Setting up Certificate Authentication for SonicWall SRA / SMA 100 Series


SonicWall SRA and SMA devices now have the option to authenticate using Client User Certificates. This is a guide on how to implement this using a Domain CA Certificate along with User Certificates. This guide is based on SMA Firmware 8.6.0.3-11sv and Microsoft Server 2008 R2.

It is presumed that you have already set up an Authentication Domain using Active Directory for your Domain on the SRA/SMA Appliance, as this will be needed for the Group Affinity Checking.

There are two different options when setting up an SSL VPN domain requiring client certificates:

1. A standalone SSL-VPN domain which only uses Client Certificates. If using this method, it is recommended to consider restricting the expiry on the certificates, or at least to use a specific OU for Mobile users on the Group Policy rather than issuing User Certificates to all the Domain Users.
2. On a new or already configured SSL-VPN Domain, you can turn on the Enable Client Certificate Check option to provide further security.

Sections:

Setting up the SRA / SMA
Setting up User Certificates on the Domain Controller
Setting up the Group Policy
Exporting and Importing the User Certificate
Connecting to the SSL VPN Portal and NetExtender / Mobile Connect

Copyright 2018 NetThreat Ltd

Setting up the SRA / SMA

If you have not already set up User Certificates on your domain, go to the section Setting up User Certificates on the Domain Controller.

1. In the SMA GUI, go to System/Certificates and import your domain CA certificate in the Additional CA Certificates section at the bottom.
2. Navigate to Portals/Domains and select Add Domain.

3. Select Authentication Type as Digital Certificate. Set the rest as below and add your Domain CA Certificate to the Trusted CA certificates.
4. To enable client certificate enforcement on an already configured SSL-VPN Domain, set as below, adding any partial DN required.

Setting up User Certificates on the Domain Controller

N.B. Auto Enrol is only supported on the following Windows Server operating systems: Server 2003 Enterprise, Server 2008 Enterprise, and Server 2008 R2 and later on at least the Standard version.

Make sure you have the Active Directory Certificate Services Role installed. If you want users to request the Certificates manually, then also add the role Certification Authority Web Enrollment (not discussed in detail in this document). For further support on that feature, see https://technet.microsoft.com/en-us/library/cc732895(v=ws.11).aspx

1. To start the Certification Authority, either type certsrv.msc in the run console or go to Start/Administrative Tools/Certification Authority.
2. Expand the menu as below, right click on Certificate Templates and select Manage.

3. Select the User Template. Right click and select Duplicate Template. Next, select the option Windows Server 2008 Enterprise and select OK.
4. Give the new Template a relevant name and select the Validity and Renewal Periods as required.

5. Under the Security Tab you need to make the following changes to the Domain Users permissions:
6. Important: unless every user to whom you wish to deploy a User Certificate has an email address entered in their account under the General settings menu in AD, you will need to un-tick Include e-mail name in the subject name under the Subject Name menu.
7. Once the new Template has been saved, you can select it to be used to issue User Certificates. To do this, right click on Certificate Templates and select New/Certificate Template to Use.

8. Select your new Template from the list and select OK, then exit the console.

Setting up the Group Policy

1. To start the Group Policy Management Console, either type gpmc.msc in the run console or go to Start/Administrative Tools/Group Policy Management.
2. Expand the Domains, then right click and select Create a GPO in this domain as below. If you only want to auto enrol User Certificates for a specific AD group, you will need to create a new Organizational Unit and make sure the Users are moved to that OU in Active Directory.

3. Name the GPO as below.
4. Once created, right click and select Edit, then browse to User Configuration/Windows Settings/Security Settings/Public Key Policies.

5. On Certificate Services Client - Certificate Enrollment Policy, right click and select Properties, set it to Enabled, then select Apply and OK.
6. Now do the same for Certificate Services Client - Auto-Enrollment and set as below:
7. Once configured, apply and exit the Group Policy Management console.
8. To push the policy out to the Domain Users, run the gpupdate /force command from the command prompt. They will then be issued their User Certificate the next time they log on to the Domain.

Exporting and Importing the User Certificate

1. To export the User Certificate, go to MMC, add the snap-in for Certificates and select OK.
2. Browse to Personal, right click on your Certificate and choose Export.

3. Choose Yes, export the private key.
4. Select Include all certificates in the certification path and Export all extended properties.

5. Give the Certificate a password and then save it to a relevant folder.
6. The import procedure may differ depending on the browser used. For I.E. and Chrome, you can right click the certificate file, select Install PFX and go through the wizard.
7. For Firefox, go to Options/Privacy and Security/View Certificates, select the Your Certificates tab and choose Import.
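The export steps above (private key plus the full certification path) can also be scripted. The following PowerShell is an added example, not part of the original guide: it first checks that the auto-enrolled certificate is valid and usable for client authentication, then exports it. The CA name fragment and output path are placeholders, and Export-PfxCertificate requires the PKI module shipped with Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original guide.
# Assumed placeholders: the CA name fragment and the output path.
$CaNameFragment = 'CN=EXAMPLE-DOMAIN-CA'   # placeholder: part of your domain CA's name
$OutFile        = Join-Path $env:USERPROFILE 'sslvpn-user.pfx'   # placeholder path
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$WarnDays       = 30                       # warn when expiry is this close

$now = Get-Date

# Candidates: issued by the domain CA, inside the validity window, carrying the
# Client Authentication EKU, with the private key present in the user's store.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Issuer -like "*$CaNameFragment*" -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
})

if ($candidates.Count -eq 0) {
    throw ("No valid client-authentication certificate issued by '$CaNameFragment' " +
           "in Cert:\CurrentUser\My. Check the template, the GPO and gpupdate.")
}

# Renewals leave older certificates behind; use the one that expires last.
$cert     = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
$daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

# Show the DNs the appliance will see, so they can be compared with any
# partial DN configured on the SSL-VPN domain.
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft day(s); renew before deploying."
}

# Export with the private key and the full certification path.
# This fails if the template does not allow the private key to be exported.
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password `
    -ChainOption BuildChain | Out-Null
Write-Output "Exported to $OutFile"
```

Delete the PFX file once it has been imported on the target device, since it contains the user's private key.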

Connecting to the SSL VPN Portal and NetExtender / Mobile Connect

1. Browse to the SSL VPN Portal from your browser. Select the domain created earlier and select Login.
2. You will now be prompted to select the User Certificate. Choose the Certificate and select OK.

3. You will now be successfully logged in to the SSL VPN Portal as below.
4. Using NetExtender or Mobile Connect, enter your Public IP address or FQDN in the Server entry. Add your username and the Domain (this is case sensitive). There is no need to enter anything in the password details (unless using with another Domain that has Enable Client Certificate Check enabled).

5. You will be prompted for the Certificate to use; select it and click OK.
6. You will now be connected to NetExtender.