9.7. CA Server Access
Overview
Certificate validation can be done by accessing a separate Certifícation Server (CA) server. For
example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup
negotiation and either may then try to validate the received certificate.
A certificate contains a URL (the CRL Distribution Point) which specifies the validating CA server
and server access is performed using an HTTP GET request with an HTTP reply. (This URL is more
correctly called an FQDN - Fully Qualified Domain Name.)
CA Server Types
CA servers are of two types:
•
A commercial CA server operated by one of the commercial certificate issuing companies.
These are accessible over the public Internet and their FQDNs are resolvable through the public
Internet DNS server system.
•
A private CA server operated by the same organization setting up the VPN tunnels. The IP
address of a private server will not be known to the public DNS system unless it is explicitly
registered. It also will not be known to an internal network unless it is registered on an internal
DNS server.
Access Considerations
The following considerations should be taken into account for CA server access to succeed:
•
Either side of a VPN tunnel may issue a validation request to a CA server.
•
For a certificate validation request to be issued, the FQDN of the certificate's CA server must
first be resolved into an IP address. The following scenarios are possible:
1.
The CA server is a private server behind the NetDefend Firewall and the tunnels are set up
over the public Internet but to clients that will not try to validate the certificate sent by
NetDefendOS.
In this case, the IP address of the private server needs only be registered on a private DNS
server so the FQDN can be resolved. This private DNS server will also have to be
configured in NetDefendOS so it can be found when NetDefendOS issues a validation
request. This will also be the procedure if the tunnels are being set up entirely internally
without using the public Internet.
2.
The CA server is a private server with tunnels set up over the public Internet and with
clients that will try to validate the certificate received from NetDefendOS. In this case the
following must be done:
a.
A private DNS server must be configured so that NetDefendOS can locate the private
CA server to validate the certificates coming from clients.
b.
The external IP address of the NetDefend Firewall needs to be registered in the public
DNS system so that the FQDN reference to the private CA server in certificates sent to
clients can be resolved. For example, NetDefendOS may send a certificate to a client
with an FQDN which is ca.company.com and this will need to be resolvable by the
client to a public external IP address of the NetDefend Firewall through the public
DNS system.
9.7. CA Server Access
Chapter 9. VPN
480
Summary of Contents for NetDefend DFL-1660
Page 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Page 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Page 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Page 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Page 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Page 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Page 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Page 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Page 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Page 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Page 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Page 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Page 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Page 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...