Few months ago I sucessfully configured CaptivePortal (in redirect mode) with SSL certyficate from StartSSL for one of my local network connected to PA200.
Now I need to do the same for another local network, but on PAN I can only make one CP configuration, with one SSL cert.
I have SSL cert for host cp1.mydomain.com. This dns entry pointing to 192.168.110.1 that is a gateway for network where I have CP.
Until now evertything is clear for me, but when I enable CP to another network (with 192.168.30.1 gateway) its working too - why?
My networks are in separate security zones without policy that could enable traffic beetwen this zones/network.
So I tryed to put cp1.mydomain.com to one of my public IP (not used at the moment) but reachable from PAN. I changed entry in DNS, but its broken CP because users cant get CP webpage because this public IP isnt reachable without authenticate.
My CP looks like:
and Security Policy:
and hear I'm not sure that this configuration is optimal and made according to best practices.
I'd like to block p2p traffic, let DNS and ping and let all authenticated users access to internet.
but I have cert from StartSSL. Where I can find IPs that I need to add to be reachable without CP policy?
I searched this community, read How to Configure Captive Portal.pdf but I cant find information about CP for two networks.
Please help me in such configuration.
yes, I have exactly the same config.
In my opinion cert warning is because web browser cant verify ssl cert issuer. But how (or where) to find list of server that I need to exclude from CP roule - I don't know.
We use a cert issued by a public certificate authority. Certificate revocation checks to local domains could be the issue? If you use a commercial cert then just watch the log traffic for the CRL check and add that as an allowed destination.
I using public certificate too. I'm using free StartSSL certs.
I tryed to find such informations from logs but I havnt such connections in log from this particular zone to Untrust zone.
I catched interesting screen shoot:
As you can see, IE is trying to connect to 192.168.110.1 - this is because cp1.mydomain.com is pointing to it. This computer has 192.168.3.38 IP at the moment, and is UNABLE to communicate to 192.168.110.1 (for security reason, 192.168.3.x must only have access to untrust or 192.168.3.1 because it's a getaway from PAN).
I know that one way is to have root cert in local Cert store, but he second way is to give to browser information abaout intermidiate cert StartSSL™ Certificates & Public Key Infrastructure
Also IE uses windows cert store, but FF uses their own store so I prefer to make universal solution ("glue" cert with intermidiate cert).
I havent ability to put root cert into personal computer of my students.
On Windows IE6 complaining about ability to verify root cer, on the same computer FF 20.1 doesnt. Latest (but maybe not the last) FF on Linux complaining too.
The same complaining is from 192.168.3.x as from 192.168.110.x network
Since I can't read the warning message you posted (I only read english - sorry) there are only three possible causes:
Wrong cert being used
Private cert - not being able to validate
Public cert - not being able to validate
Public certs should be able to be validated (may need to select optional updates via windows update to get the root certs on the client. The outher option is to tell them to accept the cert warning.
Sorry if I can't help you more but I think you are on the right path. You can always put a call into support and they can assist.
You where right, problem with this warning is connected to root cert. After updating root cert store with latest package IE doenst show warning message.
Lets back to main question.
- on which one IP I should setup Captive Portal, from which zone? I need to use CP for 3 zones.
- do my security policy are correct?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!