Examples of certificate generation by the Microsoft Server Certification Center for the Remote Access VPN scenario.
- Issue the root certificate (rootCA) using the Certification Center.
- Issue the VPN server certificate based on the root certificate (rootCA). Specify the following requirements:
  - Key usage: server auth
  - Minimum key size: 4096
  - subjectAltName equal to the DNS name of the VPN server
- Create the template for issuing user certificates. The UPN user attribute should match the CN and/or SAN:principal name certificate attributes.
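As an added example (not part of this page or of UserGate's own software), the Python script below uses the `cryptography` library to build a self-signed rootCA and a VPN server certificate that satisfies the three server-certificate requirements listed above, and provides a check function a practitioner can run against a certificate exported from the Microsoft CA before importing it into the NGFW. The DNS name vpn.example.com is an assumed placeholder.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

VPN_FQDN = "vpn.example.com"  # assumed DNS name of the VPN server (placeholder, not from the page)
MIN_KEY_BITS = 4096           # "Minimum key size: 4096"

def _issue(cn, key, issuer_key, issuer=None, exts=()):
    """Sign a one-year cert for `key` with subject CN=cn; issuer=None means self-signed (the rootCA)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_root_and_server(fqdn=VPN_FQDN, server_bits=MIN_KEY_BITS):
    # Step 1: self-signed rootCA.  Step 2: VPN server cert issued by it with the required extensions.
    root_key = rsa.generate_private_key(65537, 4096)
    root = _issue("rootCA", root_key, root_key,
                  exts=[(x509.BasicConstraints(ca=True, path_length=None), True)])
    srv_key = rsa.generate_private_key(65537, server_bits)
    server = _issue(fqdn, srv_key, root_key, issuer=root.subject, exts=[
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False),  # key usage: server auth
        (x509.SubjectAlternativeName([x509.DNSName(fqdn)]), False)])       # SAN == VPN DNS name
    return root, server

def check_server_cert(cert, root, fqdn):
    """Return requirement violations for a VPN server cert; an empty list means it is acceptable."""
    problems, exts = [], cert.extensions
    if cert.public_key().key_size < MIN_KEY_BITS:
        problems.append(f"key size {cert.public_key().key_size} < {MIN_KEY_BITS}")
    try:
        if ExtendedKeyUsageOID.SERVER_AUTH not in exts.get_extension_for_class(x509.ExtendedKeyUsage).value:
            problems.append("EKU lacks serverAuth")
        san = exts.get_extension_for_class(x509.SubjectAlternativeName).value
        if fqdn not in san.get_values_for_type(x509.DNSName):
            problems.append(f"SAN does not contain {fqdn}")
    except x509.ExtensionNotFound as e:
        problems.append(f"missing extension: {e}")
    try:  # chain check: the server cert must really be signed by the imported rootCA
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature does not verify against rootCA")
    return problems
```

To check a real certificate from the CA, load it with `x509.load_pem_x509_certificate()` (or `load_der_x509_certificate()`) and pass it together with the loaded rootCA and the VPN server's DNS name to `check_server_cert`.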
Actions on the VPN Server Side
- Import the root certificate (rootCA) in the NGFW admin console which acts as a VPN server. To do that, go to the UserGate ➜ Certificates section and click Import.
- Import the VPN server certificate in the NGFW admin console which acts as a VPN server. To do that, go to the UserGate ➜ Certificates section and click Import.
- Create a user certificate profile in the NGFW admin console which acts as a VPN server. To do that, go to the UserGate ➜ User certificate profiles section and click the Add button. In the opened window specify the name of the profile, add the root certificate which was imported earlier and select the authorization field Common-name or Subject alt name to get the username.
- In the VPN ➜ Server security profiles section open the Remote access VPN profile and:
  - add the certificate to the Server certificate field;
  - select the created User certificate profile;
  - for the Authentication mode parameter set the Using PKI certificates value.
Actions on the VPN Client Side
- Request the certificate at the client computer in accordance with the previously created user certificate template.
- Get the certificate and put it in the "Personal" store of the "Local computer" certificate store.