WatchGuard Technologies SSL VPN User Guide

Troubleshooting
Firebox SSL VPN Gateway
Internal Failover
If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the 
Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and 
then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range 
starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about 
configuring IP pools, see “Enabling IP Pooling” on page 94.
Certificate Signing
There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway, 
Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a 
public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations 
such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Services.
Certificates signed by a private CA are sometimes described as enterprise certificates or self-signed certificates. In this context, the term self-signed certificate is not technically accurate; such certificates are signed by the private CA. True self-signed certificates are not signed by any CA and are not supported by the server components, because there is no CA to provide a root of trust. However, as described above, certificates issued by a private CA are supported by the server components because the private CA is the root of trust.
Certificate Revocation Lists
Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the cRLDistributionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP. The client certificate is checked against those CRLs.
Retrieving CRLs using LDAP is not supported.
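Because the gateway only follows HTTP distribution points and ignores LDAP ones, an administrator may want to check what a client certificate's cRLDistributionPoints extension actually advertises before relying on revocation checking. The following Python is an added example, not code from the WatchGuard guide: it walks the DER of a cRLDistributionPoints extension value with minimal hand-written helpers (not a full ASN.1 library) and splits the URIs into ones the gateway can fetch over HTTP and ones it will not use; the sample extension value and its example.net URIs are constructed here, not taken from any real certificate.

```python
# Added example, not WatchGuard code: minimal DER helpers for a cRLDistributionPoints
# extension value (RFC 5280, 4.2.1.13); the sample value below is constructed, not real.
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; definite lengths below 256 bytes are enough here."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body

def der_iter(buf: bytes):
    """Yield (tag, value) for each top-level TLV in a DER buffer."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                           # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def ctx0(items):
    """Keep only [0] EXPLICIT (constructed context tag 0xA0) values."""
    return (v for t, v in items if t == 0xA0)

def encode_crl_dps(*uris: str) -> bytes:
    """Build a CRLDistributionPoints value with one DistributionPoint per URI."""
    # DistributionPoint ::= SEQUENCE { [0] distributionPoint { [0] fullName { [6] URI } } }
    dps = [der(0x30, der(0xA0, der(0xA0, der(0x86, u.encode("ascii"))))) for u in uris]
    return der(0x30, b"".join(dps))

def crl_uris(ext_value: bytes) -> list:
    """Return every uniformResourceIdentifier in a cRLDistributionPoints value."""
    [(_, dps)] = list(der_iter(ext_value))     # outer SEQUENCE OF DistributionPoint
    uris = []
    for _, dp in der_iter(dps):
        for field in ctx0(der_iter(dp)):       # [0] distributionPoint (not reasons/cRLIssuer)
            for names in ctx0(der_iter(field)):  # [0] fullName (GeneralNames)
                uris += [gn.decode("ascii") for t, gn in der_iter(names) if t == 0x86]
    return uris

def split_by_gateway_support(uris: list) -> tuple:
    """HTTP URIs the gateway can fetch versus ones (e.g. LDAP) it will not use."""
    http = [u for u in uris if u.lower().startswith("http://")]
    return http, [u for u in uris if u not in http]

# Constructed sample: one HTTP and one LDAP distribution point.
SAMPLE_EXT = encode_crl_dps(
    "http://crl.example.net/IssuingCA.crl",
    "ldap://ldap.example.net/CN=IssuingCA?certificateRevocationList",
)
```

To run it against a real client certificate, extract the extension value with a standard X.509 tool first; the helpers above deliberately parse only the extension body, not a whole certificate. A certificate whose only distribution point is LDAP will be accepted by the gateway without any CRL check, which is the condition this script makes visible.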
Network Messages to Non-Existent IPs
If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL 
VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as 
network spamming.
To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway.
The Firebox SSL VPN Gateway Does not Start and the Serial Console Is Blank
Verify that the following are correctly set up:
• The serial console is using the correct port and the physical and logical ports match
• The cable is a null-modem cable
• The COM settings in your serial communication software are set to 9600 bits per second, 8 data 
bits, no parity, and 1 stop bit
The Administration Tool Is Inaccessible
If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the 
Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL 
VPN Gateway.