Advisor

SSL VPN Certificates

I have a question re SSL VPN certificates - using 3rd party certificates.

My understanding is that if you use SNX you generate the CSR via the IPSec VPN page, get the valid cert, then "complete" the cert via the IPsec VPN page.  This certificate has no bearing on Mobile Access.

If you enable Mobile Access, you generate the CSR via the command line, get the cert, then import it via the Platform Portal page.  So this is a different cert to what SNX would use.

My customer currently uses SNX (not MAB) and has a certificate for that, with 200 clients connecting using the VPN client.  That's working well.  But now they're interested in Mobile Access which would require purchasing another certificate.  

Will enabling MAB and installing a new certificate cause the existing VPN clients to moan?

Will the new MAB certificate override what the existing VPN clients see when connecting (and cause a certificate mis-match type error message to pop up for the users)?

Is there a way to use the same certificate for both the IPSec and Platform Portal tabs?

8 Replies
Leader

You can use the same certificate. Import your existing certificate to the MOB-configuration via SmartConsole.

If the SNs in the certificate match the MOB-Portal DNS name, everything should be fine.

And yes you're right, if you enable MOB you get the certificate from the MOB-Portal.

What did you mean by VPN clients? SNX is clientless SSL VPN; only the small SSL extender agent is installed, not a real VPN client.

Wolfgang

Contributor

Hello Wolfgang,

I installed a new SSL certificate for Mobile Access in gateway properties: Mobile Access --> Portal Settings --> Certificate --> Replace.

As I understand it, this shouldn't have affected the setting for VPN clients. The certificate for VPN clients is specified in gateway properties: VPN Clients --> "the gateway authenticates with this certificate".

But the Endpoint Security VPN client gets this error: The site's security certificate is not trusted

Therefore the gateway uses the Mobile Access certificate for VPN clients and doesn't use the certificate configured for VPN clients.

Could you please explain whether this is normal behavior or a bug?

Leader

@Maxim_Medvedev 

Yes, this is normal behaviour.

The first connection from the endpoint client is an SSL handshake with the gateway. If the MOB blade is activated, this will be done with the MOB certificate.

Same behaviour is described here:

Mobile Access certificate fingerprint presented on Remote Access client 

Wolfgang

Contributor

Thank you, now it's clear, this sk is very helpful.
Another question on the topic:
Would the gateway work correctly with a wildcard certificate like *.mydomain.com?
Or is full DNS name matching required?
For example, the Mobile Access portal has the DNS name sslvpn.mydomain.com and the VPN site has vpn.mydomain.com.
Leader

@Maxim_Medvedev 

Yes, that works.

Wolfgang 
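To make the wildcard question above concrete, here is an added example (not code from the thread or from Check Point) that checks whether a certificate's DNS names cover both the Mobile Access portal name and the VPN site name, applying the usual one-label wildcard rule; all certificate names are constructed.

```python
"""Added example: does a certificate's SAN list cover both hostnames?

Assumed inputs: a list of dNSName entries as they appear in the
certificate's Subject Alternative Name extension (constructed here,
not read from a real gateway), and the hostnames clients connect to.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry (possibly a wildcard) matches hostname.

    A wildcard is honoured only when it is the entire leftmost label, it
    matches exactly one label, and it never matches the bare domain itself
    (so *.mydomain.com covers vpn.mydomain.com but not mydomain.com or
    a.b.mydomain.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject wildcards that are not the whole first label, or that would
    # cover a public suffix such as "*.com".
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(san_names, hostnames):
    """Map each required hostname to the SAN entry covering it, or None."""
    return {
        host: next((p for p in san_names if hostname_matches(p, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    required = ["sslvpn.mydomain.com", "vpn.mydomain.com"]
    # Constructed wildcard certificate: covers both names.
    print(cert_covers(["*.mydomain.com"], required))
    # Constructed portal-only certificate: the VPN site name is uncovered,
    # so a client connecting to vpn.mydomain.com sees a name mismatch.
    print(cert_covers(["sslvpn.mydomain.com"], required))
```

The SAN entries for a live gateway can be read from the certificate it presents on port 443 (for example with openssl s_client) and passed in place of the constructed list.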

Leader

IPsec does not use an SSL certificate.
MAB uses either an SSL cert or an IPsec host-based cert.
I think you need to learn a little about the MAB and Remote Access security from CP ...

Search the support site for sk's about MAB.
Jerry
Leader

Hello Jerry,

You're right with your answer.

But as I understand Matt, he is already using SNX (SSL extender), and for this an SSL certificate is in use.

And this same certificate can be imported into the MAB. You can use there the one created from the SmartCenter's CA or from a third party.

Wolfgang
