Change the IP address on Clients

Our company network consists of a few hundred laptops all of which have Checkpoint VPN configured with the site IP.

We are moving out datacentre and will need to update the IP on all of our laptops. I want to deploy a script remotely which will transparently update the site IP address. The script works however it causes a certificate problem and the users would be unable to connect.

If the laptop connects to VPN while still on the LAN after the change the certificate problem is not an issue. However we cannot expect all users to be able to do that.

Is there anyway to update the certificate at the same time as running the script. It would be even nicer if there was a checkpoint tool.

I appreciate all your help.
LVL 8
LotokAsked:
Who is Participating?
 
ParanormasticCryptographic EngineerCommented:
In order to update the cert, you would have to issue a new one.  This is presuming that it was issued to the IP address and that the clients connect to that IP address instead of an FQDN.  If you have a DNS name, you might consider issuing to that instead and having the IP address as a SAN (Subject Alternate Name) - many commercial CA's will allow you to do this, if you don't see it just look at their FAQ or contact their support for specifics.  Essentially, whatever address is entered is what needs to match the cert.

As this is a purposeful change, I would not expect that they would reissue under your previous order - you would have to purchase a new cert.  However, it never hurts to ask - since the cert is for the same box there may be some vendors that might accept that as a free reissuance.

If this is your own CA, I will presume a Microsoft CA - when you pass the CSR through the Certsrv page, there is an Attributes box that you can use to enter SAN:IP=192.168.0.1 (or SAN:DNS=vpn.yourdomain.com)

Certs are used by software, the software creates the CSR but does not have a way to 'update' it, so to speak, without the help of the CA.  There may be an update or replace function in most softwares, but that is just handling the new cert vs the old, not actually doing it to itself.

If this is a self signed cert, then just go through the process to create a new self signed cert and push that to clients as you would have done before, presumably GPO.

If you need anything more specific, let me know.
0
 
LotokAuthor Commented:
Concluded from your info and our network guys, it cant be done as I intended. Sorry for late close, been away.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.