D-Link DFL-1660 User Manual page 482

Network security firewall

9.7. CA Server Access
Chapter 9. VPN
Placement of Private CA Servers
The easiest solution for placement of a private CA server is to have it on the unprotected side of the
NetDefend Firewall. This, however, is not recommended from a security viewpoint. It is better to
place it on the inside (or preferably in the DMZ, if available) and to have NetDefendOS control
access to it.
As explained previously, the address of the private CA server must be resolvable through public
DNS servers for certificate validation requests coming from the public Internet. If the certificate
queries are coming only from the NetDefend Firewall and the CA server is on the internal side of
the firewall, then the IP address of the internal DNS server must be configured in NetDefendOS so
that these requests can be resolved.
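The resolution rule above can be checked for a given certificate by listing its CRL distribution points and comparing what public and internal DNS return for each host. This is an added example, not part of the D-Link manual; the sample certificate text, host names, addresses and both DNS views are constructed, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: extension section of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.corp.example/crl/root.crl
                Full Name:
                  URI:http://192.168.10.5/crl/root.crl
            X509v3 Key Usage: critical
"""

# Constructed DNS views (name -> address) standing in for real lookups.
PUBLIC_DNS = {}
INTERNAL_DNS = {"ca.corp.example": "192.168.10.5"}

def crl_hosts(cert_text):
    """Return the host of every URI under 'CRL Distribution Points'."""
    hosts, in_cdp = [], False
    for line in cert_text.splitlines():
        item = line.strip()
        if item.startswith("X509v3 CRL Distribution Points"):
            in_cdp = True
        elif item.startswith("X509v3 "):
            in_cdp = False          # a different extension begins
        elif in_cdp and item.startswith("URI:"):
            host = urlsplit(item[len("URI:"):]).hostname
            if host:
                hosts.append(host)
    return hosts

def who_can_validate(host, public_dns, internal_dns):
    """Classify which clients can locate the CA server for this host."""
    try:
        addr = ipaddress.ip_address(host)   # IP literal: no DNS needed
        return "internal-only" if addr.is_private else "public"
    except ValueError:
        pass                                # not an IP, treat as a DNS name
    if host in public_dns:
        return "public"          # Internet clients can resolve it
    if host in internal_dns:
        return "internal-only"   # firewall must use the internal DNS server
    return "unresolvable"        # revocation checks cannot reach the CA

def audit(cert_text, public_dns=PUBLIC_DNS, internal_dns=INTERNAL_DNS):
    return {h: who_can_validate(h, public_dns, internal_dns)
            for h in crl_hosts(cert_text)}
```

An `internal-only` result corresponds to the case where the internal DNS server must be configured in NetDefendOS; `unresolvable` means validation against that distribution point cannot succeed from either side.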
Turning Off Validation
As explained in the troubleshooting section below, identifying problems with CA server access can
be done by turning off the requirement to validate certificates. Attempts to access CA servers by
NetDefendOS can be disabled with the Disable CRLs option for certificate objects. This means that
checking against the CA server's revocation list will be turned off and access to the server will not
be attempted.
This manual is also suitable for: DFL-2560, DFL-2560G, DFL-260E, DFL-860E
