5 Replies Latest reply on Apr 28, 2010 1:33 PM by sliedl

    Enterprise Firewall mediating digital certificates


      I wanted to clear up the following doubts about the Enterprise Firewall and digital certificates.

      I have the following scenario: eight web servers and the firewall at the edge. I work with public digital certificates, but I was wondering whether the firewall can mediate the certificates for the servers, for example.

      Instead of buying eight certificates from Verisign, for example, I would buy only one; this single certificate would be on the firewall, and it would serve to create secure communication with the eight servers. Can it work this way?
      I do not know whether it could, for example, match that single certificate to another certificate generated on its own, on the firewall, and have this certificate account for the encrypted and secure connection between the firewall and the eight servers. Does it do this?

      Thank you.

        • 1. Re: Enterprise Firewall mediating digital certificates

          The firewall does not encrypt communication between itself and the 8 servers you have behind it.


          It can pass HTTPS through itself to these servers obviously (thus it is encrypted).  Or, you can do what's called SSL Decryption on the firewall.  You load the certificate onto the firewall.  You set up your HTTPS application defense to do SSL Decryption and you select the appropriate certificate.  Then, the firewall has an encrypted session between itself and the client connecting to it.  It then decrypts this connection and passes it in the clear to your web server(s) on your internal network.  When they respond back, the Sidewinder re-encrypts the connection back out to the client using the certificate you loaded.  You could do this for all 8 servers using 8 different HTTPS Application Defenses.

          • 2. Re: Enterprise Firewall mediating digital certificates

            True, but if so I would have to have a license for each server, correct?

            Not just one certificate serving for all eight servers?!

            • 3. Re: Enterprise Firewall mediating digital certificates

              No, licensing has nothing to do with this.


              I guess I don't understand what your concerns are.  Can you give more detail please?

              • 4. Re: Enterprise Firewall mediating digital certificates

                Not the license, excuse me; the doubt is about the digital certificate itself.

                Like this: I will work with digital certificates on the web servers (eight), where this certificate is requested when you access the site hosted on the servers on my network. My question is whether the firewall could mediate these certificates, allowing me to place only one certificate responding for the eight servers, and not eight certificates, one for each. But from what I was told, the firewall does not intermediate anything; it just does the inspection. Correct?

                • 5. Re: Enterprise Firewall mediating digital certificates

                  You could place all 8 certs. on the firewall and then use 8 different rules to do SSL decryption to each of your servers.


                  You cannot have 1 cert. that encompasses all 8 of your other certificates.  If you connect to 'ftp.yourdomain.com' and the firewall returns the cert. 'fw.yourdomain.com' you're going to get a certificate error (in whatever client you're using) because the hostname you're connecting to does not match your certificate.  You can't have one cert that 'pretends' to be all the other certs. (what's the point of using certificates if you can fake them?).


                  Either you load all 8 on your firewall and do SSL decryption or you simply redirect/pass HTTPS traffic to each of the 8 servers (and thus they would send their certs. [which match their hostnames] to the client that is connecting to them).  I would choose the second option myself.
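As an added illustration of the point made in reply 1 (SSL decryption on the firewall) and reply 5 (the hostname in the certificate must match the hostname the client connected to), the following is example code written for this page; it is not part of the original thread or of the firewall product. It implements the hostname check an HTTPS client performs (RFC 6125 rules, simplified: subjectAltName dNSName entries first, subject CN only as a legacy fallback, wildcard allowed only as the whole left-most label) and then runs it against the two deployments the replies describe: HTTPS passed through to each server, and TLS terminated on the firewall with either one certificate or all eight loaded. The certificate dicts mimic the shape Python's `ssl.getpeercert()` returns, so `matches_hostname` can be run unchanged on a live peer certificate. All hostnames and certificates are constructed, and `presented_cert`/`client_accepts` are assumed models of the firewall's behaviour, not its API. The last scenario (a single certificate that lists every hostname in its SAN) goes beyond what the thread discusses; it is included because it is the standard way one certificate can cover several hosts without a mismatch error.

```python
"""Client-side hostname verification applied to the thread's deployment options.

Certificates use the dict shape returned by Python's ssl.getpeercert().
All certificate data and hostnames below are constructed for illustration.
"""
from typing import Dict, List

Cert = Dict[str, object]


def _san_dns_names(cert: Cert) -> List[str]:
    """dNSName entries from subjectAltName, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _subject_cn(cert: Cert) -> List[str]:
    """commonName attributes from the subject (used only when SAN has no dNSName)."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def _label_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS-ID pattern with a hostname, case-insensitively.

    A single '*' is accepted only as the entire left-most label and matches
    exactly one label: '*.yourdomain.com' matches 'ftp.yourdomain.com' but
    not 'yourdomain.com' or 'a.b.yourdomain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False            # wildcard must be the whole left-most label
    if len(p_labels) < 3:
        return False            # refuse '*.com'-style patterns
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(cert: Cert, hostname: str) -> bool:
    """True if a client connecting to `hostname` would accept `cert`."""
    candidates = _san_dns_names(cert) or _subject_cn(cert)
    return any(_label_matches(c, hostname) for c in candidates)


def make_cert(*dns_names: str) -> Cert:
    """Constructed stand-in for a CA-issued server certificate covering dns_names."""
    return {
        "subject": ((("commonName", dns_names[0]),),),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
    }


def presented_cert(mode: str, target_host: str,
                   server_certs: Dict[str, Cert],
                   firewall_certs: Dict[str, Cert]) -> Cert:
    """Assumed model of which certificate the client sees for target_host.

    'passthrough': the TLS session is forwarded untouched, so the web
        server's own certificate is presented.
    'decrypt': the firewall terminates TLS and sends the certificate its
        rule/application defense for target_host was configured with; if no
        per-host rule exists, the single loaded certificate is sent.
    """
    if mode == "passthrough":
        return server_certs[target_host]
    if mode == "decrypt":
        return firewall_certs.get(target_host) or next(iter(firewall_certs.values()))
    raise ValueError(f"unknown mode {mode!r}")


def client_accepts(mode: str, target_host: str,
                   server_certs: Dict[str, Cert],
                   firewall_certs: Dict[str, Cert]) -> bool:
    cert = presented_cert(mode, target_host, server_certs, firewall_certs)
    return matches_hostname(cert, target_host)


# Constructed scenario: eight hosts behind one firewall.
HOSTS = [f"www{i}.yourdomain.com" for i in range(1, 8)] + ["ftp.yourdomain.com"]
SERVER_CERTS = {h: make_cert(h) for h in HOSTS}             # one cert per server
FW_ONLY = {"fw.yourdomain.com": make_cert("fw.yourdomain.com")}  # single fw cert
FW_ALL_EIGHT = {h: make_cert(h) for h in HOSTS}             # all 8 certs loaded on the firewall
FW_MULTI_SAN = {"shared": make_cert(*HOSTS)}                # one cert naming all 8 hosts in SAN

if __name__ == "__main__":
    for label, fw in [("single fw cert", FW_ONLY),
                      ("8 certs loaded", FW_ALL_EIGHT),
                      ("1 cert, 8 SANs", FW_MULTI_SAN)]:
        ok = all(client_accepts("decrypt", h, SERVER_CERTS, fw) for h in HOSTS)
        print(f"decrypt with {label}: {'accepted' if ok else 'certificate error'}")
    ok = all(client_accepts("passthrough", h, SERVER_CERTS, {}) for h in HOSTS)
    print(f"passthrough: {'accepted' if ok else 'certificate error'}")
```

Running it shows the single `fw.yourdomain.com` certificate producing a mismatch for every one of the eight hostnames, while pass-through, eight loaded certificates, or one certificate carrying all eight names in its SAN all pass the check.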