Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client Certificates

03/26/2020

    Description

    Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client Certificates

    Resolution

    Overview

    This article demonstrates how to configure the appliance for null authentication, and then use a client certificate as a device watermark.  The client certificates used in this article have been issued by a Microsoft Certification Authority server.

    Use the following procedure to import a CA root certificate into the appliance, configure the zone and device profile, assign it to a realm/community, request a client certificate, and install the certificate on the client machine.  It is assumed you already have a realm configured without an authentication server.

    Procedure

    Importing the CA Root Certificate

    You must first obtain a CA root certificate.  For the Microsoft CA Service, follow this procedure:

    1. Open the Certification Authority MMC.
    2. Right-click on the name of the CA and then select Properties.
    3. On the General tab, highlight the CA certificate you want and click View Certificate.
    4. Click the Details tab, and then click Copy to File.
    5. Export the certificate as a Base-64 encoded X.509 (.CER) file.
    6. In AMC, select SSL Settings, and then click Edit in the CA Certificates section.
    7. Click New.
    8. Browse to the file that was created earlier and select it.
    9. Under the Usage section, enable the Device profiling (End Point Control) check box.
    10. Click Import.

    Creating the Zone and Device Profile

    1. In AMC, select End Point Control.
    2. Click New, and then select Standard Zone.
    3. Type a name for the zone.
    4. Under All Profiles, click New.
    5. Select Microsoft Windows.
    6. Type a name for the profile.
    7. Under Add attribute(s), select Client Certificate from the Type drop-down list.
    8. Select the appropriate certificate vendor from the Vendor list.
    9. Enable the System store and user store check box in the Look in: section.
    10. Click Add to Current Attributes.
    11. Click Save. The window closes.
    12. On the Zone Definition page, select the profile you just created, and then click the >> button to assign it to the In Use field.
    13. Click Save.

    Assign the Zone to a Community

    1. From the list of standard zones, select the client certificate zone you just created, and then click the >> button to assign it to the In Use field.
    2. Click OK.
    3. Click Save.
    4. Apply these changes.

    Requesting and Installing a Client Certificate from the Microsoft CA Server

    1. Using Internet Explorer, go to the address of your Microsoft CA server.
    2. Click Request a certificate.
    3. Click advanced certificate request.
    4. Click Create and submit a request to this CA.
    5. Select User under the Certificate Template drop-down list.
    6. Select Mark keys as exportable and Enable strong private key protection.
    7. Click the Submit > button at the bottom of the page.
    8. When prompted, click Yes to the message that discusses allowing trusted sites to request certificates for you.
    9. Click OK to the Creating a new RSA exchange key prompt.
    10. Click Install this certificate and then click Yes to the warnings.

    Using the same certificate on multiple clients

    If you want to copy this certificate to multiple clients, you can export it from the browser store from which it was first installed.

    1. Launch Internet Explorer.
    2. Click on Tools and then choose Internet Options.
    3. Click on the Content tab.
    4. Click Certificates.
    5. Select the Personal tab, and then select the appropriate certificate.
    6. Click Export.
    7. Click Next.
    8. Select the Yes, export the private key option, and then click Next.
    9. Select the following options for Export File Format:
      • Personal Information Exchange PKCS #12 (.pfx)
      • Include all certificates in the certification path, if possible
      • Enable Strong Protection.
    10. Click Next.
    11. Enter a password and then select a location and name for the certificate file.
    12. Finish the export of the certificate.
    13. The resulting .pfx file can be imported to any Windows client from the same location from which it was exported.
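
A pre-check for a Windows client after the certificate has been installed or imported, as an added example that is not part of the original article or SonicWall's tooling. It assumes the device profile matches a certificate that chains to the imported CA root, that "System store and user store" correspond to `Cert:\LocalMachine\My` and `Cert:\CurrentUser\My`, and that `C:\Temp\ca-root.cer` (a placeholder path) is the Base-64 .CER exported from the CA.

```powershell
# Added example: list certificates on this client that chain to the CA root
# imported into the appliance for device profiling.
# Assumption: $CaRootPath points at the .CER file exported from the CA.
param(
    [string]$CaRootPath = 'C:\Temp\ca-root.cer'   # placeholder path, adjust
)

$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaRootPath)

function Get-ProfileCandidate {
    param([string]$StorePath)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation lookups are skipped so the check also works offline.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        # The last chain element is the highest issuer Windows could find.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -ne $root.Thumbprint) { continue }

        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $built      # false if the root is not trusted locally
        }
    }
}

# Assumed mapping of the profile's "user store" and "System store".
$found = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
    ForEach-Object { Get-ProfileCandidate -StorePath $_ }

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Warning "No certificate chaining to $($root.Subject) found in either store."
}
```

When the same .pfx has been copied to several clients, every one of them reports the same thumbprint, so the certificate marks a group of devices rather than an individual machine or user.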

    Going further

    Because the realm is configured with no authentication server, you can set up a Deny Zone for users who do not have the client certificate.

    Categories

    • Secure Mobile Access > SMA 1000 Series
