08-26-2014 01:00 PM
Sorry I am not being clear. This is what I am trying to say.
08-27-2014 06:35 AM
Again, it's not a web page; it's GlobalProtect, used only by employees, maybe 6 at most, to remote into the network to do work. I don't understand how GlobalProtect could be spoofed like a web page, and our home web site is hosted by a 3rd party. I get the feeling people have been programmed to assume that a self-signed cert is bad when really it's not. 3rd party providers get hijacked as much or more than anyone else.
08-28-2014 11:10 AM
So does the 3rd party cert with a FQDN that I create with generating the CSR end up being the external DNS name out in cyber space? I don't see that it would be something I would create and put on the internal DNS server.
08-30-2014 06:17 AM
Janelle wrote:
Again, it's not a web page; it's GlobalProtect, used only by employees, maybe 6 at most, to remote into the network to do work. I don't understand how GlobalProtect could be spoofed like a web page, and our home web site is hosted by a 3rd party. I get the feeling people have been programmed to assume that a self-signed cert is bad when really it's not. 3rd party providers get hijacked as much or more than anyone else.
Sorry, I am not being clear.
Here is what I am trying to say:
Don't teach your users to ignore certificate errors. Issue a certificate from an authority trusted by your users' computers on all official employee sites.
When we teach users to ignore errors on our own deploys they just get used to clicking through those errors as a matter of course. This makes them more vulnerable to bad actors.
This is why I believe using untrusted self-generated certificates is a bad practice.
08-30-2014 06:21 AM
infotech wrote:
So does the 3rd party cert with a FQDN that I create with generating the CSR end up being the external DNS name out in cyber space? I don't see that it would be something I would create and put on the internal DNS server.
Whether or not you need the DNS entry on your internet-facing DNS depends on where your users access the service from. With GlobalProtect remote access you will likely need that record set up.
If the users are purely employees, you could deploy that record as a hosts file on the company computers via group policy if you don't want a DNS record out there.
I've never done so, but I suppose you could submit the IP address as the FQDN for the certificate. If so, that would pass the first of the three tests run for validity. The name entered into the connection must match the FQDN on the certificate, otherwise a certificate error will be triggered.
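An added example (not part of the original post, and not GlobalProtect's own logic) of the name check described in the reply above. It follows the usual TLS client rule that an entered hostname is compared with DNS subject alternative names and an entered IP address only with IP address entries. The certificate dicts, `vpn.example.com` and `203.0.113.10` are constructed placeholders.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# vpn.example.com and 203.0.113.10 (documentation range) are placeholders.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
CERT_IP_AS_DNS = {  # IP address typed into the name field of the CSR
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("DNS", "203.0.113.10"),),
}
CERT_DNS_AND_IP = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def name_matches(cert, entered):
    """True if the name or address the user entered is covered by the cert's SANs.
    commonName is ignored here, as current TLS clients rely on SAN entries."""
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(entered)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An address is compared only against IP Address entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, entered) for kind, value in sans)


if __name__ == "__main__":
    certs = {"dns-only": CERT_DNS_ONLY, "ip-as-dns": CERT_IP_AS_DNS, "dns+ip": CERT_DNS_AND_IP}
    for label, cert in certs.items():
        for entered in ("vpn.example.com", "203.0.113.10"):
            print(f"{label:10} {entered:16} -> {name_matches(cert, entered)}")
```

A certificate that should validate when users connect by address needs that address as an IP-type subject alternative name; whether a given public CA will issue one is a separate question.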
09-02-2014 11:19 AM
Well, to be honest, I have a max of 5-6 users, of which I am the one that uses this access the most, so that is why I am asking so many questions, because of the number of users, who are mostly the IT staff.