Connectivity: VPN Certificate Authentication
Certificate authentication, also known as RSA-SIG, uses a certificate instead of a pre-shared key to verify your network's identity when connecting to the Web Security Service and is very secure. This method is ideal if your VPN device is behind a NAT device, because it does not rely on your organization's external IP address or FQDN.
This section provides a high-level set of technical requirements for this configuration.
Your organization has been provisioned with an account in the WSS, and you have successfully completed the registration of that account.
To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
- If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
An understanding of how much user traffic will route to the WSS.
The WSS is limited to 500 Mbit/s of bandwidth per IPsec tunnel. If you expect traffic to exceed that, you must plan your architecture to use an additional tunnel from an additional public IP address for each 500 Mbit/s block of bandwidth you expect to consume. For example, if one of your sites consumes 900 Mbit/s of traffic, it must connect to the WSS using at least two IPsec tunnels, each connecting from a unique public IP address. If you are not sure how to configure your VPN device to split your traffic between multiple connections, contact Symantec support for assistance.
- The following information is required to ensure a successful configuration.
The public IP address or fully qualified domain name (FQDN).
The two closest data center addresses.
All VPN configurations must include a primary and secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed to a secondary tunnel to an alternate data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.
The internal network addresses that are the source of the data to send to the WSS.
For example, as a best practice do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed from the tunnel as it makes a direct connection to the WSS through port 443. See Forward Specific User and Group Names to the Service.
A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
- Ensure that your VPN device supports Dead Peer Detection. This feature ensures that if the primary VPN tunnel fails, that failure is detected and the secondary tunnel is used.
- If your VPN device supports IPSLA (Internet protocol service level agreement) and DPD, Symantec suggests that you configure both to ensure maximum uptime.
Your VPN device is configured to permit the necessary traffic outbound for IPsec connections. These are destination UDP ports 500 and 4500, and also packets of type ESP if your network's edge firewall is not using NAT-T.
For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.
Blueprint Configuration—Configure Certificate Authentication for VPN Connection(s)
The following blueprint demonstrates a command line configuration. To see a user interface reference configuration for a Cisco ASA device, see https://support.symantec.com/en_US/article.TECH254715.html.
The one-time password (OTP) and authentication token are required to obtain and validate authentication certificates used by the VPN device and the WSS.
- In Service Mode, select Account Maintenance > Integrations.
- Click New Integration.
The New Integration box is displayed.
Select API Credentials from the New Integration menu.
The New API Credential box is displayed.
Copy the Username and Password fields and paste them into a text file for later reference.
- Select the Location Management check box if the site of your cert-based VPN uses a dynamic IP address.
- Note the purpose for this set of API credentials in the Comments field.
For example, "Seattle Certificate IPSEC".
- Click Save.
In your browser, enter the API generation string.
Where location_name is the name you assign. For example:
Creates a new location, Store103, and defines it as a cert-based firewall IPsec connection.
The WSS generates the OTP. For example:
Record this value on your planning form or somewhere accessible. You need this string value (without the quotes) when configuring your VPN device in Step 3.2 below.
- The OTP remains valid for one week. After that, you must generate a new one.
If you call the API again for the same location, you receive a new OTP; however, a 30-day timer begins, and at the end of the 30 days the WSS revokes the previous certificate.
To verify that the WSS created the new location, in Service mode select Network > Locations.
Note: The following recommended details are not specific to any VPN device. If you are not certain of your firewall or VPN appliance's supported capabilities, options, or configuration steps, consult Symantec support, as they might be able to advise the best configuration or help you work with your VPN device vendor's support team for assistance.
Symantec partners with Entrust to provide authentication certificates. You must import the 2048-bit certificate to your VPN device.
Because of the complexity of this process, the command steps to configure a Cisco IOS device are provided in the following example. Consult your VPN device documentation to determine the analogous steps for your device.
Note: If your VPN device has an expired certificate, see Appendix - Replace an Existing Entrust Certificate on a Cisco Router for steps to update the certificate.
In a browser, navigate to—
Locate the Root Certificate identified by the following:
- Serial Number: 45 6b 50 54
- Thumbprint: b3 1e b1 b7 40 e3 6c 84 02 da dc 37 d4 4d f5 d4 67 49 52 f9
- Click Download and open the file in a text editor.
- Access the VPN device CLI.
Create a trustpoint for the CA root certificate.
device#configure terminal
device(config)#crypto pki trustpoint entrust2006
device(ca-trustpoint)#enrollment terminal PEM
Import (copy and paste) the root certificate. Before answering yes at the prompt, confirm that the SHA1 fingerprint displayed matches the thumbprint of the root certificate you located above.
device(config)#crypto ca authenticate entrust2006
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
Certificate has the following attributes:
Fingerprint MD5: D6A5C3ED 5DDD3E00 C13D8792 1F1D3FE4
Fingerprint SHA1: B31EB1B7 40E36C84 02DADC37 D44DF5D4 674952F9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Verify that the certificate successfully imported.
device#show crypto pki certificates entrust2006
Certificate Serial Number (hex): value
Certificate Usage: Signature
cn=Entrust Root Certification Authority
ou=(c) 2006 Entrust Inc.
ou=www.entrust.net/CPS is incorporated by reference
cn=Entrust Root Certification Authority
ou=(c) 2006 Entrust Inc.
ou=www.entrust.net/CPS is incorporated by reference
start date: 20:23:42 UTC Nov 27 2006
end date: 20:53:42 UTC Nov 27 2026
Associated Trustpoints: entrust2006-2 entrust2006 <<--matches the trustpoint configured in Step 1.3->>.
If the device does not already have an RSA key pair, you must generate one. The label you choose here is referenced by the SCEP trustpoint in the next step; the angle-bracket value is a placeholder.
device(config)#crypto key generate rsa modulus 2048 label <key-pair-label>
Create a trustpoint for the certificate from the SCEP service (Entrust). IMPORTANT: The trustpoint name must be BlueCoatIssuingCA.
This step requires the OTP that you obtained in Step 1 and the key-pair label from the previous step. Do not enter the quotation marks, just the value within. The password and rsakeypair lines are the standard IOS trustpoint sub-commands that carry the SCEP challenge password and the key pair; the angle-bracket values are placeholders.
device(config)#crypto pki trustpoint BlueCoatIssuingCA
device(ca-trustpoint)#enrollment url http://bluecoatasweb.managed.entrust.com/scep
device(ca-trustpoint)#password <OTP from Step 1>
device(ca-trustpoint)#rsakeypair <key-pair-label>
Authenticate and enroll the trustpoint.
device(config)#crypto pki authenticate BlueCoatIssuingCA
device(config)#crypto pki enroll BlueCoatIssuingCA
Verify the successful certificate download.
device#show crypto pki trustpoints BlueCoatIssuingCA
device#show crypto pki certificates BlueCoatIssuingCA
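The import step above shows MD5 and SHA1 fingerprints and asks you to accept the CA certificate. The following added example (not part of the Symantec documentation or any vendor tool) computes those fingerprints from the downloaded PEM file in the same grouped format IOS prints, and compares the SHA1 value against the thumbprint listed on this page, so the prompt can be answered from an independent check. The sample PEM embedded in it is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# SHA1 thumbprint of the Entrust root as listed on this page; the MD5 value
# is also shown at the IOS prompt but is not used as an acceptance criterion.
ENTRUST_ROOT_SHA1 = "b3 1e b1 b7 40 e3 6c 84 02 da dc 37 d4 4d f5 d4 67 49 52 f9"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()))

def cisco_fingerprint(digest):
    """Format a raw digest the way IOS prints it: upper-case hex, 8 digits per group."""
    hex_upper = digest.hex().upper()
    return " ".join(hex_upper[i:i + 8] for i in range(0, len(hex_upper), 8))

def fingerprints(pem_text):
    """MD5 and SHA1 fingerprints of the certificate in IOS display format."""
    der = pem_to_der(pem_text)
    return {
        "MD5": cisco_fingerprint(hashlib.md5(der).digest()),
        "SHA1": cisco_fingerprint(hashlib.sha1(der).digest()),
    }

def matches_thumbprint(pem_text, expected_sha1=ENTRUST_ROOT_SHA1):
    """Compare the SHA1 fingerprint with a thumbprint given in any spacing or case."""
    have = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    want = "".join(expected_sha1.split()).upper()
    return have == want

# Constructed sample (not a real certificate): a PEM wrapper around the bytes
# b"abc", so the functions can be exercised offline. For the real check, pass
# the text of the file downloaded from Entrust instead.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"abc").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for algo, value in fingerprints(SAMPLE_PEM).items():
        print(f"Fingerprint {algo}: {value}")
    print("matches Entrust root thumbprint:", matches_thumbprint(SAMPLE_PEM))
```

Run it against the file saved from the Entrust download; accept the certificate at the IOS prompt only when the SHA1 line printed here equals the one the router shows.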
In the final step, configure your VPN device to communicate with the WSS, which validates the device's authentication certificate, and to route web-destined traffic to the cloud service. Again, a Cisco 891 is used for this example. Refer to your VPN device vendor's documentation for the specific instructions for your device.
Define the Internet Security Association and Key Management Protocol (ISAKMP) settings, which establish Security Associations (SAs) and cryptographic keys (RFC 2408).
device#crypto isakmp identity dn
device#crypto isakmp keepalive 10 periodic
device#crypto isakmp nat keepalive 60
device#crypto isakmp aggressive-mode disable
Create a certificate map that matches the certificate sent by the Symantec service. The following example (and subsequent example commands) uses bccs as the map name. The certificate on the WSS maps the name to *.threatpulse.com.
device#crypto pki certificate map bccs 1
name co threatpulse
Create the ISAKMP profile used for the WSS connection (the name BlueCoat is used only as an example; the crypto map below references it with set isakmp-profile).
device#crypto isakmp profile BlueCoat
ca trust-point entrust2006
ca trust-point BlueCoatIssuingCA
match certificate bccs
Define the IPsec transform set. The WSS supports many combinations; see Reference: IKE Encryption and Authentication Algorithms. The set defined here, ESP-AES-256-SHA, is the one the crypto map references.
device#crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
Configure the IPsec connection. Refer to your planning form (or the region list) for the WSS IP address that you are assigning to this location. In this example and subsequent examples, the crypto map is named BCCS_CMAP_1.
device#crypto map BCCS_CMAP_1 1 ipsec-isakmp
set transform-set ESP-AES-256-SHA
set pfs group5
set isakmp-profile BlueCoat
match address IPSEC_TRAFFIC
Configure the WAN interface to reference the BCCS_CMAP_1 crypto map.
device#interface GigabitEthernet0
crypto map BCCS_CMAP_1
Define web-destination traffic and NAT rules. In the access lists below, inside_ip_interface subnet is a placeholder for your internal source network.
device#ip nat inside source list nat_rule interface GigabitEthernet0 overload
device#ip access-list extended IPSEC_TRAFFIC
permit tcp inside_ip_interface subnet any eq www
permit tcp inside_ip_interface subnet any eq 443
device#ip access-list extended nat_rule
deny tcp inside_ip_interface subnet any eq www
deny tcp inside_ip_interface subnet any eq 443
permit ip inside_ip_interface subnet any
Dead Peer Detection (DPD): Depending on your VPN device and network configuration, Symantec recommends that DPD be set to check every thirty seconds with five retries.
The following is a list of known vendor instructions for DPD:
- Cisco routers: Cisco Routers DPD
- Cisco Community DPD article: Cisco DPD Info
- Check Point: Checkpoint KB on DPD
- Juniper: Juniper DPD Info
- Palo Alto: Palo Alto DPD KB
- Fortinet FortiGate: Fortigate DPD
- If your manufacturer is not listed, consult their website or support team for assistance with this feature.
The following knowledge base articles cover the most common issues faced by network administrators working with VPN tunnels and their remedies.
- Data to collect before opening a support case with Symantec support: https://knowledge.broadcom.com/external/article?legacyId=TECH203533
Data Center Egress IP Addresses. The following articles list the public IP addresses used to reach Internet resources from the Web Security Service worldwide.
If you already have an Entrust certificate installed on your Cisco router but it has expired, follow these steps to regenerate it. In this example, EntrustCA is used as a placeholder for the CA identity (trustpoint name) on the router; change EntrustCA in the commands below to the identity you used when configuring your router for Entrust.
- In config t mode on the router, type no crypto ca certificate chain EntrustCA to remove the existing certificates on the router.
- Type crypto ca authenticate EntrustCA to get another CA certificate.
- Type crypto ca enroll EntrustCA to enroll the device.