Introduction SSL-VPN. Creating and Installing Digital Certificates on SonicWALL SSL-VPN Appliances



Similar documents
Using Microsoft s CA Server with SonicWALL Devices

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the BlueSecure Controller (BSC)

TechNote. Contents. Overview. Using a Windows Enterprise Root CA with DPI-SSL. Network Security

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the vwlan Appliance

SonicWALL SSL VPN 3.5: Virtual Assist

APNS Certificate generating and installation

Using Remote Web Workplace Version 1.01

Renewing an SSL Certificate Provided by a Certificate Authority (CA) on the vwlan Appliance

Using different Security Policies on Group Level for AD within one Portal. SSL-VPN Security on Group Level. Introduction

Thirtyseven4 Endpoint Security (EPS) Upgrading Instructions

Generating a Certificate Signing Request (CSR) from LoadMaster

CTERA Portal Datacenter Edition

SSL VPN Service. To get started using the NASA IV&V/WVU SSL VPN service, you must verify that you meet all required criteria specified here:

Weston Public Schools Virtual Desktop Access Instructions

Global VPN Client Getting Started Guide

Citrix Access on SonicWALL SSL VPN

Chapter 7 Managing Users, Authentication, and Certificates

Installing and Configuring vcloud Connector

SSL-VPN 200 Getting Started Guide

How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6.

Crystal Print Control Installation Instructions for PCs running Microsoft Windows XP and using the Internet Explorer browser

IIS 6.0SSL Certificate Deployment Guide

SSL Certificates and Bomgar

Intel vpro Technology. How To Purchase and Install Symantec* Certificates for Intel AMT Remote Setup and Configuration

Microsoft OCS with IPC-R: SIP (M)TLS Trunking. directpacket Product Supplement

Windows and MAC User Handbook Remote and Secure Connection Version /19/2013. User Handbook

Using Internet or Windows Explorer to Upload Your Site

isupplier PORTAL ACCESS SYSTEM REQUIREMENTS

Quick Start Guide FLIR Firmware Update Tool

Application Note AN1502

Internet Explorer 7 for Windows XP: Obtaining MIT Certificates

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Global VPN Client Getting Started Guide

VPN Connection and Configuration

VPN Web Portal Usage Guide

SSL Management Reference

AutoInstall SSL FAQs for End Users

Dell SonicWALL SRA 7.5 Secure Virtual Meeting and Secure Virtual Assist

PCLaw Administration Guide. Version 13.0

LoadMaster SSL Certificate Quickstart Guide

Remote Access Services Microsoft Windows - Installation Guide

Federated Identity Service Certificate Download Requirements

Setting up a Virtual Private Network (VPN) connection Windows 8

Certificate technology on Pulse Secure Access

ATTENTION: End users should take note that Main Line Health has not verified within a Citrix

Director and Certificate Authority Issuance

UMMS SSL VPN Instructions

Certificate technology on Junos Pulse Secure Access

SSL VPN Support Guide

Network Connect Installation and Usage Guide

Ajera 7 Installation Guide

Scenarios for Setting Up SSL Certificates for View

How to install/upgrade the LANDesk virtual Cloud service appliance (CSA)

Installing SQL Express. For CribMaster 9.2 and Later

2. PMP New Computer Installation. & Networking Instructions

Manufacturing Representative SSL VDM Login User s Guide

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Recommended Browser Setting for MySBU Portal

VPN User Guide. For Mac

How To Use Senior Systems Cloud Services

Installing and Configuring vcloud Connector

Manual for configuring NIC VPN in Windows OS

Exchange 2010 PKI Configuration Guide

Appendix E. Captioning Manager system requirements. Installing the Captioning Manager

Contents. VPN Instructions. VPN Instructions... 1

How to Set Up SSL VPN for Off Campus Access to UC eresources

Analyzer 7.1 Administrator s Guide

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

Wavecrest Certificate

Installation and Setup Guide

For more information refer: UTM - FAQ: What are the basics of SSLVPN setup on Gen5 UTM appliances running SonicOS Enhanced 5.2?

