How to implement VPN certificate-based authentication

Posted on 2014-04-13
Last Modified: 2014-04-17
We have a FortiGate VPN gateway and would like to implement "Certificate-Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or GoDaddy), or can I use an internal CA infrastructure?

If an internal CA is used, should I put my CA server on the same subnet (i.e. the Internet DMZ), or can I put my CA server on the internal network? But I am concerned about how the external VPN client will be able to contact the CA server if it is an internal server.

Any hints or suggestion would be highly appreciated.

Thanks & Regards
Patrick
Question by:patricktam
3 Comments
Expert Comment

by:Hassan Besher
ID: 39997879
You can use SSL VPN to authenticate using certificates, and you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.09.html
Expert Comment

by:jmathon
ID: 39998438
You can also create your own certificate on the FortiGate unit (System -> Certificates).
But if you already have a PKI infrastructure, you don't care where it is based.
Just create your certificate and import it into the FortiGate.
Accepted Solution

by: btan (earned 1500 total points)
ID: 39998904
It can be self-signed, from your existing CA, or from a 3rd-party CA. But to avoid a prompt (invalid certificate message) in the user's browser, you'll need to get a certificate signed by a CA for most browsers to accept your VPN page.

Some considerations include:

a) if using self-signed, you will likely get the prompt, so import that in; I do encourage using an existing CA if available, for the chain of trust.

b) if you already have a wildcard certificate in use on other servers, you can get it imported into the FortiGate.

c) if the client computers are members of your domain and the domain controller has the Certificate Authority role installed, you can sign the certificate on your domain controller and re-import it into the FortiGate.

d) if you want users to be authenticated with the correct certificate installed in their browser before they can access the SSL VPN, you also need to create user certificates that will be imported into browsers. In this case, these certificates can be signed by your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the FortiGate so it can verify client certificates.

e.g. Generate a certificate request and import a signed certificate back into the FortiGate.

e.g. Importing a wildcard certificate into the FortiGate.