WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.

How to use the Microsoft CA Server to create and install a certificate on your SSL VPN 5.0

Created: Nov 12, 2006 - Contributed by Jerry Hwang

This document is valid for the WatchGuard SSL VPN 5.0

Summary

This document explains how to use a Microsoft Certificate Server to issue the server certificate for the WatchGuard SSL VPN Gateway. These steps were taken on a Windows 2003 Server with the Microsoft Certificate Authority component installed.

Network Setup:
Firebox SSL VPN Gateway
Eth0: 10.20.30.40
Eth1: 192.168.1.1

MS Certificate Server / Resource server
192.168.1.2

SSL VPN Admin Tool / SSL VPN Client
10.20.30.41

Procedure
1. Start the Certificate Authority, or install the Certificate Authority component if it is not yet installed.

2. Select ‘Stand-alone root CA’.
Note: If you use Active Directory, you are advised to select Enterprise root CA.

3. This example uses ssl.seattle.com as the SSL VPN Gateway FQDN.

4. You may keep this setting.
Note: In this example, the Windows OS is installed on the D: drive.

5. Generate a .csr (certificate signing request) on the SSL VPN Gateway.

6. Save the myserver.csr file locally.

7. Go to the MS Certificate Services web site to request a server certificate for the SSL VPN Gateway:
http://192.168.1.2/certsrv

Select ‘Request a certificate’.

8. Select ‘Advanced certificate request’.

9. Select ‘Submit a certificate request by using a base-64-encoded…’.

10. Open the ‘myserver.csr’ file and copy the whole contents.

11. Paste it as shown below.

12. The request is submitted.

Now go to the Certificate Authority management console to issue the pending request.

13. Issue the pending certificate request.

14. Now you need to download the issued certificate.

15. Click the issued certificate.

16. Download the certificate.

17. Save it locally as certnew.cer.

Now go back to the SSL VPN Gateway with the certnew.cer file.

18. Open the certnew.cer file and copy the whole contents.

19. Paste it into a new text file and name it seattle.crt.

20. Upload it to the SSL VPN Gateway.

21. Browse to the ‘seattle.crt’ file and upload it.

22. You will see a message that the certificate upgrade was successful.
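Steps 17 to 19 only work if certnew.cer was downloaded in Base-64 form; Certificate Services also offers a DER-encoded download, which looks like binary garbage in a text editor and cannot be pasted into seattle.crt. The helper below is an added example, not code from the page or from WatchGuard: it accepts either encoding (or an already armored PEM file), checks that the bytes form one complete DER certificate, and writes the armored PEM file the gateway expects. The file names default to the ones used in this document; the DER length check is an assumption about the input, not a full X.509 parse.

```python
import base64
import binascii
import re
import ssl

# Matches one PEM-armored certificate (Base-64 body between the header and footer lines).
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_header_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (an X.509 certificate starts with 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length: one byte
        body_len, hdr = first, 2
    else:                                  # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(der)


def to_pem(raw: bytes) -> str:
    """Normalize certnew.cer contents (DER, bare Base-64, or PEM) into PEM text for seattle.crt."""
    m = PEM_RE.search(raw)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()))
    else:
        try:                               # bare Base-64 as Certificate Services emits it
            der = base64.b64decode(b"".join(raw.split()), validate=True)
            if not der_header_ok(der):
                der = raw                  # decoded, but not a certificate: treat the bytes as DER
        except binascii.Error:
            der = raw                      # not Base-64 text at all, so it must be DER
    if not der_header_ok(der):
        raise ValueError("input is not a complete DER-encoded certificate")
    # ssl.DER_cert_to_PEM_cert adds the armor and wraps the Base-64 at 64 columns
    return ssl.DER_cert_to_PEM_cert(der)


def convert_file(src: str = "certnew.cer", dst: str = "seattle.crt") -> str:
    """Read the downloaded file in either encoding and write the PEM file the gateway expects."""
    with open(src, "rb") as f:
        pem = to_pem(f.read())
    with open(dst, "w") as f:
        f.write(pem)
    return pem
```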

 

Each SSL client now needs to trust the MS certificate server as a root CA; this is usually done at the customer site.

Go to http://192.168.1.2/certsrv to trust certificates issued by the 192.168.1.2 Certificate Authority.

23. Click ‘Install this CA certificate chain’.

24. Customers are expected to know how to install this CA certificate chain into their users’ web browsers.

The following are the general SSL VPN settings for Secure Access Client mode and Kiosk mode.

25. Local authentication and authorization settings.

26. ‘Group1’ settings for user ‘rickylee’.

27. Kiosk settings.

Secure Access Client access

Now when an SSL user accesses https://ssl.seattle.com, the browser sees that the certificate is issued by a trusted CA, the certificate dates are valid, and the name on the certificate matches the name of the site. Everything checks out, and the ‘Secure Access Client’ agent no longer shows a security warning.

Kiosk mode access (JRE 1.5.09)

1. Download the latest JRE 1.5.09 from http://java.sun.com/javase/downloads/index.jsp and install it. (jre-1_5_0_09-windows-i586-p.exe)

2. Java JVM security will not allow an SSL connection to be established unless the certificate was issued by a certificate authority it trusts (e.g. Verisign, Thawte, etc.). Because your private Microsoft CA server is not a public CA, you have to import the root CA certificate of the MS certificate server into the JRE keystore.

Note: To check which 'Signer CA' certificates the JRE trusts by default, go to the Control Panel and open the Java Plug-in settings. Click Certificates and then Signer CA.
Note: The default supported CAs are Baltimore, Entrust, Equifax, GeoTrust, GoDaddy, GTE CyberTrust, Starfield, Thawte, Valicert, Verisign and RSA (as of jre1.5.09).

3. To download the root CA certificate of the MS certificate server, you may try this way:

After accessing the SSL VPN portal page, you can see the lock icon at the bottom right; double-click it.

4. Save the root cert as F:\mscert.cer
Note: You may save it to another location such as C:\

5. Run 'keytool' to add the root cert to the Java keystore:
D:\Program Files\Java\jre1.5.0_09\bin\keytool -import -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias MyRoot -file F:\mscert.cer
Note: The ..\lib\security\cacerts path is relative to the directory you run the command from, so run it from the JRE's bin directory (or give the full path to the cacerts file).

Now you can connect and use 'Kiosk mode'.

Kiosk mode access (JRE 1.4.2.12)

1. Download the JRE 1.4.2.12 from http://java.sun.com/j2se/1.4.2/download.html and install it. (j2re-1_4_2_12-windows-i586-p.exe)

2. D:\Program Files\Java\j2re1.4.2_12\bin\keytool -import -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias MyRoot -file F:\mscert.cer

Additional note: Whenever your Java JRE is upgraded to a new version, you must run the above procedure again. When you install the Java JRE, it also sets itself up to auto-update. For example, after you install the 1.4.2_12 JRE, almost immediately it will prompt you to upgrade to 1.5.0_06. Each installation of Sun's Java JRE also installs its own cacerts file, so you need to run the keytool utility against the newly upgraded cacerts file before Kiosk mode will work again.

The path also needs to be changed accordingly, for example: D:\Program Files\Java\jre1.5.0_06\bin\keytool -import -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias MyRoot -file F:\mscert.cer
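The note above means the trust added with keytool is silently lost on every JRE update, because each new JRE ships its own cacerts. The script below is an added example, not code from the page or from WatchGuard: it walks a Java installation root (D:\Program Files\Java in this document), checks each cacerts for the MyRoot alias with keytool -list, and runs the page's import command only where the alias is missing, so it can be re-run after every update. The alias and store password are the values the page uses; the root directory and certificate path arguments are assumptions for the example.

```python
import os
import subprocess

ALIAS = "MyRoot"            # alias used by the keytool command on the page
STOREPASS = "changeit"      # default cacerts password, as on the page


def find_cacerts(java_root: str) -> list:
    """Return every lib/security/cacerts below java_root, one per installed JRE or JDK."""
    found = []
    for dirpath, _dirs, files in os.walk(java_root):
        parts = os.path.normpath(dirpath).split(os.sep)
        if "cacerts" in files and parts[-2:] == ["lib", "security"]:
            found.append(os.path.join(dirpath, "cacerts"))
    return sorted(found)


def keytool_for(cacerts: str) -> str:
    """keytool lives in <jre>/bin, beside <jre>/lib/security/cacerts."""
    jre = os.path.dirname(os.path.dirname(os.path.dirname(cacerts)))
    return os.path.join(jre, "bin", "keytool.exe" if os.name == "nt" else "keytool")


def import_cmd(cacerts: str, cert_file: str, alias: str = ALIAS) -> list:
    """The page's import command with an absolute keystore path and -noprompt for unattended use."""
    return [keytool_for(cacerts), "-import", "-trustcacerts", "-noprompt",
            "-alias", alias, "-file", cert_file,
            "-keystore", cacerts, "-storepass", STOREPASS]


def alias_present(cacerts: str, alias: str = ALIAS) -> bool:
    """keytool -list -alias exits non-zero when the alias is not in the store."""
    r = subprocess.run([keytool_for(cacerts), "-list", "-alias", alias,
                        "-keystore", cacerts, "-storepass", STOREPASS],
                       capture_output=True)
    return r.returncode == 0


def ensure_root_trusted(java_root: str, cert_file: str) -> list:
    """Import the root CA into every cacerts that lacks it; return the stores that were updated."""
    updated = []
    for cacerts in find_cacerts(java_root):
        if not alias_present(cacerts):
            subprocess.run(import_cmd(cacerts, cert_file), check=True)
            updated.append(cacerts)
    return updated


if __name__ == "__main__":
    # Paths are the ones this document uses; adjust them for your installation
    print(ensure_root_trusted(r"D:\Program Files\Java", r"F:\mscert.cer"))
```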

 

 