How to install and use the File Sharing Outlook Plugin

Charter Business Desktop Security Administrator's Guide

WatchDox for Windows User Guide. Version 3.9.0

Installation and Troubleshooting Guide for SSL-VPN CONNECTIONS Access

SonicWALL SRA Virtual Appliance Getting Started Guide

Symantec PGP Whole Disk Encryption Hands-On Lab V 3.7

Driver Updater Manual

OpenClinica SSL VPN Access New User Setup Guide

How To Configure CU*BASE Encryption

Release Notes. Contents. Release Purpose. Platform Compatibility. Windows XP and Internet Explorer 8 Update

PCLaw Administration Guide

Cognos 10 Getting Started with Internet Explorer and Windows 7

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Creating an Apple APNS Certificate

Learning the Basics of Citrix Web Interface 4.6, Citrix Secure Gateway 3.1 and GoDaddy Wildcard SSL Certificate

MyNetFone Virtual Fax. Virtual Fax Installation

Internet Remote Access FirePass SSL VPN

VPN User Guide. For Mac

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Using iscsi with BackupAssist. User Guide

PC Instructions for Miller LiveArc Software

Securing Microsoft Exchange 2010 with Symantec SSL Certificates

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Installing LearningBay Enterprise Part 2

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

As your financial institution completes its system conversion, you

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Transcription:

SSL-VPN Creating and Installing Digital Certificates on SonicWALL SSL-VPN Appliances Introduction The SonicWALL SSL-VPN appliance comes with a pre-installed self-signed X509 certificate for SSL functions. A selfsigned certificate provides all the same functions as a certificate obtained through a well-known certificate authority (CA), but the user s web browser will present an "untrusted root CA certificate" security warning until the self-signed certificate is imported into their trusted root store (see Figure 1 below). This import procedure can be performed by the user by clicking the Import Certificate button within the portal after authenticating. Figure 1 Browsers warn of untrusted certificate (Internet Explorer 6.x, Firefox 2.x, and Internet Explorer 7.x)

The primary drawback of using untrusted default certificates is that every single user will have to perform this task -- for every browser they use. Also, users tend to be wary (and rightfully so) of security pop-up warnings and may be inclined to click on the No or Cancel buttons. This creates a support hassle for both the administrator(s) of the SSL-VPN appliance and for users of the device alike. The alternative to using the self-signed certificate is to generate a certificate signing request (CSR) and submit it to a wellknown CA for valid certificate issuance. Well-known CAs include Verisign (www.verisign.com) and RapidSSL (www.rapidssl.com). Certificate prices range from $75 - $1,000 a year depending on the vendor and option packages. In this whitepaper we will show you how to use RapidSSL to purchase and install trusted certificates onto the SonicWALL SSL-VPN appliance, as RapidSSL is inexpensive and does not use intermediate certificates. You may use certificates from other vendors, or even make your own, as long as they are x509v3-compliant. Recommended Versions SonicWALL SSL-VPN Firmware 1.5.0.3 or newer Customers with current service/software support contracts can obtain updated versions of SonicWALL SSL-VPN Firmware at https://www.mysonicwall.com. Updated SonicWALL SSL-VPN Firmware is also freely available to customers who have registered the SonicWALL SSL-VPN appliance on MySonicWALL for the first 90 days. Caveats SonicWALL SSL-VPN appliances must reboot when activating new certificates. Please make arrangements for network downtime when installing and activating your new certificate. Certificates and keys are not stored in the preferences file, and cannot be exported once installed. Please keep the original copies of the CSR, server.key, and server.crt in a secure location. RapidSSL has an option package to display a SiteSeal link on the front page of a website. This functionality is not supported in any current version of the SSL-VPN firmware, but will be included in a future release. Please DO NOT attempt to add the SiteSeal code to the Portal Layout Login Message section, as it will corrupt the settings for the Portal Layout. Deployment Prerequisites On the SonicWALL SSL-VPN appliance: Create backup image on SSL-VPN appliance (not supported on SSL-VPN 200) Export settings and store in safe place Install firmware 1.5.0.3 or newer Other items to note before you begin: This process will take about one hour, end to end, and will require reboots. Please plan accordingly with your users for a network downtime window of two hours to be safe. You will need a valid credit card number to purchase the certificate from RapidSSL You will need a valid email address so that RapidSSL can email you during the certificate generation process You will need a working phone number so that RapidSSL s automated system can contact you during the certificate generation process You will need a workstation with browser and Internet connectivity SonicWALL does not provide technical support for any certificate authority vendor. If you encounter issues with the certificate generation process, you will need to contact your certificate vendor. 2

