Certificate Validation Components - D-Link NetDefend DFL-210 User Manual

Network security firewall
9.6. CA Server Access
3. The CA server is a commercial server on the public Internet. In this, the simplest case,
public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will
need to have at least one public DNS server address configured to resolve the FQDNs in the
certificates it receives.
It must also be possible for an HTTP PUT request to pass from the validation request source
(either the D-Link Firewall or a client) to the CA server, and for the HTTP reply to be received. If
the request is going to pass through the D-Link Firewall, the appropriate rules in the NetDefendOS
IP rule set need to be defined to allow this traffic through.
Figure 9.4. Certificate Validation Components
CA Server Access by Clients
In a VPN tunnel with roaming clients connecting to the D-Link Firewall, the VPN client software
may need to access the CA server. Not all VPN client software will need this access. Microsoft
clients prior to Vista do not send CA server requests at all; with Microsoft Vista, validation
became the default, with the option to disable it. Other, non-Microsoft clients differ in the way
they work, but the majority will attempt to validate the certificate.
Placement of Private CA Servers
The easiest solution for placement of a private CA server is to have it on the unprotected side of the
D-Link Firewall. This, however, is not recommended from a security viewpoint. It is better to place
it on the inside (or preferably in the DMZ, if available) and to have NetDefendOS control access to
it.
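The two requirements above (the FQDN in the certificate must resolve, and the IP rule set must let the validation request reach the CA server, whether that server is on the public Internet or placed in the DMZ) can be checked before a tunnel is rolled out. The following is an added example, not code from the D-Link manual or from NetDefendOS: it models a simplified rule set, a constructed interface layout, a constructed DNS table and constructed CRL/AIA URLs, and reports for each URL whether the validation request from a given source would be resolvable and allowed. The rule fields, the top-down first-match evaluation and all names and addresses are assumptions for illustration.

```python
"""Check that certificate-validation traffic (the HTTP request from the
validation source to the CA server) is resolvable and allowed.

Added example, not code from the D-Link manual or NetDefendOS.  The rule
model, interfaces, networks, DNS table and URLs are constructed assumptions
that only loosely mirror the concepts the manual describes.
"""
from dataclasses import dataclass
import ipaddress
from urllib.parse import urlparse

# Constructed layout: protected inside network, a DMZ, and the Internet
# behind the WAN interface.
INTERFACES = {
    "lan": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.2.0/24"),
    "wan": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed stand-in for the public DNS server that resolves FQDNs
# found in certificates (a real check would query DNS instead).
DNS_TABLE = {
    "crl.public-ca.test": "203.0.113.10",   # commercial CA on the Internet
    "ca.dmz.test": "10.0.2.20",             # private CA placed in the DMZ
}

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class IPRule:
    """One entry of a simplified, NetDefendOS-like IP rule set (assumed model)."""
    name: str
    action: str        # "Allow" or "Drop"
    src_if: str
    dst_if: str
    service: str       # "http", "https" or "all"


def interface_for(ip):
    """Most specific configured network containing ip (constructed lookup)."""
    addr = ipaddress.ip_address(ip)
    name, _ = max(((n, net) for n, net in INTERFACES.items() if addr in net),
                  key=lambda item: item[1].prefixlen)
    return name


def endpoints_from_cert_urls(urls):
    """Turn CRL distribution point / AIA URLs into (fqdn, port, service)."""
    found = []
    for url in urls:
        p = urlparse(url)
        if p.scheme not in DEFAULT_PORTS or not p.hostname:
            continue                       # e.g. ldap:// CDPs are not HTTP
        found.append((p.hostname, p.port or DEFAULT_PORTS[p.scheme], p.scheme))
    return found


def first_match(rules, src_if, dst_if, service):
    """Top-down evaluation, first matching rule wins (assumed model)."""
    for rule in rules:
        if (rule.src_if == src_if and rule.dst_if == dst_if
                and rule.service in (service, "all")):
            return rule
    return None


def check_validation_path(rules, src_ip, cert_urls):
    """Return {fqdn: (ok, reason)} for every HTTP(S) validation URL."""
    src_if = interface_for(src_ip)
    report = {}
    for fqdn, port, service in endpoints_from_cert_urls(cert_urls):
        dst_ip = DNS_TABLE.get(fqdn)
        if dst_ip is None:
            report[fqdn] = (False, "FQDN not resolvable: check DNS server configuration")
            continue
        dst_if = interface_for(dst_ip)
        rule = first_match(rules, src_if, dst_if, service)
        if rule is None:
            report[fqdn] = (False, f"no rule {src_if}->{dst_if} for {service}/{port}")
        elif rule.action != "Allow":
            report[fqdn] = (False, f"blocked by rule '{rule.name}'")
        else:
            report[fqdn] = (True, f"allowed by rule '{rule.name}'")
    return report


if __name__ == "__main__":
    # Only Internet-bound HTTP is allowed; the DMZ CA is not yet reachable.
    rules = [IPRule("lan_to_wan_http", "Allow", "lan", "wan", "http")]
    urls = ["http://crl.public-ca.test/ca.crl", "http://ca.dmz.test/ca.crl"]
    for fqdn, (ok, why) in check_validation_path(rules, "10.0.1.50", urls).items():
        print(f"{'OK ' if ok else 'BAD'} {fqdn}: {why}")
```

The report names the missing rule (source interface, destination interface, service) so the gap can be closed with a specific Allow entry rather than a broad one; adding only that `lan` to `dmz` HTTP rule makes the DMZ CA reachable while everything else stays blocked.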
372
Chapter 9. VPN
