Global VPN Client: How to Use Certificates for Additional Security

The use of certificates is not a subject one should take lightly. There are multiple ways to implement certificates for additional security, and in different places. This technote covers the case where certificates are used with a Microsoft AD in combination with the Global VPN Client version 3 from SonicWall.

This setup assumes:
- DHCP over VPN, with the SonicWall acting as DHCP server
- XAUTH using LDAP (which in this case is already configured for use)
- Administrator privileges on the AD controller

In some cases it is required to lower, among other things, the IE security settings. There may also be Microsoft- and/or administrator-specific issues that are outside the scope of support.

The following subjects will be discussed:
1. Installing Certificate Services
2. Retrieve Root Certificate
3. Import the Root Certificate into a SonicWall TZ170e
4. Add a Signing Request
5. Sign the request to a valid certificate
6. Import Signed Certificate
7. Request and Install a user Certificate on a remote computer
8. Export user certificate for usage in the Global Client
9. SonicWall Group VPN policy configuration
10. Import user certificate into the Global Client
1. Installing Certificate Services

The first step is to install Certificate Services on your domain controller. In this example the AD is also installed on this domain controller. For this service to work, IIS is mandatory.
1. To add the service, go to the Control Panel and open Add or Remove Programs.
2. Go to Add/Remove Windows Components - Components.
3. Tick the checkbox for Certificate Services (under Details you can see that both sub-components are activated).
4. During the installation the IIS service will be disabled when active; please make sure that after installation the IIS service is activated again.
2. Add Root Certificate

On your domain controller open a web browser and go to http://127.0.0.1/certsrv. Select "Retrieve the CA certificate or certificate revocation list". In the screenshots used for this technote, port 90 is used for the default website, so you may notice this port in various URLs. In a basic situation the additional port in the URL is not needed, as port 80 is the default for HTTP.
The next step is to download the root CA certificate. Press "Download CA certificate" and leave the encoding on DER. When downloading the Root CA certificate, choose the location where you want to save it.
3. Import the Root Certificate into a SonicWall TZ170e

For importing this certificate into a SonicWall we used a TZ170 Enhanced with firmware 3.1.0.11e. The certificate is saved on the local hard drive, so it can be imported as follows: press Import.
Make sure you have selected the second choice: "Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file". Once selected, browse to the location where you saved the Root CA certificate.
Hit the Import button.
Once imported you should see the following screen where your Root CA is listed:
4. Add a Signing Request

Now that the Root CA has been imported, a local certificate for the SonicWall is needed. Go to System - Certificates and press the New Signing Request button:
In the following screen the request needs to be filled out with the appropriate settings. In this example we chose a 1024-bit key, which we also use later on. Press Generate to complete the request.
Once the request is made, it needs to be exported for signing.
When exporting, you can choose the location where the request is saved. In this procedure the request is saved as a PKCS#10 (.p10) file.
Once saved, the type of the certificate signing request changes to "Pending request" and the request is ready to be validated by the CA.
5. Sign the request to a valid certificate

The pending request is signed as follows: go to http://127.0.0.1/certsrv and select "Request a certificate", followed by "Advanced request".
Choose the option in the middle.
In the screen that follows you have two options to submit the request: you can either browse to the location where you saved the pending request (.p10), or you can open that file in an editor and copy-paste its contents. In this example we choose Browse.
Now you can download the certificate signed by the CA to a location on your hard drive. Once completed, you can import the signed request into the SonicWall. This is handled in the next section.
6. Import Signed Certificate

At this point the certificate is signed and ready to be uploaded. The following section shows how to do this. Log into the SonicWall and go to System - Certificates.
On the pending request, press the Upload button indicated by the red circle. You will then get an additional browse screen. Click the Browse button and go to the location where you saved the signed request, as illustrated below.
After the upload you will see that the certificate has been validated: in the Validated column you should see Yes. If No is shown, repeat the previous steps to complete the procedure.
7. Request and Install a user Certificate on a remote computer

In the previous chapters we created a Root CA and a certificate for the SonicWall itself. Now it is time to create the user certificate. Afterwards this certificate needs to be imported into the Global Client, together with the Root CA certificate. There are several ways to provide the user certificate to the remote user's computer; the fastest and easiest way is described in the following section. For other methods and additional information, please visit the Microsoft web page www.microsoft.com. On your domain controller go to http://127.0.0.1/certsrv
Select "Administrator" here; in this example we use the administrator. Also set the key size to 1024 bits, as we used 1024 bits previously in this technote. The next important thing is to mark the keys as exportable. This way, when the certificate is imported, the fields for the private key will not be grayed out.
After submitting, click Yes on the pop-up and install the certificate as indicated on the next page.
8. Export user certificate for usage in the Global Client

In this example the user certificate has been installed in the web browser of the domain controller. The following steps show how the certificate can be exported from the browser to a file. The file will be in PFX format and can later be imported into the Global VPN Client. Go to Internet Explorer's Internet Options, then to Content - Certificates. You will see the certificate in the Personal tab. Click on it and export it to a file using the wizard:
You are almost done with the configuration of certificate usage for the Global Client. The next step is the configuration of the Group VPN policy in the SonicWall.
9. SonicWall Group VPN policy configuration

In this section you configure the Group VPN policy to use the certificate. First go to System - Certificates and press the diskette icon on the local certificate. You will get the following screen. In this example we use the distinguished name. Copy the distinguished name, including the slash (/) at the start of the string. The string you use must of course be the complete one; in this technote some entries have been removed from the screenshot.
After copying the distinguished name string, go to VPN - Group VPN and configure the policy. Change the IPsec keying mode from "IKE using Preshared Secret" to "IKE using 3rd Party Certificates". Change the Peer ID type to Distinguished Name. Change the value <NULL> to the string you copied earlier.
Press OK.
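Two places in this procedure come down to comparing distinguished names exactly: in step 6 the uploaded certificate only validates if its issuer is the Root CA you imported, and in step 9 the Peer ID pasted into the Group VPN policy must match the SonicWall certificate's subject character for character, leading slash included. The following script is an added example (not SonicWall's or Microsoft's code) that walks the DER of a certificate or of the exported .p10 request and renders the names in the same slash-delimited form. The certificate, request and DN values in it are constructed placeholders, and the slash format with the component order as shown is an assumption based on the technote; always copy the string the SonicWall itself displays.

```python
# Added example (not SonicWall's or Microsoft's code): a minimal DER walker that
# extracts issuer/subject Distinguished Names from a DER certificate or PKCS#10
# request and renders them as /C=../O=../CN=.., the form the technote copies into
# the Group VPN policy as Peer ID. All sample bytes below are constructed here.

OID_SHORT = {  # DER-encoded attribute OIDs -> the usual short names
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}
SHORT_OID = {v: k for k, v in OID_SHORT.items()}

def _tlv(tag, content):
    """Encode one DER tag-length-value (definite lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _children(content):
    """Split a run of DER elements into (tag, inner bytes, raw TLV bytes) tuples."""
    out, pos = [], 0
    while pos < len(content):
        start, tag, length = pos, content[pos], content[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(content[pos:pos + nbytes], "big")
            pos += nbytes
        out.append((tag, content[pos:pos + length], content[start:pos + length]))
        pos += length
    return out

def dn_slash_format(name_der):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as /C=../CN=..
    Attribute values are assumed ASCII-compatible (PrintableString/UTF8String)."""
    tag, rdn_sequence, _ = _children(name_der)[0]
    if tag != 0x30:
        raise ValueError("not a DER Name")
    parts = []
    for _, rdn_set, _ in _children(rdn_sequence):
        for _, atv, _ in _children(rdn_set):
            (_, oid, _), (_, value, _) = _children(atv)
            parts.append(f"{OID_SHORT.get(oid, oid.hex())}={value.decode('utf-8')}")
    return "/" + "/".join(parts)

def cert_names(cert_der):
    """Return (issuer, subject) of a DER X.509 certificate in slash format."""
    _, tbs, _ = _children(_children(cert_der)[0][1])[0]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return dn_slash_format(fields[2][2]), dn_slash_format(fields[4][2])

def csr_subject(csr_der):
    """Return the subject of a DER PKCS#10 request (the exported .p10) in slash format."""
    _, cri, _ = _children(_children(csr_der)[0][1])[0]
    fields = _children(cri)                    # version, subject, subjectPKInfo, attributes
    return dn_slash_format(fields[1][2])

def chain_ok(leaf_der, ca_der):
    """Step 6 sanity check: leaf issuer == Root CA subject (names only, no signature check)."""
    return cert_names(leaf_der)[0] == cert_names(ca_der)[1]

def peer_id_matches(policy_value, cert_der):
    """Step 9 check: the Peer ID string must equal the subject exactly, leading slash included."""
    return policy_value == cert_names(cert_der)[1]

# --- constructed sample material: placeholder DNs, dummy algorithm, key and signature ---
def encode_name(rdns):
    """Build a DER Name from [(short_name, value), ...]; used only to make the samples."""
    sets = [_tlv(0x31, _tlv(0x30, _tlv(0x06, SHORT_OID[s]) + _tlv(0x0C, v.encode())))
            for s, v in rdns]
    return _tlv(0x30, b"".join(sets))

_ALG = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSAEncryption
_SPKI = _tlv(0x30, _ALG + _tlv(0x03, b"\x00\x00"))                        # placeholder key
_SIG = _tlv(0x03, b"\x00" * 17)                                           # placeholder signature
CA_DN = encode_name([("C", "NL"), ("O", "EXAMPLE-ORG"), ("CN", "Example Root CA")])
FW_DN = encode_name([("C", "NL"), ("O", "EXAMPLE-ORG"), ("CN", "tz170-example")])

def _fake_cert(issuer, subject):
    validity = _tlv(0x30, _tlv(0x17, b"060101000000Z") + _tlv(0x17, b"160101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ALG
               + issuer + validity + subject + _SPKI)
    return _tlv(0x30, tbs + _ALG + _SIG)

def _fake_csr(subject):
    cri = _tlv(0x30, _tlv(0x02, b"\x00") + subject + _SPKI + _tlv(0xA0, b""))
    return _tlv(0x30, cri + _ALG + _SIG)

ROOT_CA_DER = _fake_cert(CA_DN, CA_DN)          # self-issued root, like the downloaded .cer
SONICWALL_CERT_DER = _fake_cert(CA_DN, FW_DN)   # the signed request uploaded in step 6
SONICWALL_CSR_DER = _fake_csr(FW_DN)            # the exported .p10 from step 4

if __name__ == "__main__":
    print("CSR subject   :", csr_subject(SONICWALL_CSR_DER))
    print("issuer/subject:", cert_names(SONICWALL_CERT_DER))
    print("chain ok      :", chain_ok(SONICWALL_CERT_DER, ROOT_CA_DER))
```

To use it on real files, read the .cer and the downloaded signed certificate with `open(path, "rb").read()` and pass the bytes to `cert_names` or `chain_ok`; the .p10 exported in step 4 goes to `csr_subject`. The walker reads names only, so a `True` from `chain_ok` means the issuer and subject strings match, not that the signature verifies. Note also that the 1024-bit keys used throughout this technote were current for the firmware and client versions it describes; that key size is no longer considered adequate for signatures, so a new deployment should choose a larger key in step 4 and step 7.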
10. Import user certificate into the Global Client

When the remote PC has the *.pfx file and the Root CA .cer file, open the Global Client, go to View - Certificate Manager and import both files accordingly: the Root CA goes to Trusted Root CA and the *.pfx file goes to User Certificate. Once imported, open a connection with the Global Client. When prompted, import the user certificate and use the password for this certificate.

Created by Mohammed Ouadar and Jasper Krenning
SonicWall EMEA Technical Support