Certificate Validation Components - D-Link NetDefend DFL-210 User Manual

9.6. CA Server Access
3. The CA server is a commercial server on the public Internet. In this, the simplest case,
public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will
need to have at least one public DNS server address configured to resolve the FQDNs in the
certificates it receives.
• It must be also possible for an HTTP PUT request to pass from the validation request source
(either the NetDefend Firewall or a client) to the CA server and an HTTP reply to be received. If
the request is going to pass through the NetDefend Firewall, the appropriate rules in the
NetDefendOS IP rule set need to be defined to allow this traffic through.
Figure 9.4. Certificate Validation Components
CA Server Access by Clients
In a VPN tunnel with roaming clients connecting to the NetDefend Firewall, the VPN client
software may need to access the CA server. Not all VPN client software will need this access. In the
Microsoft clients prior to Vista, CA server requests are not sent at all. With Microsoft Vista
validation became the default with the option to disable it. Other non-Microsoft clients differ in the
way they work but the majority will attempt to validate the certificate.
Placement of Private CA Servers
The easiest solution for placement of a private CA server is to have it on the unprotected side of the
NetDefend Firewall. This however, is not recommended from a security viewpoint. It is better to
place it on the inside (or preferably in the DMZ if available) and to have NetDefendOS control
access to it.
393
Chapter 9. VPN