WatchGuard Technologies SSL VPN User Manual
Administration Guide 115
Client Certificates
Installing Root Certificates
Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself.
Obtaining a Root Certificate from a Certificate Authority
Root certificates are available from the same Certificate Authorities (CAs) that issue server certificates.
Well-known or trusted CAs include VeriSign, Baltimore, Entrust, and their respective affiliates.
Certificate authorities tend to assume that you already have the appropriate root certificates (most Web
browsers have root certificates built-in). However, if you are using certificates from a CA that is not
already included on the client computer, you need to specifically request the root certificate.
Several types of root certificates are available. For example, VeriSign has approximately 12 root certificates that they use for different purposes, so it is important to ensure that you obtain the correct root certificate from the CA.
Installing Root Certificates on a Client Device
Root certificates are installed using the Microsoft Management Console (MMC) in Windows. When
installing a root certificate to the MMC, use the Certificate Import wizard. The certificate is installed in
the Trusted Root Certification Authorities store for the local computer.
For information about root certificate availability and installation on platforms other than 32-bit Windows, refer to product documentation appropriate for the operating system you are using.
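The same result can be reached from an elevated PowerShell prompt instead of the MMC wizard. The script below is an added example, not part of the WatchGuard guide; it checks that the downloaded file really is a root certificate and that its thumbprint matches the fingerprint published by the CA before importing it into the Trusted Root store. The path and thumbprint values are placeholders.

```powershell
# Added example (not from the WatchGuard guide): verify a downloaded root
# certificate before placing it in the local computer's Trusted Root store.
# $RootCertPath and $ExpectedThumbprint are placeholders; take the real
# SHA-1 thumbprint from the fingerprint list the CA publishes out-of-band.
$RootCertPath       = 'C:\certs\ca-root.cer'                    # placeholder path
$ExpectedThumbprint = '0000000000000000000000000000000000000000' # placeholder value

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

# A root certificate is self-issued: Subject and Issuer must match.
# An intermediate or server certificate does not belong in the Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer differs from subject): $($cert.Subject)"
}

# Compare the thumbprint with the value obtained from the CA, so a tampered
# download, or simply the wrong one of the CA's several roots, is rejected.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
}

# Refuse to install a root that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Install into the machine-wide Trusted Root store (requires an elevated shell).
Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the store now holds this exact root.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    throw 'Import reported success, but the certificate was not found in the store'
}
Write-Output "Installed root: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```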
Selecting an Encryption Type for Client Connections
All communications between the Secure Access Client and the Firebox SSL VPN Gateway are encrypted
with SSL. The SSL protocol allows two computers to negotiate encryption ciphers to accomplish the
symmetric encryption of data over a secure connection.
You can select the specific cipher that the Firebox SSL VPN Gateway uses for the symmetric data encryption on an SSL connection. Selecting a strong cipher reduces the possibility of malicious attack. The security policies of your organization may also require you to select a specific symmetric encryption cipher for secure connections.
You can select RC4, 3DES, or AES encryption ciphers for SSL connections. The default setting is RC4 128-bit. The MD5 or SHA hash algorithm is negotiated between the client and the server.
The Firebox SSL VPN Gateway uses RSA for public key encryption in a secure connection. The encryption
ciphers and hash algorithms that you can select for symmetric encryption are listed below:
RC4 128-bit, MD5/SHA
3DES, SHA
AES 128/256-bit, SHA
To select an encryption type for client connections
1. Click the Global Cluster Policies tab.
2. Under Select security options, in Select encryption type for client connections, select the bulk encryption cipher you want to use for secure connections.