How to Use Certificates for Additional Security

Academic year: 2021

Global VPN Client How to Use Certificates for Additional Security

The use of certificates is not a subject to be taken lightly. There are multiple ways to implement certificates for additional security, and in different places.

This technote covers the case where certificates are used with a Microsoft Active Directory (AD) in combination with the Global VPN Client version 3 from SonicWall. The setup described here assumes:

- DHCP over VPN, with the SonicWall acting as DHCP server
- XAuth using LDAP (already configured for use in this case)
- Administrator privileges on the AD controller

In some cases it is necessary to lower, among other things, the Internet Explorer security settings. Microsoft- or administrator-specific issues may also arise; these are outside the scope of support.

The following subjects will be discussed:

1. Installing Certificate Services
2. Retrieve Root Certificate
3. Import the Root Certificate into a Sonicwall TZ170e
4. Add a Signing Request
5. Sign the request to a valid certificate
6. Import Signed Certificate
7. Request and Install a user Certificate on remote computer
8. Export user certificate for usage in Global Client
9. Sonicwall Group VPN policy configuration
10. Import user certificate into the Global Client


1. Installing Certificate Services

The first step is to install Certificate Services on your domain controller. In this example the AD is also installed on this domain controller. For this service to work, IIS is mandatory.

1. To add the service, go to the Control Panel and open Add or Remove Programs.
2. Go to Add/Remove Windows Components - Components.
3. Tick the checkbox for Certificate Services (under Details you can see that both services are activated).
4. During the installation the IIS service will be disabled if it is active; make sure the IIS service is activated again after the installation.


2. Add Root Certificate

On your domain controller open a web browser and go to http://127.0.0.1/certsrv. Select "Retrieve the CA certificate or certificate revocation list".

In the screenshots used for this technote, port 90 is used for the default website, so you may notice this port in various URLs. In a basic setup the additional port in the URL is not needed, as port 80 is the default for HTTP.


The next step is to download the root CA certificate. Press "Download CA Certificate" and leave the encoding on DER.

When downloading the Root CA certificate, please choose the location where you want to save the certificate.


3. Import the Root Certificate into a Sonicwall TZ170e

To import this certificate into a SonicWall we used a TZ170 Enhanced with firmware 3.1.0.11e. The certificate is saved on the local hard drive, so it can be imported like this:


Make sure you have selected the second choice: "Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file". Once selected, browse to the location where you saved the Root CA.


4. Add a Signing Request

Now that the Root CA has been imported, a local certificate for the SonicWall itself is needed. Go to System – Certificates and press the "New Signing Request" button:


In the following screen the request needs to be filled out with the appropriate settings.


When exporting, you can choose the location where the request is saved. The exported request is in PKCS#10 (.p10) format.


Once saved, the type of the certificate signing request changes to "Pending request" and the request is ready to be validated by the CA.


5. Sign the request to a valid certificate

The “pending request” will be signed like this:


In the screen that follows, you have two options to submit the request: you can either browse to the location where you saved the "pending request" (.p10) file, or you can open that file in an editor and copy and paste its contents.


Now you can download the signed certificate to a location on your hard drive. Once completed, you can import the signed request into the SonicWall. This is handled in the next section.


6. Import Signed Certificate

At this point the certificate is signed and ready to be uploaded. The following section shows how to do this. Log into the SonicWall and go to System - Certificates.


On the "pending request", press the upload button indicated by the red circle. You will then get the additional browse screen. Click the Browse button and go to the location where you saved the signed request, as illustrated below.


After upload you will see that the Certificate has been validated.


7. Request and Install a user Certificate on remote computer

In the previous chapters we created a Root CA and a certificate for the SonicWall itself. Now it is time to create the user certificate. This certificate, as well as the Root CA certificate, needs to be imported into the Global Client afterwards.

There are several ways to provide the user certificate to the remote user's computer. The fastest and easiest way is described in the following section. For other methods and additional information, please visit the Microsoft web page, www.microsoft.com.


Select the user here; in this example we use the administrator. Also set the key size to 1024 bits, as we used 1024 bits previously in this technote.

The next important thing is to mark the keys as exportable. This way, when the certificate is imported, the fields for the private key will not be grayed out.


8. Export user certificate for usage in Global Client

In this example the user certificate has been installed in the web browser of the domain controller. The following steps show how the certificate can be exported from the browser to a file. The file will be in PFX format and can later be imported into the Global VPN Client.

Go to Internet Explorer's Internet Options, then Content and Certificates. You will see the certificate in the Personal tab. Click on it and export it to a file using the wizard:


You are almost done with the configuration of certificate usage for the Global Client. The next step is the configuration of the Group VPN policy on the SonicWall.


9. Sonicwall Group VPN policy configuration

In this section you configure the Group VPN policy to use the certificate.

First go to System – Certificates and press the diskette icon on the local certificate. You will get the following screen. In this example we use the distinguished name. Copy the distinguished name, including the slash (/) at the start of the string. The string you use will of course be complete; in this technote some entries were removed.


After copying the distinguished name string, go to VPN - Group VPN and configure the policy. Change the IPsec keying mode from "IKE using Preshared Secret" to "IKE using 3rd Party Certificates". Change the Peer ID type to "Distinguished name".


10. Import user certificate into the Global Client

When the remote PC has the *.pfx file and the root CA .cer file, open the Global Client, go to View – Certificate Manager and import both files accordingly. The root CA goes under Trusted Root CA and the *.pfx file goes under User Certificate. Once imported, open a connection with the Global Client. When prompted, import the user certificate and enter the password for this certificate.
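As an added example (not from the technote), the same chain built offline with OpenSSL instead of Windows Certificate Services: a root CA, the firewall's PKCS#10 request and signed certificate, a user certificate exported to .pfx, and the slash-form distinguished name that section 9 has you copy into the Group VPN policy. The DN values, file names, export password and the 2048-bit key size are assumptions of this example; the technote itself used 1024-bit keys, which current OpenSSL policies often refuse.

```shell
#!/bin/sh
# Offline OpenSSL equivalent of the technote's certificate steps.
# Constructed values: DN fields, file names, password and 2048-bit keys.
set -e
WORK=$(mktemp -d)

# Steps 1-2: create the root CA and its DER (.cer) certificate, as downloaded from certsrv.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=NL/O=Example Lab/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.cer"
}

# Step 4: a PKCS#10 request, the ".p10 pending request" the firewall exports.
make_csr() {    # $1 = common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=NL/O=Example Lab/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.p10" 2>/dev/null
}

# Step 5: sign the request with the root CA, valid for one year.
sign_csr() {    # $1 = common name
    openssl x509 -req -in "$WORK/$1.p10" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# Step 8: bundle a user certificate with its private key as .pfx for the Global Client.
export_pfx() {  # $1 = common name, $2 = export password
    openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -certfile "$WORK/root.pem" -passout "pass:$2" -out "$WORK/$1.pfx"
}

# Step 9: the distinguished name in the slash form the Group VPN policy expects.
peer_dn() {     # $1 = common name; prints e.g. /C=NL/O=Example Lab/CN=tz170
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Check that a peer certificate chains to the imported root; prints OK or FAIL.
verify_chain() {    # $1 = common name
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_root_ca
make_csr tz170 && sign_csr tz170          # the firewall's own certificate
make_csr vpnuser && sign_csr vpnuser      # the remote user's certificate
export_pfx vpnuser 'constructed-export-password'
```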

Created by: Mohammed Ouadar, Jasper Krenning
