Solved

Change the IP address on Clients

Posted on 2008-10-01
Last Modified: 2013-11-16
Our company network consists of a few hundred laptops, all of which have Checkpoint VPN configured with the site IP.

We are moving our datacentre and will need to update the IP on all of our laptops. I want to deploy a script remotely which will transparently update the site IP address. The script works; however, it causes a certificate problem and the users would be unable to connect.

If the laptop connects to VPN while still on the LAN after the change, the certificate problem is not an issue. However, we cannot expect all users to be able to do that.

Is there any way to update the certificate at the same time as running the script? It would be even nicer if there was a Checkpoint tool.

I appreciate all your help.
Question by:Lotok
2 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22614710
In order to update the cert, you would have to issue a new one. This is presuming that it was issued to the IP address and that the clients connect to that IP address instead of an FQDN. If you have a DNS name, you might consider issuing to that instead and having the IP address as a SAN (Subject Alternate Name) - many commercial CAs will allow you to do this; if you don't see it, just look at their FAQ or contact their support for specifics. Essentially, whatever address is entered is what needs to match the cert.

As this is a purposeful change, I would not expect that they would reissue under your previous order - you would have to purchase a new cert. However, it never hurts to ask - since the cert is for the same box, there may be some vendors that might accept that as a free reissuance.

If this is your own CA, I will presume a Microsoft CA - when you pass the CSR through the Certsrv page, there is an Attributes box that you can use to enter SAN:IP=192.168.0.1 (or SAN:DNS=vpn.yourdomain.com).

Certs are used by software; the software creates the CSR but does not have a way to 'update' it, so to speak, without the help of the CA. There may be an update or replace function in most software, but that is just handling the new cert vs the old, not actually doing it to itself.

If this is a self signed cert, then just go through the process to create a new self signed cert and push that to clients as you would have done before, presumably GPO.

If you need anything more specific, let me know.
0
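The matching rule described in the accepted answer, as an added example that is not part of the original thread: a pre-migration check that tells you which client-configured addresses a given certificate will still cover. It assumes the certificate is supplied in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, applies generic X.509 SAN matching rather than Check Point's own client logic, and uses `192.0.2.10` as a constructed stand-in for the new site IP.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, endpoint):
    """True if the address the client is configured with appears in the cert's SAN."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(endpoint):
        # An IP endpoint only matches an 'IP Address' SAN, never a DNS SAN.
        want = ipaddress.ip_address(endpoint)
        return any(kind == "IP Address" and _is_ip(val)
                   and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, endpoint) for kind, val in sans)

def migration_report(cert, client_targets):
    """Map each address clients might be configured with to covered / not covered."""
    return {target: cert_covers(cert, target) for target in client_targets}

# Constructed sample data: old IP and FQDN are the examples used in the answer,
# NEW_IP is a documentation-range placeholder for the new datacentre address.
OLD_IP, NEW_IP, FQDN = "192.168.0.1", "192.0.2.10", "vpn.yourdomain.com"
CERT_IP_ONLY = {"subjectAltName": (("IP Address", OLD_IP),)}
CERT_DNS_PLUS_IP = {"subjectAltName": (("DNS", FQDN), ("IP Address", NEW_IP))}

if __name__ == "__main__":
    for name, cert in (("issued to old IP", CERT_IP_ONLY),
                       ("reissued: DNS + new IP SAN", CERT_DNS_PLUS_IP)):
        print(name, migration_report(cert, [OLD_IP, NEW_IP, FQDN]))
```

A certificate issued only to the old IP fails for every address a client could use after the move, while one issued to the DNS name with the new IP as a SAN covers both forms.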
 
LVL 8

Author Closing Comment

by:Lotok
ID: 31501972
Concluded from your info and our network guys, it can't be done as I intended. Sorry for late close, been away.
0
