WatchGuard Technologies SSL VPN manual Internal Failover, Certificate Signing

Models: SSL VPN


Troubleshooting

Internal Failover

If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about configuring IP pools, see “Enabling IP Pooling” on page 94.

Certificate Signing

There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway, Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Services.

Certificates signed by a private CA are sometimes described as enterprise certificates or self-signed certificates. In this context, the term self-signed certificate is not technically accurate; such certificates are signed by the private CA. True self-signed certificates are not signed by any CA and are not supported by the server components, because there is no CA to provide a root of trust. However, as described above, certificates issued by a private CA are supported by the server components because the private CA is the root of trust.

Certificate Revocation Lists

Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the cRLDistributionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP. The client certificate is checked against those CRLs.

Retrieving CRLs using LDAP is not supported.
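The CRL lookup described above, as an added example that is not part of the manual or of WatchGuard's own code: it decodes a DER-encoded cRLDistributionPoints extension (RFC 5280, section 4.2.1.13) with standard-library Python and keeps only the HTTP locations, since LDAP retrieval is not supported by the gateway. The hostnames and paths in the sample extension are constructed for the example.

```python
# Added example (not WatchGuard code): decode a DER cRLDistributionPoints extension
# and keep only the HTTP locations, because the gateway fetches CRLs over HTTP only.
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + body

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, next position)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length: first byte holds the byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def tagged(value: bytes, wanted: int):
    """Yield the values of the child TLVs inside a constructed value that carry tag `wanted`."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        if tag == wanted:
            yield inner

def crl_distribution_uris(ext: bytes) -> list:
    """All uniformResourceIdentifier entries under distributionPoint/fullName, in order."""
    _, points, _ = read_tlv(ext, 0)        # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    return [
        uri.decode("ascii")
        for dp in tagged(points, 0x30)     # DistributionPoint ::= SEQUENCE
        for dpn in tagged(dp, 0xA0)        # [0] distributionPoint (DistributionPointName)
        for names in tagged(dpn, 0xA0)     # [0] fullName (GeneralNames)
        for uri in tagged(names, 0x86)     # [6] uniformResourceIdentifier (IA5String)
    ]

def http_crl_locations(ext: bytes) -> list:
    """The subset of listed CRL locations the gateway can retrieve (HTTP only; LDAP is skipped)."""
    return [u for u in crl_distribution_uris(ext) if u.lower().startswith("http://")]

# Constructed sample: one DistributionPoint with an HTTP URI, one with only an LDAP URI.
HTTP_URI = "http://crl.example.test/clients.crl"
LDAP_URI = "ldap://dir.example.test/CN=Issuing%20CA?certificateRevocationList"
def distribution_point(uri: str) -> bytes:
    return der(0x30, der(0xA0, der(0xA0, der(0x86, uri.encode("ascii")))))
SAMPLE_EXT = der(0x30, distribution_point(HTTP_URI) + distribution_point(LDAP_URI))
```

A client certificate whose only distribution point is an LDAP URI yields an empty result here, which is the case in which the gateway cannot check revocation at all.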

Network Messages to Non-Existent IPs

If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as network spamming.

To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway.

The Firebox SSL VPN Gateway Does not Start and the Serial Console Is Blank

Verify that the following are correctly set up:

The serial console is using the correct port and the physical and logical ports match

The cable is a null-modem cable

The COM settings in your serial communication software are set to 9600 bits per second, 8 data bits, no parity, and 1 stop bit

The Administration Tool Is Inaccessible

If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL VPN Gateway.
