Does an ASA need a CA cert?

Hey all,

Recently I generated a CSR and obtained an identity cert for our VPN connection. I also got a CA cert that came with it. Is this really needed and, if so, can you explain why?

Thank you

The CA certificate is used by the ASA to present and to trust the issuance chain up to the root CA.

It must be installed on the ASA but is not related to interfaces.

Tags: Cisco Security

Similar Questions

  • CSCtq62715 - ASA should not allow EtherChannel configuration on 4 module SSM port - 1

    Hello

    Does anyone know about the opposite problem? EtherChannel works fine on the 4GE SSM in slot 1 of an ASA5550 running code 8.4, but no longer works after upgrading to version 9.1.

    Configuration options using 8.4(4):

    ASA(config)# int g1/0
    ASA(config-if)# ?

    Interface configuration commands:
      authentication   Authentication subcommands
      channel-group    Etherchannel/port group configuration
      ddns             Dynamic DNS setup

    Configuration options using version 9.1(2):

    ASA(config-if)# int g1/0
    ASA(config-if)# ?

    Interface configuration commands:
      authentication   Authentication subcommands
      ddns             Dynamic DNS setup

    Thank you

    Gillian

    Hi Gillian,

    What you describe is what bug CSCtq62715 addressed. In 8.4, the CLI allowed one to configure an EtherChannel on the 4-port GigE module. 9.0/9.1 removed this from the CLI, as the feature is not supported on the module. Bug CSCtq62715 is the bug used to make this change.

    Sincerely,

    David.

  • the ASA 5505 configuration

    Hey guys

    I have a server that accepts traffic on a port within my network, and external clients need to access this server. The NAT and access list work well, but it is a matter of wait time and the connection fails... Note that without the ASA the client-server works fine... and note also that the traffic is encrypted (SSL)... Are there additional provisions that I have to configure? Why does it time out? Packet capture sees traffic from the outside reach the inside interface but no response from the inside to the outside...

    I only have one access list that allows the traffic from the outside to the server, and a NAT rule.

    advice needed...

    Thank you

    Hello

    So from what I understand:

    "inside interface xxx.114; the default route on the server is xxx.1, which is an interface on another ASA."

    This means that the default route on the server is another ASA. It won't work unless you apply TCP state bypass.

    The ASA is a stateful firewall. This means that for TCP/IP it always has to see two-way traffic. If a SYN crosses an ASA, it should see the SYN/ACK back. If an ASA did not see the SYN and sees the SYN/ACK due to asymmetric routing, things go wrong.

    Change the default route on the server to the same ASA, or configure TCP state bypass (which is not recommended, however).

    Thank you

  • Removing an ASA evaluation license

    Hello

    We installed a trial license on our ASA (version 8.4) for AnyConnect Premium and Advanced Endpoint Assessment.

    We already have the license keys. But the evaluation period is only 28 days, and after that the license will no longer be valid.

    How do we return to the previous license level after the eval license period is over?

    Help, please.

    Kind regards

    Anand

    sh version

    Cisco Adaptive Security Appliance Software Version 8.4(7)23
    Device Manager Version 7.3(3)

    Compiled on Tue 09-Oct-14 15:45 by builders
    System image file is "disk0:/asa847-23-k8.bin"
    Config file at boot was "startup-config"

    ASA up 73 days 2 hours

    Hardware: ASA5510-K8, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB

    Encryption hardware device: Cisco ASA-55x0 on-board accelerator (revision 0x0)
    Boot microcode: CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode: CNlite-MC-IPSECm-MAIN-2.06
    Number of accelerators: 1

    0: Ext: Ethernet0/0: address is 001b.2a34.b77a, irq 9
    1: Ext: Ethernet0/1: address is 001b.2a34.b77b, irq 9
    2: Ext: Ethernet0/2: address is 001b.2a34.b77c, irq 9
    3: Ext: Ethernet0/3: address is 001b.2a34.b77d, irq 9
    4: Ext: Management0/0: address is 001b.2a34.b779, irq 11
    5: Int: Not used: irq 11
    6: Int: Not used: irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces: Unlimited perpetual
    Maximum VLANs: 100 perpetual
    Inside Hosts: Unlimited perpetual
    Failover: Active/Active perpetual
    VPN-DES: Enabled perpetual
    VPN-3DES-AES: Enabled perpetual
    Security Contexts: 2 perpetual
    GTP/GPRS: Disabled perpetual
    AnyConnect Premium Peers: 2 perpetual
    AnyConnect Essentials: Disabled perpetual
    Other VPN Peers: 250 perpetual
    Total VPN Peers: 250 perpetual
    Shared License: Disabled perpetual
    AnyConnect for Mobile: Disabled perpetual
    AnyConnect for Cisco VPN Phone: Disabled perpetual
    Advanced Endpoint Assessment: Disabled perpetual
    UC Phone Proxy Sessions: 2 perpetual
    Total UC Proxy Sessions: 2 perpetual
    Botnet Traffic Filter: Disabled perpetual
    Intercompany Media Engine: Disabled perpetual

    This platform has an ASA 5510 Security Plus license.

    Serial Number: JMX1116L1BK
    Running Permanent Activation Key: 0x62037353 0x3425458a 0xccf1d564 0xae340060 0x0d1007a4

    Anand,

    You can simply enter «disable activation key» (see the reference).

    Alternatively, you can just leave it, and it will no longer be available once the evaluation timer period is exhausted.

    In either case, the ASA should return to the initial permanent license level.

  • ASA 9.1 + ACS 5.4 SSL web portal bookmarks according to AD group.

    Hello.

    Having some problems with SSL VPN on an ASA 5515-X.

    I have the ASA (9.1) connected to ACS (5.4) for the clientless SSL web portal and have set up the AnyConnect mobile client. ACS also has a connection to Active Directory.

    So I have set up an AD group of users, for example VPN_clients, who connect via the AnyConnect client or clientless via the SSL web page. And it works very well.

    My goal is to make different SSL portal bookmarks (in terms of different ASA group policies) according to the user's AD group.

    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want the users in a group, after authentication to the SSL web portal, to see only their own bookmarks, available only for their group.

    As I understand it, once ACS authenticates the user it must respond to the ASA with which AD groups the user belongs to, and the ASA should choose the right group policy for the user, but I have no experience of how to do that?

    Hello Ivan,

    You're right, ACS can tell the ASA which group policy to assign based on RADIUS attribute 25.

    Steps on the ACS:

    1. Define the AD groups:

    2. Set the authorization profile under Policy Elements:

    3. Create the access policy and authorization criteria:

    Then, on the ASA:

    1. Create a group policy and name it.

    2. Through ASDM, create and assign bookmarks to this group policy.

    3. Once a user authenticates, the ACS sends attribute 25, which contains the string 'OU=it'.

    4. The ASA looks for the group policy 'it' and assigns it to the user's session.

    Let me know if you have any questions.

    HTH.

    Please rate all useful posts.

  • ASA 8.4 NAT VPN issue.

    Hello

    I'm working at a customer site and they have a problem with one of their VPNs (we have others that work well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic between inside and outside:

    It works with a specific manual NAT rule with source from the server object 10.10.10.10

    Inside

    SRC -> DST

    10.10.10.10 -> 1.1.2.10   1.1.1.10 -> 1.1.2.10 SNAT   == VPN ==>   1.1.2.10 1.1.1.10   1.1.1.10 -> 1.1.2.10 <3rd party fw>

    It works with a specific object NAT on the server object 10.10.10.10

    Remote

    SRC -> DST

    1.1.1.10 -> 1.1.2.10   1.1.1.10 -> 1.1.2.10 <3rd party fw>   == VPN ==>   1.1.2.10 1.1.1.10   1.1.1.10 -> DNAT 10.10.10.10

    With both the manual NAT and the object NAT in place, it does so anyway.

    So the question is (as I am new to ASA code 8.3): should I not mix the 2 types of NAT, and look at configuring it all with manual NAT or with object NAT?

    With the object NAT out, it does not work, as it is caught by the NAT of everything inside to outside:

    nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1, which then does not match the crypto map for the VPN)

    and I tried a no-nat above that, but that does not work either.

    Clutching at straws, trying to configure a different config. Any pointers in the right direction would be great.

    Kind regards

    Z

    Hello

    I'm not sure I follow the setup even with the explanation. Every NAT configuration I have done for VPN has used Section 1 Manual/Twice NAT.

    You have configured the default PAT rule that you use as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:

    • Section 1: Manual/Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual/Twice NAT (moved to Section 3 using the "after-auto" parameter)
    • The sections are gone through from 1 to 2 to 3 in order to find a match.

    You should also notice that Section 1 and Section 3 NAT have a "line number" similar to the ACL parameter. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule without a line/order number (VPN NAT), then it will just fall under the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. Basically this means that you have to constantly watch and edit its configuration when you try to configure more specific rules.

    As a general rule, the above default PAT configuration in Section 3 would be the following:

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. Naturally that would mean that the change would temporarily tear down all the current connections through "inside"/"outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be Section 3. Naturally, Section 1 will be matched first.

    I'm not quite sure I have understood your setup from the above.

    Are you just doing source NAT?

    I guess the configuration you are doing is something like this?

    object network LAN-REAL
     subnet 10.10.10.0 255.255.255.0

    object network LAN-MAPPED
     subnet 1.1.1.0 255.255.255.0

    object network REMOTE-LAN
     subnet 1.1.2.0 255.255.255.0

    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the network 1.1.1.0/24 is supposed to be one that is directly connected to your "outside" interface, the format might need to be something else.

    -Jouni

  • Different SSL encryption algorithms between 5525-X and 5555-X?

    Good afternoon

    I have an ASA 5525-X and an ASA 5555-X. Both of them run 9.4(2.6).

    The 5525-X supports all the new ciphers that are discussed in the release notes.

    lab-asa5525x# sh ssl ciphers
    Current cipher configuration:
    default (fips): ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 AES256-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 AES128-SHA256 DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
    tlsv1 (fips): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
    tlsv1.1 (fips): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
    tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
    dtlsv1 (fips): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
    lab-asa5525x#
    lab-asa5525x# sh runn all ssl
    ssl server-version tlsv1.2
    ssl client-version tlsv1.2
    ssl cipher default fips
    ssl cipher tlsv1 fips
    ssl cipher tlsv1.1 fips
    ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
    ssl cipher dtlsv1 fips
    ssl dh-group group24
    ssl ecdh-group group20
    ssl trust-point 2016-03.lab-asa Outside
    ssl certificate-authentication fca-timeout 2
    lab-asa5525x#

    The 5555-X does not support the elliptic curve ciphers that are discussed in the release notes.

    ASA5555x-01# sh ssl ciphers
    Current cipher configuration:
    default (medium): DHE-RSA-AES256-SHA256 AES256-SHA256 DHE-RSA-AES128-SHA256 AES128-SHA256 DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
    tlsv1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
    tlsv1.1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
    tlsv1.2 (medium): DHE-RSA-AES256-SHA256 AES256-SHA256 DHE-RSA-AES128-SHA256 AES128-SHA256 DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
    dtlsv1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
    ASA5555x-01#
    ASA5555x-01# sh runn all ssl
    ssl server-version tlsv1.2
    ssl client-version tlsv1.2
    ssl cipher default medium
    ssl cipher tlsv1 medium
    ssl cipher tlsv1.1 medium
    ssl cipher tlsv1.2 medium
    ssl cipher dtlsv1 medium
    ssl dh-group group2
    ssl ecdh-group group19
    ssl trust-point 2016-03.ssl-vpn Outside_85
    ssl certificate-authentication fca-timeout 2
    ASA5555x-01#

    I opened a TAC case, and the TAC engineer's 5585, also running 9.4(2.6), does not support EC encryption either? Can someone help me understand what I am missing? The ASA X platforms should support the same features, right? Thank you, Tim

    Hello

    Disable AnyConnect Essentials from the global webvpn settings, as discussed here.

    CLI:

    webvpn

    no anyconnect-essentials

    Thank you

  • Does anyone know if Cisco Clean Access Server version 4.1(8) supports SHA-256 signed SSL certificates?

    Yes, I know they are very old servers and technically we should move away from CAS entirely. But unfortunately it's an environment I inherited, and I am now dealing with the issues. Because of the requirement to move away from SHA-1 signed certificates, I need to replace my existing certs with SHA-256 signed certs. But before I do that I would like to know if anyone knows whether CAS version 4.1(8) supports SHA-256 certificates? I did check the release notes, but there is no mention of the supported versions of SHA, etc. I tried TAC but no joy there either.

    Hello Rafael,

    SHA-2 signed certificate support was added in 4.7.2 for CAS and CAM.

    We have filed a documentation defect to have it documented in the release notes:
    CSCud99946    NAC support note should say we support SHA-2 certs

    Kind regards

    Jousset

  • IPS module does not

    Hi, I'm currently running active/standby, and sometimes (twice a year) my IPS module goes unresponsive, which triggers a failover. The current status is:

    This host: Secondary - Active

    Other host: Primary - Failed

    and on the primary host: slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E3) status (Unresponsive/Up)

    I know that I have to go into the module and do a hw-module module reset. But I opened a case and got a replacement module RMA'd. Do I need to power down my primary ASA? It is in failover mode anyway... If I power it down, would it cause any issue to production, since I am currently on the secondary? Also, I read that the module won't retain or sync its config between devices. How can I access the configuration of the IPS module so that I can put it into the new module?

    Thanks for the reply.

    FYI, these questions should be addressed with the CSE assigned to your TAC Service Request where the RMA was arranged. I'll take a shot at answering them, but when you have an active TAC Service Request you should work with the assigned CSE on questions related to the issue.

    Do I need to power down my primary ASA?

    Yes, the AIP-SSM sensor modules are not OIR (Online Insertion/Removal) capable. The ASA in which the sensor module is being replaced must be powered down before removing the faulty sensor module and before installing the replacement.

    If I do power down, would it cause any issue to production since I am on secondary right now?

    If the other member of the ASA failover pair is currently active and its sensor module is in place, then powering the standby ASA unit off should not affect traffic.

    I have read that the module won't retain or sync config between devices. How do I access the configuration of the IPS module so that I can put it into the new module?

    Correct, the sensor modules do not inherently synchronize or replicate their configuration (as the ASA units of the failover pair do). If you are able to access the defective sensor module long enough to get a copy of the "show config" output, you can paste that same output into the replacement sensor module.

    Finally, note that the Unresponsive state can be caused by hardware problems. IPS 6.1(1)E3 (which is what you seem to be running) is very old and is no longer directly supported. You need to upgrade to a modern, supported version (7.0(6)E4 or 6.2(4)E4), which contain a lot of bug fixes, some of which correct problems that might otherwise cause the module to become Unresponsive.

  • PAT help!

    Hi all

    My apologies if this is a newbie question...

    We have a range of IP addresses on a local network that must be NAT'd on a PIX 506E (version 6.3(3)) for Internet access. The problem is that most users need to be NAT'd to a single IP address in order to use our WebSense server, but two IPs would need to be NAT'd to another IP address to bypass WebSense.

    That's what we have in place:

    global (outside) 1 165.x.x.41
    global (outside) 2 165.x.x.43
    nat (inside) 1 access-list inout-nat 0 0
    nat (inside) 2 access-list websense-bypass 0 0
    access-list inout-nat deny udp any any eq 1398
    access-list inout-nat deny udp any eq 1398 any
    access-list inout-nat deny udp any any eq snmp
    access-list inout-nat deny udp any any eq snmptrap
    access-list inout-nat deny tcp any any eq 135
    access-list inout-nat deny tcp any any eq 445
    access-list inout-nat deny udp any any eq netbios-ns
    access-list inout-nat deny ip host 10.x.x.200 any
    access-list inout-nat deny ip host 10.x.x.201 any
    access-list inout-nat permit ip 10.x.x.0 255.255.254.0 any
    access-list inout-nat deny ip any any log
    access-list websense-bypass permit ip host 10.x.x.200 any
    access-list websense-bypass permit ip host 10.x.x.201 any

    The problem is, everything gets NAT'd to the first IP (165.x.x.41), including the two IP addresses in the websense-bypass access list, even though they are denied in the inout-nat access list. We even swapped the two PAT statements around, and after that everything was NAT'd to the WebSense bypass NAT!

    Is there something inherent that I'm missing here, or is this a bug?

    Your help is greatly appreciated!

    Thank you.

    Looking through the documentation, it states that:

    nat (regular NAT) best match. The order of the nat statements does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it better matches the local traffic.

    So I guess you don't need the deny statements for your two hosts in your nat 1 access list, and the ASA should see the rule set out in the nat 2 statement because it contains a better match.

    Have you tried deleting:

    access-list inout-nat deny ip host 10.x.x.200 any

    access-list inout-nat deny ip host 10.x.x.201 any

    Rgds

    Paddy

  • Local database username and password SSH does not work

    I have a weird problem. I recently installed an ASA 5510 and SSH worked. To make it easier on my VPN users I decided that I wanted to implement a Windows 2008 Network Policy Server for RADIUS authentication. Since I added the RADIUS part to the aaa authentication, when I use SSH to connect to the ASA, it will not take the local username and password I set up. However, I can get in using a domain username and password. This is the SSH and AAA configuration. Am I missing something here? The username and password on the ASA are not on the domain, and it is as if the ASA does not even check LOCAL when attempting to authenticate. I want to use the local username and password if possible. I'm kind of new to ASA...

    On another note, I have never been able to SSH in on the internal interface. I always get an error message "the remote system refused the connection". I can only use the external interface.

    Site-ASA# sh run | in ssh
    aaa authentication ssh console LOCAL SERVER_RADIUS
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    ssh version 2

    Site-ASA# sh run | in aaa
    aaa-server SERVER_RADIUS protocol radius
    aaa-server SERVER_RADIUS (inside) host 10.0.0.6
    aaa authentication ssh console LOCAL SERVER_RADIUS
    aaa authentication http console SERVER_RADIUS LOCAL
    Site-ASA#

    If there is no other config that would help I would be more than happy to show them

    Thank you!

    Hello

    Try it as

    aaa authentication ssh console LOCAL SERVER_RADIUS

    because if the RADIUS server is available, the device does not check local users.

  • ASA5510-SEC-BUN-K9 bundle

    Hello. I have a question about the ASA5510-SEC-BUN-K9 bundle. Our company ordered a K9 bundle, but when I enter the command show version on the ASA, I see that the system image file is named asa706-k8.bin.

    Is this normal, or was there a mix-up, as on the box it says it's a K9 bundle?

    Igor

    It is not a mix-up or a problem. It is normal for the name of the image to say k8 when the ASA is described as a K9 bundle. The names are inconsistent, but the ASA should work as you expect it to.

    HTH

    Rick

  • Allow only smartphones via anyconnect

    Is this possible? The goal is to allow only smartphones/tablets; no full-blown laptop OSes.

    If you have the AnyConnect Essentials and the AnyConnect Mobile license, would it be as simple as issuing "no anyconnect-essentials"? According to the docs this only disables AnyConnect Essentials, but leaves the license intact. I would hope that this would mean that AnyConnect for Mobile would continue to operate. Or maybe there's another way to do this?

    Unfortunately I do not have the freedom to test it and cannot find it in the documentation.

    ~ Thank you

    "no anyconnect-essentials" disables that license feature in favor of the AnyConnect Premium license.

    AnyConnect for Mobile requires one or the other license to operate.

    To apply a device type restriction, you would normally use Dynamic Access Policy (with AnyConnect Premium) and the Cisco Secure Desktop feature. However, CSD is only supported on Windows / OS X / Linux. (Example)

    Another way you could do it would be with device certificates. Check endpoints for the presence of a certificate (which you would need to deploy) and only allow devices with a valid certificate to be authenticated. That's how it is done (among other things) with Cisco ISE. ISE relieves the pain somewhat by deploying the certificate during device/user onboarding. Doing it with the ASA only, you would have to use a 3rd party certificate deployment (or possibly SCEP, but I don't think you could get the mobile device to do SCEP enrollment).

  • Advantages of using both certificates & user-auth?

    Is it true that if both certificates & username/password are required, the AnyConnect supplicant is necessary to support it?

    If we use certs, don't they already identify the individual user, so what are the benefits of also requiring username/password on top?

    If certificates are used, do the auth entries in ISE just appear with the cert names? If this is the case, should I use a cert naming convention that makes it easy to identify who the user is?
    If username and password are used in addition to the certs, would we be able to see the username in the ISE logs without using a good naming convention?

    TIA

    When you do certificate-based authentication (EAP-TLS or PEAP-EAP-TLS), then during the authentication step ISE only confirms the validity of the certificate. During the authorization stage, ISE can check with AD and confirm that the identity associated with this certificate is valid and not disabled.

    Now, if you want to perform both machine and user authentication, then you need to use AnyConnect and run what is called EAP chaining (EAP-FAST). Keep in mind that this solution only works for Windows-based computers.

    http://www.Cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.PDF

    I hope this helps!

    Thank you for evaluating useful messages!

  • PCoIP gateway port 4172 certificate/protocol problems

    Just received my quarterly security scans back, and while I thought I had my Security Server set up correctly, apparently I still have problems with the PCoIP port/cert.

    The scans show the PCoIP gateway on 4172 answering SSLv3 and not providing a valid certificate. I have double- and triple-checked the registry settings and locked.properties files to be sure I'm not serving SSLv3 and am presenting a valid certificate, and all these settings seem to be correct. Checking ports 443 or 8443 shows the protocols/cert are working properly, but the same scan on 4172 shows that it responds to SSLv3 and issues a self-signed (default) PCoIP certificate.

    Here's what my locked.properties file in C:\Program VMware View\Server\sslgateway\conf looks like:


    secureProtocols.1 = TLSv1.2

    secureProtocols.2 = TLSv1.1

    secureProtocols.3 = TLSv1

    preferredSecureProtocol = TLSv1.2

    enabledCipherSuite.1 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    enabledCipherSuite.2 = TLS_DHE_DSS_WITH_AES_128_CBC_SHA

    enabledCipherSuite.3 = TLS_RSA_WITH_AES_128_CBC_SHA

    enabledCipherSuite.4 = TLS_RSA_WITH_AES_256_CBC_SHA

    enabledCipherSuite.5 = TLS_DHE_DSS_WITH_AES_256_CBC_SHA

    enabledCipherSuite.6 = SSL_RSA_WITH_RC4_128_MD5

    enabledCipherSuite.7 = SSL_RSA_WITH_RC4_128_SHA

    enabledCipherSuite.8 = SSL_RSA_WITH_3DES_EDE_CBC_SHA

    enabledCipherSuite.9 = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    And here are the registry settings that the PCoIP gateway should use for the cert (the SSLCertPSGNI key is correctly set to the public FQDN of the Security Server):

    The friendly name on the cert in the Windows certificate store is vdm, and there is a private key associated with the cert. As I said, it's only defaulting on 4172; 443 and 8443 work as expected. Any idea where to start looking for why the PCoIP gateway isn't following these settings on 4172?

    Thank you

    Geoff
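    As an added example (not from Geoff's post or from VMware), a small Python audit of the secureProtocols.N / enabledCipherSuite.N lines of a locked.properties file like the one above; SAMPLE is constructed from the values in the post, and the weak-suite indicators (RC4, MD5, 3DES, DSS, SSL_-prefixed names, pre-1.2 protocols) are this example's own list.

```python
"""Audit the secureProtocols.N / enabledCipherSuite.N lines of a Horizon View
locked.properties file.  Added example, not from the thread; SAMPLE is
constructed from the values Geoff posted, and the weak-suite indicators are
this example's own list (RC4, MD5, 3DES, DSS, SSL_-era names)."""
import re

# Constructed sample: the locked.properties content from the post above.
SAMPLE = """\
secureProtocols.1 = TLSv1.2
secureProtocols.2 = TLSv1.1
secureProtocols.3 = TLSv1
preferredSecureProtocol = TLSv1.2
enabledCipherSuite.1 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2 = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.3 = TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4 = TLS_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5 = TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledCipherSuite.6 = SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.7 = SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.8 = SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.9 = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""

# (pattern, reason) pairs; one suite name may match several of them.
WEAK_PATTERNS = [
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"3DES"), "3DES (64-bit block)"),
    (re.compile(r"_DSS_"), "DSS signatures"),
    (re.compile(r"^SSL_"), "SSLv3-era suite name"),
]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Return (protocols, suites), each list ordered by its numeric suffix."""
    protocols, suites = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = re.fullmatch(r"(secureProtocols|enabledCipherSuite)\.(\d+)", key.strip())
        if match:
            target = protocols if match.group(1) == "secureProtocols" else suites
            target[int(match.group(2))] = value.strip()
    return ([protocols[i] for i in sorted(protocols)],
            [suites[i] for i in sorted(suites)])


def weak_reasons(suite):
    """List the reasons a cipher-suite name is flagged (empty if it is fine)."""
    return [reason for pattern, reason in WEAK_PATTERNS if pattern.search(suite)]


def audit(text):
    """Return [(item, [reasons])] for every legacy protocol or weak suite."""
    protocols, suites = parse_properties(text)
    findings = [(p, ["pre-TLS 1.2 protocol enabled"]) for p in protocols
                if p in LEGACY_PROTOCOLS]
    findings += [(s, weak_reasons(s)) for s in suites if weak_reasons(s)]
    return findings


if __name__ == "__main__":
    for item, reasons in audit(SAMPLE):
        print(f"{item}: {', '.join(reasons)}")
```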

    Just got off the phone with support. TL;DR version: it works.

    More explanation in case you need it for your auditors:

    Apparently most scanning services (in this case, Qualys) fail to do one very important thing when they probe port 4172, which is to send an SNI. Without this crucial bit of info, the Security Server will return the default (self-signed) cert, not the one you want. To see this in action, openssl is your friend:

    c:\OpenSSL-Win32\bin>openssl s_client -connect "vcs.XXXXXXX.com:4172" -showcerts
    Loading 'screen' into random state - done
    CONNECTED(000001CC)
    depth=1 O = PCoIP Root, CN = PCoIP Root CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/O=PCoIP Device/CN=1.1.1.1
       i:/O=PCoIP Root/CN=PCoIP Root CA

    ...

    Now try the same connection sending an SNI (the -servername argument):

    c:\OpenSSL-Win32\bin>openssl s_client -servername vcs.XXXXXXXX.com -connect "vcs.XXXXXXX.com:4172" -showcerts
    Loading 'screen' into random state - done
    CONNECTED(000001CC)
    ...
    Certificate chain
     0 s:/C=US/ST=Texas/L=Houston/O=XXXXXXXX/CN=*.XXXXXXX.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

    The PCoIP Gateway sends the right cert when you connect with the View client or with a browser, but if another program (such as openssl) connects without sending an SNI, you will get the default cert (or nothing at all if you disable the legacy cert with the reg key).

    Hope this helps others who have to explain why 4172 appears vulnerable according to audit reports.

    Geoff
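    The same with-SNI versus without-SNI comparison Geoff does with openssl, as an added Python (stdlib only) example that is not part of the thread: fetch the leaf certificate both ways, fingerprint them, and report whether the listener is SNI-dependent; the host and port are placeholders.

```python
"""Check whether a TLS listener presents a different certificate when the
client omits SNI, the behaviour described for the PCoIP gateway on 4172.
Added example; the host and port below are placeholders, not from the thread."""
import hashlib
import socket
import ssl


def fetch_leaf_cert(host, port, send_sni=True, timeout=5.0):
    """Return the DER-encoded leaf certificate the server presents.

    Verification is deliberately off: the point is to see which cert comes
    back, and a self-signed default would fail verification before we could.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Python sends the SNI extension only when server_hostname is given.
    server_hostname = host if send_sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert(binary_form=True)


def chain_verifies(host, port, send_sni=True, timeout=5.0):
    """True if the presented chain validates against the system trust store.

    Without SNI, a default self-signed cert fails with verify error 19, the
    same result the scanner reported; with SNI a CA-issued cert should pass.
    """
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False  # nothing to match the name against
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if send_sni else None):
                return True
    except ssl.SSLCertVerificationError:
        return False


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sni_verdict(der_without_sni, der_with_sni):
    """Summarise what an SNI-less scanner sees versus a real client."""
    fp_without = fingerprint(der_without_sni)
    fp_with = fingerprint(der_with_sni)
    return {
        "fingerprint_without_sni": fp_without,
        "fingerprint_with_sni": fp_with,
        # True means the scanner is judging a different certificate from the
        # one real clients receive, so its finding concerns the default cert.
        "sni_dependent": fp_without != fp_with,
    }


if __name__ == "__main__":
    HOST, PORT = "vcs.example.com", 4172  # placeholders
    verdict = sni_verdict(fetch_leaf_cert(HOST, PORT, send_sni=False),
                          fetch_leaf_cert(HOST, PORT, send_sni=True))
    for key, value in verdict.items():
        print(f"{key}: {value}")
    print("chain verifies with SNI:", chain_verifies(HOST, PORT, send_sni=True))
```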
