Ca Server Access - D-Link DFL-1660 User Manual

Network security firewall
Hide thumbs Also See for DFL-1660:
Table of Contents

Advertisement

9.6. CA Server Access

9.6. CA Server Access
Overview
Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the
tunnel setup negotiation and either may then try to validate the received certificate by accessing a
CA server. A certificate contains a URL (the CRL Distribution Point) which specifies the validating
CA server and server access is performed using an HTTP GET request with an HTTP reply. (This
URL is more correctly called an FQDN - Fully Qualified Domain Name.)
CA Server Types
CA servers are of two types:
A commercial CA server operated by one of the commercial certificate issuing companies.
These are accessible over the public Internet and their FQDNs are resolvable through the public
Internet DNS server system.
A private CA server operated by the same organization setting up the VPN tunnels. The IP
address of a private server will not be known to the public DNS system unless it is explicitly
registered. It also will not be known to an internal network unless it is registered on an internal
DNS server.
Access Considerations
The following considerations should be taken into account for CA server access to succeed:
Either side of a VPN tunnel may issue a validation request to a CA server.
For a certificate validation request to be issued, the FQDN of the certificate's CA server must
first be resolved into an IP address. The following scenarios are possible:
1.
The CA server is a private server behind the NetDefend Firewall and the tunnels are set up
over the public Internet but to clients that will not try to validate the certificate sent by
NetDefendOS.
In this case, the IP address of the private server needs only be registered on a private DNS
server so the FQDN can be resolved. This private DNS server will also have to be
configured in NetDefendOS so it can be found when NetDefendOS issues a validation
request. This will also be the procedure if the tunnels are being set up entirely internally
without using the public Internet.
2.
The CA server is a private server with tunnels set up over the public Internet and with
clients that will try to validate the certificate received from NetDefendOS. In this case the
following must be done:
a.
b.
The same steps should be followed if the other side of the tunnel is another firewall instead
of being many clients.
A private DNS server must be configured so that NetDefendOS can locate the private
CA server to validate the certificates coming from clients.
The external IP address of the NetDefend Firewall needs to be registered in the public
DNS system so that the FQDN reference to the private CA server in certificates sent to
clients can be resolved. For example, NetDefendOS may send a certificate to a client
with an FQDN which is ca.company.com and this will need to be resolvable by the
client to a public external IP address of the NetDefend Firewall through the public
DNS system.
383
Chapter 9. VPN

Advertisement

Table of Contents
loading

Table of Contents