D-Link DFL-260 Product Manual - Page 434
Chapter 9. VPN

9.6. CA Server Access

Overview

Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation, and either side may then try to validate the certificate it received by contacting a CA server. A certificate carries a URL in its CRL Distribution Point extension; the host part of that URL is the Fully Qualified Domain Name (FQDN) of the server that publishes the CA's Certificate Revocation List (this manual refers to that host as the CA server; in practice it may also be a web server that only publishes the CRL on the CA's behalf). The validating side resolves that FQDN to an IP address, sends an HTTP GET request to it and checks the CRL returned in the HTTP reply. If the FQDN cannot be resolved, or the HTTP request cannot reach the server, the CRL cannot be fetched and the revocation check cannot complete.

CA Server Types

CA servers are of two types:

• A commercial CA server operated by one of the commercial certificate issuing companies. These are accessible over the public Internet and their FQDNs are resolvable through the public DNS system.

• A private CA server operated by the same organization that is setting up the VPN tunnels. The IP address of a private server is not known to the public DNS system unless it is explicitly registered there. It is also not known to an internal network unless it is registered on an internal DNS server.

Access Considerations

The following considerations must be taken into account for CA server access to succeed:

• Either side of a VPN tunnel may issue a validation request to a CA server.

• Before a validation request can be issued, the FQDN of the certificate's CA server must be resolved into an IP address by the side doing the validating. The following scenarios are possible:

1. The CA server is a private server behind the NetDefend Firewall, the tunnels are set up over the public Internet, and the clients will not try to validate the certificate sent by NetDefendOS. In this case the IP address of the private server only needs to be registered on a private DNS server so that the FQDN can be resolved. That private DNS server must also be configured in NetDefendOS, so that NetDefendOS can use it to locate the CA server when it issues a validation request.

   The same procedure applies if the tunnels are set up entirely internally, without using the public Internet.

2. The CA server is a private server, the tunnels are set up over the public Internet, and the clients will try to validate the certificate they receive from NetDefendOS. In this case both of the following must be done:

   a. A private DNS server must be configured in NetDefendOS so that NetDefendOS can locate the private CA server and validate the certificates coming from clients.

   b. The external IP address of the NetDefend Firewall must be registered in the public DNS system under the FQDN that the certificates sent to clients use to refer to the private CA server. For example, NetDefendOS may send a client a certificate whose CRL Distribution Point names ca.company.com; the client must be able to resolve ca.company.com through the public DNS system to a public external IP address of the NetDefend Firewall, which in turn has to pass the client's HTTP request on to the private CA server behind it.

   The same steps must be followed if the other side of the tunnel is another firewall instead of many clients.
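The access considerations above can be verified before a tunnel is brought up. The following shell script is an added example and is not code from the D-Link manual or from NetDefendOS: it generates a constructed self-signed test certificate whose CRL Distribution Point carries the manual's example FQDN ca.company.com, extracts that URL the way a validating peer sees it, checks whether the FQDN resolves from the host running the script, and then attempts the same HTTP GET for the CRL that the validating side would issue. It assumes OpenSSL 1.1.1 or later (for `req -addext` and `x509 -ext`), a POSIX shell, and optionally curl; the key, the certificate, the subject vpn-gw.company.com and the CRL path /ca.crl are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the D-Link manual or NetDefendOS: a pre-deployment check
# that a certificate's CRL Distribution Point can actually be used from this host.
# Assumes OpenSSL 1.1.1 or later (for "req -addext" and "x509 -ext") and a POSIX sh.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test input: a self-signed certificate whose CRL Distribution Point
# names the manual's example FQDN ca.company.com (subject and CRL path are made up).
# For a real check, point the functions below at the certificate NetDefendOS or the
# peer actually presents instead of calling make_test_cert.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 \
        -subj "/CN=vpn-gw.company.com" \
        -addext "crlDistributionPoints=URI:http://ca.company.com/ca.crl" \
        >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# Print every URI found in the certificate's crlDistributionPoints extension, one
# per line. Only that extension is inspected, so URIs from other extensions (for
# example OCSP responders in Authority Information Access) are not mixed in.
cdp_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints |
        sed -n 's/^ *URI://p'
}

# Reduce a URL to its host part: strip the scheme, then everything from the first
# "/" or ":" onwards. This is the FQDN that must be resolvable on the validating
# side (NetDefendOS's configured DNS server, or the public DNS for remote clients).
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s\n' "$h"
}

# Does this FQDN resolve from the host the script runs on? A name that is only
# registered on the other side's DNS server fails here, which is the point.
resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1
    else
        nslookup "$1" >/dev/null 2>&1
    fi
}

# Perform the same HTTP GET the validating side would issue and confirm the reply
# is a CRL that OpenSSL can parse (DER first, PEM as a fallback).
fetch_crl() {
    url=$1
    out="$WORK/fetched.crl"
    curl -fsS --max-time 10 -o "$out" "$url" || return 1
    openssl crl -inform DER -in "$out" -noout -nextupdate 2>/dev/null ||
        openssl crl -inform PEM -in "$out" -noout -nextupdate
}

# Report on one certificate: for each distribution point, can the FQDN be resolved
# from here and can the CRL be fetched? Returns 1 if any check fails.
check_ca_access() {
    cert=$1
    status=0
    for url in $(cdp_urls "$cert"); do
        host=$(url_host "$url")
        if ! resolves "$host"; then
            echo "FAIL $host does not resolve from this host; $url cannot be fetched"
            status=1
            continue
        fi
        if fetch_crl "$url"; then
            echo "OK   $url fetched and parsed as a CRL"
        else
            echo "FAIL $host resolves but $url could not be fetched as a CRL"
            status=1
        fi
    done
    return $status
}

CERT=$(make_test_cert)
echo "CRL Distribution Point(s) in $CERT:"
cdp_urls "$CERT"
check_ca_access "$CERT" ||
    echo "CA server access check failed (expected here: ca.company.com is only an example name)"
```

Run the check once from a host that uses the DNS server configured in NetDefendOS (scenarios 1 and 2a) and once from an Internet-connected client (scenario 2b): each run only proves resolution and reachability from its own vantage point, which is exactly why a private CA server's FQDN has to be registered in both places. A name that resolves but whose CRL cannot be fetched points at the second requirement of scenario 2b, the HTTP request not being passed through the firewall to the private CA server.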