Support for Let's Encrypt certificates
Thomas_Buergis
in SSL VPN
We need support for Let's Encrypt certificates. All the main competitors do have Let's Encrypt support on their firewalls.
SonicWall supports Let's Encrypt on the SMA 100 and 1000 product lines. Let's Encrypt for the SSL-VPN on the firewall is a no-brainer.
Comments
@Thomas_Buergis on one hand I would love the idea of getting LE certs easily on the Firewall, but on the other hand I don't like the idea of having ports 80 and 443 open to the public, connecting directly to the Firewall. I stick to the rule of keeping the attack surface as small as possible.
With a single IP assigned to the WAN it wouldn't be easy to accomplish that anyways if you're running a Webserver in the DMZ.
Sadly there is no way to limit the Access, because LE does not disclose a list of validation servers.
--Michael@BWC
(Disclaimer: I'm not a network technician by trade, I am an OS technician; my grasp of the subtleties may be lacking. Read: please point out my mistakes. A lot of my LE knowledge comes from hobbyist configurations of Linux webservers and using an R-Pi as a private cloud server.)
Our connection has 5 IPv4 addresses. Our first address provides internet access for users and the SSL VPN connection in. Our second address provides a webserver (on a VM, on a VLAN) which has its own LE configuration. Our first IP has port 443 open for SSL VPN; port 80 is not. It is currently using a self-signed cert for VPN connections.
Port 80 and 443 are necessary for LE implementations and renewals. Once a cert is applied, would it not be trivial to have all port 80 requests forwarded to 443 on same FQDN as part of a configuration utility, like LE does on an Apache2 webserver? And would that be nice and secure on a SonicWall?
Ours would be an ideal scenario, I think, to have the same LE utility as SMA products on our NSA2700. And not everybody wants to host a webserver on a DMZ while also allowing mobile workers to connect. The question is, if the sonicwall device supports NetExtender, why not LE?
I agree LE support would be nice, but the HTTP challenge mechanism requires 80/443 open from everywhere. That is the problem. For the sake of saving a small amount of money vs. a paid-for cert, it is simply not worth it.
Sonicwall could implement the other challenge types.
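As an added illustration of the point the thread turns on (not code from any poster, and not SonicWall's implementation), the snippet below derives the HTTP-01 and DNS-01 proofs from the same ACME token per RFC 8555: HTTP-01 only validates if port 80 answers any of Let's Encrypt's undisclosed validator addresses, while DNS-01 needs nothing inbound on the firewall. The domain, token and account key are sample values, not live ones.

```python
# Added example, not from the thread: how the two ACME challenge types
# derive their proof from one token (RFC 8555 section 8).
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key) (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_response(domain: str, token: str, account_jwk: dict) -> dict:
    """Validator fetches http://<domain>/.well-known/acme-challenge/<token>
    from an undisclosed source IP, so port 80 must answer the whole Internet."""
    return {"inbound_port": 80,
            "url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, account_jwk)}

def dns01_response(domain: str, token: str, account_jwk: dict) -> dict:
    """Validator looks up TXT _acme-challenge.<domain>, which must hold
    base64url(SHA-256(key authorization)); only an outbound DNS update is needed."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return {"inbound_port": None,
            "name": f"_acme-challenge.{domain}",
            "txt": b64url(digest)}

# Sample values (not a live token or account key): an EC P-256 JWK
# shaped like an ACME account key, with one member the thumbprint ignores.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "use": "sig"}

if __name__ == "__main__":
    for fn in (http01_response, dns01_response):
        print(json.dumps(fn("vpn.example.com", SAMPLE_TOKEN, SAMPLE_JWK), indent=2))
```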