From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Wed Sep 19 2007 - 16:22:25 ART
Thank you for the responses Guys.
Yes, this page is displayed by IE on Win XP. What I thought is happening here
is:
That the concentrator has a self signed SSL Certificate wherein it has the
private IP (assigned to Public interface in our case) as its CN. When the
user contacts the concentrator on its public natted IP it receives the
certificate which suggests its private IP in the certificate. And due to this
mismatch it displays the error page.
I changed the IP to the NATted IP when generating the SSL certificate on the
concentrator. It seems to take it fine and generate a certificate. However,
the users still see the error page.
I agree that a certificate from a public CA would help and will be more
secure. But is that the only way out?
Is it possible to have a self signed Identity Certificate and also a self
signed SSL Certificate? And use that for this HTTPS session.
Thanks
Pankaj
On 9/19/07, Andy Cole <Andy.Cole@foremostfarms.com> wrote:
>
>
> Buying a public certificate from someone like Verisign, (there are
> others) will fix the 'error'.
>
> Sometimes if the user clicks on view the certificate, installs the
> certificate, the error may go away.
>
> Best practice is to buy a security certificate, your site will be more
> secure.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> pankaj ahuja
> Sent: Wednesday, September 19, 2007 12:05 PM
> To: ccielab@groupstudy.com; security@groupstudy.com
> Subject: WEBVPN login page Cerrtificate Error
>
> Hello All,
>
> When the users access the webvpn login page via the URL https://A.B.C.D,
> they see a Certificate error page that says
>
> "The security certificate presented by this website was not issued by a
> trusted certificate authority.
> The security certificate presented by this website was issued for a
> different website's address"
>
>
> and then it presents the option to "close the website" or "continue to
> this page". After choosing continue to this page Users finally reach the
> page where they are to login using their Webvpn credentials.
>
> I'm trying to remove the Certificate error page and know that it has got
> something to do with the Certificate on the VPN Concentrator. What I'm
> not sure about is the procedure, i.e.
>
> Do I need an Identity Certificate from a CA first and then I should
> generate a Certificate on the Concentrator?
>
> Should I not be able to skip the CA part and just have a Certificate
> generated on the VPN Concentrator. I know the users wouldn't be able to
> verify the Certificate but all we're aiming for is to not reach that
> page wherein it says Certificate Error.
>
> To describe the Topology we have :
>
> We have WebVPN on a VPN concentrator 3020 which is configured for Load
> Balancing with a 3015. Also these concentrators are behind 2 different
> Firewalls, the private and public interfaces of these Concentrators have
> a private IP. The public interfaces are Natted on the Firewalls to a
> public IP.
>
> Any suggestions on how to make this possible are welcome.
>
> Thanks
>
> Regards
> Pankaj
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
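
Added example, not part of the original thread: a simplified Python model of the two independent checks behind the two sentences of the quoted error page, run against each certificate option raised in the discussion. The IP addresses, CA name and all function names are constructed for illustration, and trust is modelled as an issuer-name lookup rather than real signature validation.

```python
import ipaddress

def make_cert(cn, issuer=None):
    """Constructed stand-in for a parsed certificate, in the dict layout of
    ssl.SSLSocket.getpeercert(); issuer=None means self-signed."""
    subject = ((("commonName", cn),),)
    return {"subject": subject, "issuer": issuer or subject}

def names(cert):
    """Names the certificate covers: SAN entries if present, else subject CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    return san or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def same_address(a, b):
    """Compare as IP addresses when both parse, otherwise as host names."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()

def browser_warnings(cert, typed_address, trusted_issuers):
    """Simplified model (assumption): trust is an issuer-name lookup, with no
    signature checks and no wildcard matching."""
    warnings = []
    if cert["issuer"] not in trusted_issuers:
        warnings.append("not issued by a trusted certificate authority")
    if not any(same_address(n, typed_address) for n in names(cert)):
        warnings.append("issued for a different website's address")
    return warnings

# Constructed sample values (not from the thread)
PRIVATE_IP, NAT_IP = "10.0.0.5", "203.0.113.10"
PUBLIC_CA = ((("commonName", "Example Public CA"),),)

if __name__ == "__main__":
    fixed_cn = make_cert(NAT_IP)
    cases = {
        "self-signed, CN = private IP": (make_cert(PRIVATE_IP), [PUBLIC_CA]),
        "self-signed, CN = NATted IP": (fixed_cn, [PUBLIC_CA]),
        "same cert installed as trusted": (fixed_cn, [PUBLIC_CA, fixed_cn["issuer"]]),
        "CA-issued, CN = NATted IP": (make_cert(NAT_IP, PUBLIC_CA), [PUBLIC_CA]),
    }
    for label, (cert, trusted) in cases.items():
        print(f"{label}: {browser_warnings(cert, NAT_IP, trusted) or 'no warning'}")
```
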
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:13 ART