
Amer Networks E5Web GUI User Manual


the way they work but the majority will attempt to validate the certificate.

Placement of Private CA Servers

The easiest solution for placement of a private CA server is to have it on the unprotected side of
the Clavister Security Gateway. This, however, is not recommended from a security viewpoint. It is
better to place it on the inside (or preferably in the DMZ if available) and to have cOS Core
control access to it.

As explained previously, the address of the private CA server must be resolvable through public
DNS servers for certificate validation requests coming from the public Internet. If the certificate
queries are coming only from the Clavister Security Gateway and the CA server is on the internal
side of the security gateway then the IP address of the internal DNS server must be configured in
cOS Core so that these requests can be resolved.
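
The resolution requirement above can be checked before certificates are issued. The following is an added example, not part of the manual or of cOS Core: it takes the CRL distribution point URLs a private CA would embed and reports which validators can resolve each one. The two DNS views, host names and addresses are constructed sample data, and only name resolution is modelled, not access rules.

```python
import ipaddress
from urllib.parse import urlsplit

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: CRL URLs from certificates and two DNS views.
SAMPLE_CDPS = [
    "http://ca.example.com/crl/root.crl",    # name published in both views
    "http://ca.corp.internal/crl/root.crl",  # name known to internal DNS only
    "http://10.0.5.20/crl/root.crl",         # private address literal
]
PUBLIC_DNS = {"ca.example.com": "203.0.113.10"}
INTERNAL_DNS = {"ca.example.com": "10.0.5.20", "ca.corp.internal": "10.0.5.20"}


def _resolve(host, dns_view):
    """Return an address object: IP literals as-is, names via the given view."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        answer = dns_view.get(host)
        return ipaddress.ip_address(answer) if answer else None


def _is_rfc1918(addr):
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_cdp(url, public_dns, internal_dns):
    """Report who can resolve the CRL host: Internet peers and/or the gateway."""
    host = urlsplit(url).hostname
    if not host:
        return {"url": url, "internet": False, "gateway": False}
    pub = _resolve(host, public_dns)
    internal = _resolve(host, internal_dns)
    return {
        "url": url,
        # Internet peers need a public DNS answer that is not a private address.
        "internet": pub is not None and not _is_rfc1918(pub),
        # The gateway resolves through the DNS server configured in it
        # (assumed here to be the internal view).
        "gateway": internal is not None,
    }


def audit(cdps, public_dns, internal_dns):
    return [check_cdp(u, public_dns, internal_dns) for u in cdps]
```

An entry with "internet" false is acceptable only when every certificate query comes from the gateway itself.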

Turning Off Validation

As explained in the troubleshooting section below, identifying problems with CA server access
can be done by turning off the requirement to validate certificates. Attempts to access CA servers
by cOS Core can be disabled with the Disable CRLs option for certificate objects. This means that
checking against the CA server's revocation list will be turned off and access to the server will not
be attempted.

Chapter 9: VPN
