topic Re: ICA Management Tool in Firewall and Security Management

ICA Management Tool

Jack_Prenderga1 — Thu, 12 Apr 2018 11:07:13 GMT

Hello.

When I try create and download certificates, or edit the CA settings, I get this

The URL you requested could not be found on this server.

This is when I am connected to the ICA management tool on 18265.

Any advice?

Re: ICA Management Tool

Danny — Thu, 12 Apr 2018 12:37:14 GMT

The ICA Management Tool is disabled by default. You can enable it on the CLI of your SmartCenter Server.

Example: cpca_client set_mgmt_tool on -no_ssl

Access the WebUI of your ICA Management Tool via : http://<ip-of-your-smartcenter>:18265

cpca_client [-d] set_mgmt_tool on|off [-p <ca_port>] [-no_ssl]
[-a|-u "administrator|user DN" ... ]
* on starts the ICA Management Tool (on port 18265)
* off stops the ICA Management Tool
* -p specifies a different port to access the ICA Management Tool
* -no_ssl starts the ICA Management Tool on http instead of https
* -a "administrator DN"

Sample screenshot:

If your issue remains, try to work on CLI only by using the following commands:

cpca_client lscert

cpca_client create_cert

cpca_client revoke_cert

Re: ICA Management Tool

Jack_Prenderga1 — Thu, 12 Apr 2018 12:46:28 GMT

Danny,

thanks for your reply.

it is enabled. I can connect to the tool, and get the same pages as you provided. Whenever I try download a certificate, it comes up the error above. A few other parts to the site display the same error too.

if I did it via clish, how would I download the cert? Or retrieve it?

Re: ICA Management Tool

Jack_Prenderga1 — Thu, 12 Apr 2018 12:46:59 GMT

In addition, I do have SSL enabled. Should I disable it as you said above?

Re: ICA Management Tool

Danny — Thu, 12 Apr 2018 12:48:31 GMT

That's what I suggested to try. May I ask what you are trying to do with the ICA Management Tool that SmartDashboard can't?

You would copy certs off your SmartCenter's CLI via scp of course.

Re: ICA Management Tool

Jack_Prenderga1 — Thu, 12 Apr 2018 13:17:15 GMT

You maybe able to help me here actually.

I am setting up the authentication for mobile remote access. I want all corporate machines, connection to the IPSEC VPN to have a personal certificate, and also RADIUS auth.

I know there is an option under multiple auth for cert+user and password.

I believe the 'personal certificate' part needs to be created by the internal CA, hence why I am trying to log into the ICA.

Am I doing this wrong? I want 1 generic certificate that I can generate and deploy via group policy to all corporate machines, so non-corporate machines can not connect, regardless if they can authenticate via RADIUS.

1) Would this work?

2) Is this the best way to do it?

Danny - your help is appreciated. I feel like I am running around in circles at the moment.

Re: ICA Management Tool

Danny — Thu, 12 Apr 2018 13:27:51 GMT

Typically you'd create personal certificates within SmartDashboard within the User Properties of your User Accounts.

Re: ICA Management Tool

Jack_Prenderga1 — Thu, 12 Apr 2018 13:34:19 GMT

Okay, I have a question for you then.

So, as above, we need a certificate for machines, not users. We may have multiple users over the year using the same corporate laptop. We need 1 certificate we can deploy across all corporate machines, so its locked and stored there, and deployed via group policy.

If I did it that way, through SmartDashboard, how could I create 1 generic one for machines, and not tie it to single users? We have over 4000 employees, and 3000 corporate laptops. Obviously it would be impossible deploy a certificate for every user, or every machine.

1 generic one would do the trick. Any clues?

Thanks again.