Solved

How to implement VPN Certificate base authentication

Posted on 2014-04-13
3
3,016 Views
Last Modified: 2014-04-17
We have a Fortigate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or GoDaddy), or can I use an internal CA infrastructure?

If an internal CA is used, should I put my CA server on the same subnet (i.e. the Internet DMZ), or can I put my CA server on the internal network? But I am concerned about how the external VPN client is able to contact the CA server if it is an internal server.

Any hints or suggestion would be highly appreciated.

Thanks & Regards
Patrick
Question by:patricktam
3 Comments
LVL 6

Expert Comment

by:Hassan Besher
You can use SSL VPN to authenticate using a certificate, and you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.09.html

Expert Comment

by:jmathon
You can also create your own certificate on the Fortigate unit (System -> Certificates).
But if you already have a PKI infrastructure, you don't care where it will be based.
Just create your certificate and import it into the Fortigate.
LVL 61

Accepted Solution

by:btan (earned 500 total points)
It can be self-signed, from your existing CA or from a 3rd-party CA. But to avoid a prompt (invalid certificate message) in the user's browser, you'll need to get a certificate signed by a CA for most browsers to accept your VPN page.

Some considerations include:
a) if using self-signed, you will likely get the prompt, so import that in; I do encourage using an existing CA if available, for the chain of trust.

b) if you already have a wildcard certificate in use on other servers, you can get it imported into the Fortigate.

c) if the client computers are members of your domain where the controller has the Certificate Authority role installed, you can sign the certificate on your domain controller and re-import it into the Fortigate.

d) if you want users to be authenticated with the correct certificate installed in their browser before they can access the SSL VPN, you also need to create user certificates that will be imported into the browsers. In this case, these certificates can be signed by your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the Fortigate so it can verify client certificates.

e.g. Generate a certificate request and import a signed certificate back into the Fortigate.

e.g. Importing a wildcard certificate into the Fortigate.
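The accepted answer's workflow (an internal CA signs the gateway's CSR, issues user certificates, and the CA certificate is what the gateway uses to verify clients) can be walked through with openssl on a lab box. This is an added example, not code from the thread or from Fortinet; the hostname vpn.example.com, the CA name and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: internal CA, signed gateway cert, user cert, chain checks.
# Every name and path below is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

build_ca() {
  # Self-signed root CA. Its certificate (not its key) is what you import into
  # the FortiGate so it can validate the user certificates it issued.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

sign_server_cert() {
  # The gateway generates a CSR; the CA signs it and the signed certificate is
  # imported back. The SAN must match the hostname clients connect to.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
  printf 'subjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/vpn.ext"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/vpn.ext" \
    -out "$WORK/vpn.crt" 2>/dev/null
}

issue_client_cert() {
  # Per-user certificate for the browser/VPN client, signed by the same CA.
  # Only clientAuth is set, so it cannot be reused to impersonate the gateway.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

verify_against_ca() {
  # What the gateway does with the imported CA certificate: chain validation
  # plus a purpose check. Usage: verify_against_ca CA_FILE CERT_FILE PURPOSE
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}
```

Verification should succeed for vpn.crt with purpose sslserver and for a user certificate with purpose sslclient, and fail for a certificate signed by any other CA or presented for the wrong purpose.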
