Certificate validation components – Amer Networks E5Web GUI User Manual
Page 647

Gateway through the public DNS system.
The same steps should be followed if the other side of the tunnel is another security
gateway instead of being many clients.
3. The CA server is a commercial server on the public Internet. In this, the simplest case,
public DNS servers will resolve the FQDN. The only requirement is that cOS Core will
need to have at least one public DNS server address configured to resolve the FQDNs in
the certificates it receives.
• It must also be possible for an HTTP PUT request to pass from the validation request source
(either the Clavister Security Gateway or a client) to the CA server and an HTTP reply to be
received. If the request is going to pass through the Clavister Security Gateway, the
appropriate rules in the cOS Core IP rule set need to be defined to allow this traffic through.
IP rules are not required if it is cOS Core itself that is issuing the request to the CA server.
Actions taken by cOS Core are trusted by default. This is a general rule that also applies to
DNS resolution requests issued by cOS Core.
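The prerequisites above (a DNS server to resolve the FQDNs in the certificate, and an IP rule for validation traffic only when a client behind the gateway is the request source) can be turned into a pre-flight check. The script below is an added example, not part of the manual or of cOS Core; the validation URLs, the hostnames and the resolver table are constructed, and the rule text it emits is a hypothetical description rather than cOS Core's own rule syntax.

```python
"""Pre-flight check for the certificate validation prerequisites described above.

Added example, not Clavister/cOS Core code. It encodes two rules from the text:
every validation URL in a received certificate needs a resolvable FQDN (which
requires a configured DNS server), and HTTP traffic to the CA server needs an
IP rule only when the request source is a client passing through the gateway;
requests issued by cOS Core itself are trusted by default. The resolver is
injected so the check runs offline against constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Hypothetical resolver signature: FQDN -> IP address, or None if unresolvable.
Resolver = Callable[[str], Optional[str]]


@dataclass
class Finding:
    url: str
    fqdn: str
    resolved: Optional[str]
    ip_rule: Optional[str]  # rule the cOS Core IP rule set must contain, if any


def check_validation_components(urls: List[str], source: str,
                                resolver: Resolver, dns_configured: bool) -> List[Finding]:
    """source is 'gateway' (cOS Core issues the request) or 'client'
    (a roaming VPN client behind the gateway issues it)."""
    if source not in ("gateway", "client"):
        raise ValueError("source must be 'gateway' or 'client'")
    findings = []
    for url in urls:
        parts = urlsplit(url)
        fqdn = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        # Without at least one configured DNS server the FQDN cannot be resolved at all.
        resolved = resolver(fqdn) if (dns_configured and fqdn) else None
        rule = None
        if source == "client":
            # Client traffic crosses the gateway, so an IP rule must allow it through.
            rule = f"Allow {parts.scheme.upper()}/{port} from vpn_clients to {fqdn}"
        findings.append(Finding(url, fqdn, resolved, rule))
    return findings


def missing_prerequisites(findings: List[Finding]) -> List[str]:
    """Return one human-readable problem per finding that would break validation."""
    problems = []
    for f in findings:
        if not f.fqdn:
            problems.append(f"{f.url}: no FQDN in validation URL")
        elif f.resolved is None:
            problems.append(f"{f.fqdn}: not resolvable via configured DNS")
    return problems
```

Run it against the CRL and OCSP URLs taken from a certificate the gateway receives, once with `source="gateway"` and once with `source="client"`, to see which IP rules the rule set must contain.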
Figure 9.8. Certificate Validation Components
CA Server Access by Clients
In a VPN tunnel with roaming clients connecting to the Clavister Security Gateway, the VPN client
software may need to access the CA server. Not all VPN client software will need this access. In
the Microsoft clients prior to Vista, CA server requests are not sent at all. With Microsoft Vista
validation became the default with the option to disable it. Other non-Microsoft clients differ in
Chapter 9: VPN