Deployment Tasklist Adjust management workstation s browser settings Create backup image on SSL-VPN appliance Export settings on SSL-VPN appliance Upload new software onto SSL-VPN appliance Configure workstation browser to accept pop-ups from SSL-VPN appliance Create CSR and save to desktop Extract server.csr file, save to desktop, open, and copy contents to clipboard Extract server.key and save to desktop Purchase certificate from RapidSSL Retrieve signed certificate from email and convert to server.crt file Create certkey.zip file containing server.key and server.crt file Import certkey.zip file into SSL-VPN appliance Activate new certificate and reboot Test to ensure new certificate is active Store server.csr, server.key, and server.crt in safe place Procedure Step 1. On the management workstation, configure the web browser to accept pop-ups from X0 IP address of the SSL- VPN appliance if you will be managing the device from the internal network, or from the mapped public IP address/fullyqualified domain name if managing the device externally. For an example, see Figure 2 below. If you do not complete this step, you will have issues exporting the settings and CSR files from the SSL-VPN appliance. Figure 2 Configuring management browser to accept pop-ups from SSL-VPN appliance 3

If your management workstation is Windows XP or Windows 2003, you will also need to configure Microsoft Internet Explorer to allow downloads. This procedure will allow Web sites to automatically prompt you when downloading files and software (bypassing the Information Bar). a. Open Internet Explorer. b. On the Tools menu, click Internet Options. c. On the Security tab, click Custom Level. d. Do one or both of the following: To turn off the Information Bar for file downloads, in the Downloads section of the list, under Automatic prompting for file downloads, click Enable. To turn off the Information Bar for ActiveX controls, in the ActiveX controls and plug-ins section of the list, under Automatic prompting for ActiveX controls, click Enable. Step 2. Log into the SSL-VPN appliance s System > Settings page, click on the Store Settings button, and then click on the Create Backup button. This process takes 1-2 minutes to complete. Step 3. On the same page, click on the Export Settings button. The SonicWALL SSL-VPN appliance will export two settings files into a ZIP file. Save this to the desktop we will be saving this file, and others, in an upcoming step. Step 4. Download firmware version 1.5.0.3 or newer for your SSL-VPN 200, SSL-VPN 2000 or SSL-VPN 4000 appliance from the MySonicWALL customer portal. On the SSL-VPN appliance s System > Settings page, click on the Upload New Firmware button and upload this new firmware to the device. The upload and reboot process may take 5-10 minutes to complete. When the SSL-VPN appliance has rebooted, log back in to ensure the device is functioning, test all bookmarks and the NetExtender client. Step 5. Go to the System > Certificates page and click on the Generate CSR button. On the pop-up that appears, fill out all fields you will need to populate all fields please note that some Certificate Authorities require that the State: field be filled out with the full state name and not the abbreviation. NOTE: The most important field is the Domain Name (FQDN): field, as this is the name that needs to be mapped to the SSL-VPN appliance s external public IP address, and is the name that users will use to access the SSL- VPN appliance portal(s). In the example on the next page (See Figure 1), the SSL-VPN appliance uses a fully-qualified domain name (FQDN) of waffle.vpntestlab.com, which in the authoritative DNS servers for the vpntestlab.com domain is mapped to the SSL- VPN s external public IP address. You will also need to create a password to protect the key being generated please note this password as it will be used in an upcoming step, and will be used any time in the future you need to re-import the certificate and key. 4

