However, this is not recommended from a security viewpoint. It is better
to place it on the inside (or preferably in the DMZ if available) and to have NetDefendOS control
access to it.
As explained previously, the address of the private CA server must be resolvable through public
DNS servers for certificate validation requests coming from the public Internet. If the certificate
queries are coming only from the NetDefend Firewall and the CA server is on the internal side of
the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so
that these requests can be resolved.
Turning Off Validation
As explained in the troubleshooting section below, problems with CA server access can be
identified by turning off the requirement to validate certificates. Attempts by NetDefendOS to
access CA servers can be disabled with the Disable CRLs option for certificate objects. This
means that checking against the CA server's revocation list is turned off, so a revoked certificate
is no longer rejected on that basis, and no access to the server is attempted.
3.9.5. Creating Windows CA Server Requests
To request certificates from a CA server or CA company, the best method is to send a CA
Certificate Request, which is a file containing a request for a certificate in a well-known,
predefined format.
The NetDefendOS Web Interface (WebUI) does not include the ability to generate certificate
requests that can be sent to a CA server for generation of the .cer and .key files required by
NetDefendOS.
It is possible, however, to manually create the required files for a Windows CA server using the
following stages.
• Create a gateway certificate on the Windows CA server and export it as a file in the .pfx format.
• Convert the .pfx file into the .pem format.
• Take out the relevant parts of the .pem file to form the required .cer and .key files.
The detailed steps for the above stages are as follows:
1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the
local NetDefendOS management workstation disk.
2. Now convert the local .pfx file to a .pem file. This can be done with the OpenSSL utility using
the console command line:
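The conversion in stage 2 and the extraction in stage 3, as an added example that is not part of the manual or of NetDefendOS: the .pfx is converted to .pem with OpenSSL, and the certificate and private key are then carved out of the .pem into separate .cer and .key files. File names, the sample .pem contents and the helper function names are assumptions; the sample contains only constructed placeholder text, not real key material.

```shell
#!/bin/sh
# Added example, not from the NetDefendOS manual. File names are assumptions.

# Stage 2: .pfx -> .pem. -nodes writes the private key unencrypted, so keep the
# .pem readable only by the management user and delete it once .cer/.key exist.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes
}

# Stage 3 helper: print exactly one "-----BEGIN <label>-----" ... "-----END <label>-----"
# block from a .pem; Bag Attributes, subject= and issuer= lines are dropped.
extract_pem_block() {
    awk -v label="$1" '
        $0 == "-----BEGIN " label "-----" { inblock = 1 }
        inblock { print }
        $0 == "-----END " label "-----"   { exit }
    ' "$2"
}

# Stage 3: write the certificate to .cer and the key to .key.
# A Windows CA export converted with -nodes normally labels the key
# "PRIVATE KEY" (PKCS#8); older tooling may write "RSA PRIVATE KEY".
split_pem() {
    pem="$1"; cer="$2"; key="$3"
    extract_pem_block "CERTIFICATE" "$pem" > "$cer"
    extract_pem_block "PRIVATE KEY" "$pem" > "$key"
    [ -s "$key" ] || extract_pem_block "RSA PRIVATE KEY" "$pem" > "$key"
    chmod 600 "$key"
}

# Constructed sample of what a converted .pfx looks like (placeholder bodies,
# not a real certificate or key), used to exercise split_pem offline.
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN=vpn-gw.example.invalid
issuer=CN=Example Private CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CERT-LINE-1
CONSTRUCTED-PLACEHOLDER-CERT-LINE-2
-----END CERTIFICATE-----
Bag Attributes
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY-LINE-1
CONSTRUCTED-PLACEHOLDER-KEY-LINE-2
-----END PRIVATE KEY-----
EOF
}
```

Running `pfx_to_pem gateway.pfx gateway.pem` followed by `split_pem gateway.pem gateway.cer gateway.key` produces the two files NetDefendOS expects; the .cer must contain only the certificate block, which is what the extraction checks.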
Chapter 3: Fundamentals
279