For authenticating by way of certificates, the Firebox must be configured as a DVCP server, which automatically activates the CA on the Firebox. Each DVCP client authenticates to the DVCP server. The CA determines that the client is legitimate and then returns a certificate to the client.
The CA can be configured in several ways. A common structure, shown in the following figure, includes a Firebox acting as a DVCP server that manages a DVCP client. A DVCP server can also manage a group of DVCP clients, known as a DVCP cluster. The CA component of the DVCP server is active regardless of whether either Firebox authenticates through certificates; the authentication method is determined by settings on the DVCP clients. In the example below, one DVCP client authenticates using certificates. When that client contacts the server, the CA delivers a certificate to the client Firebox over DVCP.
The following figure shows a Firebox that is not part of a DVCP cluster. Instead, the Firebox functions as a CA for MUVPN users. In this example, one MUVPN user authenticates with a certificate and the other with a shared key. Because MUVPN clients are not DVCP clients, they authenticate to the Firebox, and Firebox Manager System creates the certificate request on their behalf. After the CA issues the certificate, Firebox Manager System packages it for transport to the MUVPN client.
The Firebox administrator provides each MUVPN user with a collection of settings called an MUVPN end-user profile. Users who authenticate with shared keys receive a single file, .wgx. Users who authenticate with certificates receive the .wgx file along with two other files: cacert.pem, which contains the root certificate, and .p12, which contains the client certificate. When an MUVPN user who authenticates by way of certificates opens the .wgx file, the root and client certificates contained in cacert.pem and .p12 are loaded automatically.
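Before an end-user profile is distributed, an administrator can confirm that the client certificate in the .p12 file really was issued by the root in cacert.pem and is within its validity period. The script below is an added example, not WatchGuard code; it assumes OpenSSL is installed and that the .p12 password is supplied in an environment variable named P12_PASS (an assumed name).

```shell
# Added example (not part of the WatchGuard product): check an MUVPN end-user
# profile bundle, i.e. cacert.pem (root certificate) plus the user's .p12
# (client certificate and private key). The .p12 password is read from the
# assumed environment variable P12_PASS.

# Extract the client certificate, without the private key, from a .p12 as PEM.
p12_client_cert() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:${P12_PASS:-}" 2>/dev/null
}

# Print the subject of the client certificate stored in a .p12.
p12_client_subject() {
    p12_client_cert "$1" | openssl x509 -noout -subject 2>/dev/null
}

# Return 0 when the client certificate in $2 (.p12) was issued by the root
# in $1 (cacert.pem) and is currently valid; return 1 otherwise. This catches
# a mismatched or stale cacert.pem before the user ever opens the .wgx file.
check_muvpn_profile() {
    ca="$1"; p12="$2"
    tmp=$(mktemp) || return 1
    if ! p12_client_cert "$p12" > "$tmp"; then
        rm -f "$tmp"; return 1      # wrong password or not a PKCS#12 file
    fi
    if openssl verify -CAfile "$ca" "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1                        # wrong root, expired, or not yet valid
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: P12_PASS='...' sh profile_check.sh cacert.pem user.p12
if [ "$#" -eq 2 ]; then
    if check_muvpn_profile "$1" "$2"; then
        echo "OK: $(p12_client_subject "$2") chains to $1"
    else
        echo "FAIL: $2 does not chain to $1 or is outside its validity period" >&2
        exit 1
    fi
fi
```

The .p12 file also carries the user's private key, so the same care that applies to the shared-key .wgx file applies to delivering this bundle.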
Another configuration, shown in the following figure, involves a DVCP server/CA at a company's main office and a Firebox acting as a DVCP client at a branch office. The branch office supports mobile users who authenticate by way of certificates. This scenario comprises two CAs: a principal CA and a subordinate one.
Related topics:
Defining a Firebox as a DVCP Server and CA
Managing the Certificate Authority
Managing certificates from the CA Manager
Public Key Cryptography and Digital Certificates
Copyright
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.