Entrust Certificate Enrollment Tunnel; Direct Access Enrollment Process - Nortel VPN Client User Manual

Nortel contivity vpn client software: user guide

74 Chapter 3 Using certificates

Entrust certificate enrollment tunnel

To let an IPsec client that has no direct connectivity to the Entrust PKI enroll
for an Entrust certificate, create a special group that is used only to reach the
Entrust PKI and generate a new certificate. Apply a filter to this group that
restricts what can be reached through the tunnel to the PKI only. You could name
this group, for example, Certificate Enrollment.

Add a user with a "common" (shared) user ID and password, for example:

User ID: enrollee
Password: certificate

Because every enrollee uses this one user ID and password, the filter is what
keeps the account from becoming general VPN access: the Contivity gateway must be
configured so that the tunnel filter set and the firewall allow only PKI access,
and only to the PKI server. The TCP firewall filter ports are 389 and 709. Nortel
has preconfigured a filter rule called Entrust PKI that allows access to the
Entrust PKI server. You can choose this filter for any group from the Profiles >
Groups > Edit > Connectivity: Configure screen. Set this filter together with a
"deny all" filter on the "semi-public" account that you set up. The Entrust PKI
filter is made up of the following rules; customize them if the default Entrust
port values are not used:

TCP, src port > 1023, dest port 389, in
TCP, src port 389, dest port > 1023, out
TCP, src port > 1023, dest port 709, in
TCP, src port 709, dest port > 1023, out

Direct access enrollment process

The following steps describe what remote users must do to obtain an
authentication certificate when the PKI server is directly accessible from the
Internet.
1 Choose a directory in which to store the .epf file.
2 Name the .epf file.
3 Select a password.
4 Enter the Entrust Reference Number and Authorization Code (provided to the
remote user by the network administrator).

311644-J Rev 00
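The four Entrust PKI filter rules from the enrollment-tunnel section, evaluated against sample traffic, as an added example that is not from the manual or from Nortel. The four permit rules and the trailing "deny all" are the ones the manual describes; everything else is an assumption made for the example: "in" is taken to mean client-to-PKI traffic entering the private network from the tunnel and "out" the return traffic back to the tunnel, the PKI_SERVER and OTHER_HOST addresses and the packets are constructed, and the optional host restriction is something the stock rule set does not carry. The point of the check is that the rules as listed match only on ports and direction, so port 389 or 709 on any host reachable through the tunnel would be permitted until the administrator pins them to the PKI server.

```python
"""Evaluate the Contivity 'Entrust PKI' tunnel filter rules against sample packets.

Added example, not Nortel's code. Assumptions: "in" = client-to-PKI traffic
entering the private network from the tunnel, "out" = the return traffic;
the stock rules carry no host restriction (host=None); PKI_SERVER,
OTHER_HOST and the SAMPLES packets are constructed data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PKI_SERVER = "10.1.2.3"    # assumed address of the Entrust PKI server
OTHER_HOST = "10.1.2.50"   # assumed unrelated host on the private network

PortRange = Tuple[int, int]            # inclusive low/high
ANY_PORT: PortRange = (0, 65535)
HIGH_PORT: PortRange = (1024, 65535)   # the manual's "> 1023"


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src_port: int
    dst_port: int
    direction: str    # "in" or "out"
    peer: str         # address of the private-network endpoint


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "TCP", "UDP" or "*" for any
    src: PortRange
    dst: PortRange
    direction: str              # "in", "out" or "*"
    host: Optional[str] = None  # private-network endpoint, None = any host

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("*", pkt.proto)
                and self.src[0] <= pkt.src_port <= self.src[1]
                and self.dst[0] <= pkt.dst_port <= self.dst[1]
                and self.direction in ("*", pkt.direction)
                and self.host in (None, pkt.peer))


def entrust_pki_rules(ldap_port: int = 389, entrust_port: int = 709,
                      host: Optional[str] = None) -> List[Rule]:
    """The preconfigured Entrust PKI filter, in the order the manual lists it.

    ldap_port/entrust_port let an administrator substitute non-default Entrust
    ports; host, when given, adds the PKI-server restriction the stock rules lack.
    """
    return [
        Rule("permit", "TCP", HIGH_PORT, (ldap_port, ldap_port), "in", host),
        Rule("permit", "TCP", (ldap_port, ldap_port), HIGH_PORT, "out", host),
        Rule("permit", "TCP", HIGH_PORT, (entrust_port, entrust_port), "in", host),
        Rule("permit", "TCP", (entrust_port, entrust_port), HIGH_PORT, "out", host),
    ]


# The "deny all" filter the manual says must accompany the Entrust PKI filter.
DENY_ALL = Rule("deny", "*", ANY_PORT, ANY_PORT, "*")


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic for one enrollment session plus some stray packets.
SAMPLES = {
    "ldap_query":      Packet("TCP", 40001, 389, "in", PKI_SERVER),
    "ldap_reply":      Packet("TCP", 389, 40001, "out", PKI_SERVER),
    "entrust_request": Packet("TCP", 40002, 709, "in", PKI_SERVER),
    "entrust_reply":   Packet("TCP", 709, 40002, "out", PKI_SERVER),
    "ssh_to_other":    Packet("TCP", 40003, 22, "in", OTHER_HOST),
    "ldap_to_other":   Packet("TCP", 40004, 389, "in", OTHER_HOST),
    "low_src_port":    Packet("TCP", 80, 389, "in", PKI_SERVER),
    "udp_ldap":        Packet("UDP", 40005, 389, "in", PKI_SERVER),
}


def verdicts(rules: List[Rule]) -> dict:
    """Map each sample packet name to the filter's verdict for that packet."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    stock = entrust_pki_rules() + [DENY_ALL]
    pinned = entrust_pki_rules(host=PKI_SERVER) + [DENY_ALL]
    for name, pkt in SAMPLES.items():
        print(f"{name:16} stock={evaluate(stock, pkt):6} pinned={evaluate(pinned, pkt)}")
```

Running the block shows the enrollment flows permitted under both rule sets and ssh_to_other, low_src_port and udp_ldap denied under both; only ldap_to_other differs, permitted by the stock rules and denied once the rules are pinned to the PKI server. Substituting non-default ports through ldap_port and entrust_port mirrors the manual's instruction to customize the filter when Entrust is not on 389 and 709.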