Figure 3 Filling out the CSR before submitting to the CA Step 6. When done, click on the Submit button. It will prompt you to save csr.zip save this to the desktop. Step 7. Open up csr.zip and copy contents of csr.zip using a text editor such as Notepad (do *not* use WordPad or Microsoft Word), or to the clipboard. The output will look like this: -----BEGIN CERTIFICATE REQUEST----- MIIB5jCCAU8CAQAwgaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNVBAoTCVNvbmljV0FMTDERMA8GA1UE CxMIU1dFTkdMQUIxITAfBgNVBAMTGHRhcmFudHVsYS52cG50ZXN0bGFiLmNvbTEj MCEGCSqGSIb3DQEJARYUYWRtaW5AdnBudGVzdGxhYi5jb20wgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAOYzkf4JJ/41RVSrV8JnAAzUINPJqWgpnF/Ecj+QzrhT zxzlc0nqngx9hqltbqe3ypnnxj77sd1ttf/pajvkb1d4ui/dg4l7t5ujyypvyey0 g4uz8gme6es6ucln+wxj2htzgd7lm8zqq9b4p/r0rbnx6ellvtiveopm0vadudan AgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQCdL1G5bjkQgnT02nj08TRhR62vb/76 S3DF9djN1wpjzKg4V9fZEy8dGHYDyEXv8Wh+OrmL6BvyH8nSF0fBBpiejEPUGAe2 wwfzihruxzep5wtxtkwdh+i88k+7458bpz48onm8dkz29oantjmf1pe/nawtmocw eumm2w4rgwr0gw== -----END CERTIFICATE REQUEST----- 5

Step 8. Now you are ready to purchase and create your digital certificate. Using a web browser, go to: https://products.geotrust.com/orders/rapidssl.do?ref=freesslnsupport Please note that this step is a fairly complex process involving multiple pages, several emails, and an automated phone call, but if you follow the steps and instructions on their site carefully, it doesn t take that long. As noted before, you will need credit card, valid email address, and working phone number where you can be reached to complete this step. When you are ready, choose the Validity Period for the certificate this simply means how long the certificate will be good for. We recommend that you purchase a certificate good for two or three years otherwise you will have to redo this in a year (trust us, you will forget, and one day you ll get a bunch of confused and/or irate phone calls from users getting certificate warnings from the expired certificate). Under Renewal select the radio button next to Initial Order, and under Competitive Replacement select the radio button next to No, I can t take advantage of this order. In Figure 4 below, the Starter SSL w/siteseal package has been chosen with the 2 years option. Figure 4 Choosing a RapidSSL SSL Certificate Package 6

Step 9. Scroll to the bottom of this page, as there are a few more options. Under Reissue Insurance, you can either choose to get insurance or not this is entirely up to you. Under Server Licenses select 1 from the drop-down. For an example see Figure 5 below. When you are ready, click on the Continue button to move to the next step. Figure 5 Choosing a RapidSSL Certificate Package, continued 7

Step 10. Paste the CSR contents from the clipboard into the Certificate Signing Request box. For an example see Figure 6 below. When you are ready, click on the Continue button to move to the next step. Figure 6 Entering the CSR. 8

Step 11. Verify that the FQDN that you desire is listed on the screen. If not, you will need to go back to the SSL-VPN Appliance, redo the CSR, and replace it on this screen. For an example see Figure 7 below. Figure 7 Verifying your CSR. Step 12. Enter the details of your administrative, technical, and billing contact. You can choose to make these the same if you wish. Figure 8 Entering the Contact Info 9

Step 13. RapidSSL will do a domain lookup and determine the technical and/or administrative contacts. If it cannot find them it will prompt you to choose who will receive your certificate request for process approval. Figure 9 Approval Authority 10

Step 14. Enter a valid credit card. Figure 10 - Credit Card details Step 15. Review the order. Figure 11 Completed order 11

