Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to implement VPN Certificate base authentication

Posted on 2014-04-13
3
Medium Priority
?
3,608 Views
Last Modified: 2014-04-17
We have a Fortigate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use external or third party CA (e.g. VeriSign or Godaddy) or can I use an internal CA infrastructure ?

 If internal CA is use, should I put my CA server on the same subnet (i.e. Internet DMZ) or can I put my CA server on the Internal network ? But I am concerning how the external VPN client is able to contact the CA server if it is an internal server.

Any hints or suggestion would be highly appreciated.

Thanks & Regards
Patrick
0
Comment
Question by:patricktam
3 Comments
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39997879
you can use SSL VPN to authenticate using Certificate , and  you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.09.html
0
 

Expert Comment

by:jmathon
ID: 39998438
You can also create your own Certificate on the Fortigate Unit (System -> Certificates)
But if you already have a PKI Infrastructure, you don't care where it will be based.
Just create your Certificate, and import it into the fortigate.
0
 
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 39998904
It can be self signed, from your existing CA or 3rd party CA. But to avoid prompt (invalid certificate message) in user browser, you’ll need to get a certificate signed by a CA for most browsers to accept your VPN page.

some considerations include
a) if using self signed, you likely get the prompt so import that in and I do encourage better to use existing CA if available for cahin of trust.

b) if you already have a wildcard certificate in use on others server, you can get it imported into the Fortigate.

c) if the clients computers are members of your domain where the controller has the Certificate Authority role installed, you can sign the certificate on your domain controller and re-import into the Fortigate.

d) if you will want user to be authenticated with the correct certificate installed in their browser before they can access the SSL VPN, you also need to create user certificates that will be imported into browsers. in this case, these certificates can be signed your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the Fortigate so it can verify client certificates.

e.g. Generate a certificate request and import a signed certificate back into the Fortigate.

e.g . Importing a wildcard certificate into the Fortigate
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month12 days, 10 hours left to enroll

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question