We have a Fortigate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or Godaddy), or can I use an internal CA infrastructure?
If an internal CA is used, should I put my CA server on the same subnet (i.e. the Internet DMZ), or can I put my CA server on the internal network? But I am concerned about how the external VPN client would be able to contact the CA server if it is an internal server.
Any hints or suggestion would be highly appreciated.
Thanks & Regards