Check box I agree, then click on Submit Order button. Step 16. On the next page, enter in a phone number where you can now be reached, as an automated system needs to call you to finalize the certificate generation process. Do exactly what it says and watch the screen. When it verifies you, it will display a thank-you page and an order number. Write this order number down and close the browser. Step 17. Wait a few minutes, and then check your email you should have a bunch of emails from RapidSSL. Find the one whose subject line is RapidSSL Certificate Request Confirmation and open it click on the link it contains and click on the I approve button. This will finish the order process you will then receive an email containing the certificate in text format it will look like this (see below). -----BEGIN CERTIFICATE----- MIIDeDCCAuGgAwIBAgIDAzcOMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4 IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDYwMjEyMjExMjQ0WhcN MDcwMjEzMjExMjQ0WjCB5zELMAkGA1UEBhMCVVMxITAfBgNVBAoTGHRhcmFudHVs YS52cG50ZXN0bGFiLmNvbTE4MDYGA1UECxMvYnVzaW5lc3Nwcm9maWxlLmdlb3Ry dxn0lmnvbs9nzxquannwp0dumze0mzu1nzkxjzalbgnvbasthlnlzsb3d3cucmfw awrzc2wuy29tl2nwcyaoyykwntevmc0ga1uecxmmrg9tywluienvbnryb2wgvmfs awrhdgvkic0gumfwawrtu0wouikxitafbgnvbamtghrhcmfudhvsys52cg50zxn0 bgfilmnvbtcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea5jor/gkn/jvfvktx wmcadnqg08mpacmcx8ryp5doufpndkslq1a2bf0eou1up7dik01epvux3vo1/88a lwrvuphqj92dgvu3m4nlkm/irjsdi5nyawtp6zpryu35zcnydnkz3sszznbd0hg/ 9HRFudfp4uVVOJV6g+bRUB24MA0CAwEAAaOBvTCBujAOBgNVHQ8BAf8EBAMCBPAw HQYDVR0OBBYEFN5wVYtLyJ+XC7LBpPggFvfnlhWnMDsGA1UdHwQ0MDIwMKAuoCyG Kmh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvZ2xvYmFsY2ExLmNybDAfBgNV HSMEGDAWgBS+qKB0clBrRLfJI9j7qP+zV2tobDAdBgNVHSUEFjAUBggrBgEFBQcD AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQBQuZcW A4B6SsPwbJ8w0nYyc9XH9LaoKGFUQubI0k9wGmJWSfz+RWzNMCX1pW6vwOAZ/t2C db0gqsxka6t00ncut9q/nfbcrumkculjj0t/wlzhluxzxwhzclex/ubxqii4kqx3 HDxugcjdesG6LLxFtq/WPUC9GToUXXfLXGil+g== -----END CERTIFICATE----- Step 18. Copy the certificate section from the email into a new notepad document and save it as server.crt to the desktop. Step 19. Now, open the other ZIP file and extract the server.key file. Create a new zipfile called certkey.zip and put server.crt and server.key into it (see Figure 12 below). Figure 12 Creating the ZIP file containing the key and certificate 12

Step 20. Login to SSL-VPN appliance and go to System > Certificates. Click on Import certificate button. In the pop-up that appears, select the certkey.zip file you just created and click on import. Figure 13 Certificate management on SSL-VPN appliance Step 21. If it is successful, the screen will now say pending. To activate the certificate, click on Configure icon next to new cert. You will be prompted to enter the password you entered when creating the CSR. Enter this and click on the Submit button. The screen will now say inactive (See Figure 14 below). Figure 14 Certificate management on SSL-VPN appliance NOTE: This next step will reboot the box. Select the Enable radio button next to the new certificate and click on the Apply button in the upper-right-hand corner. Step 22. After the reboot, log back in. You should no longer be getting the prompt. If you are using IE, locate the gold lock icon in the lower right hand side of the browser. If you click on this lock, you will see the certificate details. Step 23. Save all files from the previous steps to a secure location. You will need these files should you ever need to restore the SSL-VPN appliance s settings from default. Document created: 01/18/06 Last updated: 05/10/07 Version 1.5 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information