How to implement VPN certificate-based authentication

Posted on 2014-04-13
Last Modified: 2014-04-17
We have a FortiGate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or GoDaddy), or can I use an internal CA infrastructure?

If an internal CA is used, should I put my CA server on the same subnet (i.e. the Internet DMZ), or can I put my CA server on the internal network? But I am concerned about how the external VPN client is able to contact the CA server if it is an internal server.

Any hints or suggestion would be highly appreciated.

Thanks & Regards
Patrick
Question by:patricktam
3 Comments
 

Expert Comment

by:Hassan Besher
ID: 39997879
You can use SSL VPN to authenticate using a certificate, and you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.09.html

Expert Comment

by:jmathon
ID: 39998438
You can also create your own certificate on the FortiGate unit (System -> Certificates).
But if you already have a PKI infrastructure, you don't care where it will be based.
Just create your certificate, and import it into the FortiGate.

Accepted Solution

by:btan (earned 500 total points)
ID: 39998904
It can be self-signed, from your existing CA, or from a 3rd-party CA. But to avoid a prompt (invalid certificate message) in the user's browser, you'll need to get a certificate signed by a CA for most browsers to accept your VPN page.

Some considerations include:
a) if using self-signed, you will likely get the prompt, so import that in; I do encourage using an existing CA if available, for the chain of trust.

b) if you already have a wildcard certificate in use on other servers, you can get it imported into the FortiGate.

c) if the client computers are members of your domain and the domain controller has the Certificate Authority role installed, you can sign the certificate on your domain controller and re-import it into the FortiGate.

d) if you want users to be authenticated with the correct certificate installed in their browser before they can access the SSL VPN, you also need to create user certificates that will be imported into browsers. In this case, these certificates can be signed by your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the FortiGate so it can verify client certificates.

e.g. Generate a certificate request and import a signed certificate back into the FortiGate.

e.g. Importing a wildcard certificate into the FortiGate.
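The workflow in points c) to e) of the accepted answer, as an added example that is not part of the thread or of any Fortinet documentation: an internal CA run with the openssl command line stands in for the domain controller's CA role, signs the gateway's CSR as a server certificate, issues a user certificate as a PKCS#12 bundle for the browser, and then performs the check the FortiGate performs once the CA certificate is imported into it. The host name vpn.example.com, the CA name, the user name and the PKCS#12 password are placeholders chosen for this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): internal CA with openssl modelling
# steps c)-e) of the accepted answer. vpn.example.com, "Example Internal CA",
# user "patrick" and the PKCS#12 password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Step 1: create the internal CA. Its private key stays on the internal CA
# host; only ca.crt is ever copied to the FortiGate in the DMZ.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: a CSR for the gateway's server certificate. In production the
# FortiGate generates this (System -> Certificates -> Generate) and keeps the
# private key; openssl stands in for it here.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.com" \
        -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR as a TLS server certificate. The SAN must match
# the host name users type into the browser, or they still get the prompt.
sign_server_csr() {
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:vpn.example.com' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/vpn.crt" 2>/dev/null
}

# Step 4: issue a user certificate (what an AD CS user template would do) and
# bundle it with the CA certificate as PKCS#12 for import into the browser.
issue_user_cert() {   # $1 = user name, $2 = file prefix
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
        -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/$2.p12"
}

# Step 5: the check the gateway performs with the imported ca.crt: does the
# presented certificate chain to our CA, and is it a client certificate?
# Prints OK or FAIL. No CRL/OCSP lookup is done here.
verify_client_cert() {   # $1 = certificate file
    if openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The same chain check for the gateway's own certificate, as a browser that
# trusts ca.crt would apply it.
verify_server_cert() {
    if openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$WORK/vpn.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_ca
    make_server_csr
    sign_server_csr
    issue_user_cert patrick user-patrick
    # A certificate not issued by our CA (here self-signed, same CN) must be
    # rejected even though its subject looks right.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=patrick" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
    echo "server cert for vpn.example.com: $(verify_server_cert)"
    echo "user cert issued by our CA:      $(verify_client_cert "$WORK/user-patrick.crt")"
    echo "server cert offered as client:   $(verify_client_cert "$WORK/vpn.crt")"
    echo "self-signed cert with same CN:   $(verify_client_cert "$WORK/rogue.crt")"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh ca-demo.sh demo`. Only two files from this script would go to the FortiGate in the DMZ: ca.crt (step 1, so it can verify client certificates) and vpn.crt (step 3, as its server certificate); the CA key never leaves the internal CA host and, because the gateway checks the chain locally, VPN clients never talk to the CA. The server certificate is refused when offered as a client certificate because its extended key usage is serverAuth only, which is why the client and server extension files differ. The script does no revocation check; a real deployment also needs the CA's CRL published somewhere the FortiGate can fetch it, or a revoked user certificate keeps working until it expires.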
