Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpereira
Staff
Staff

Created on ‎10-22-2021 01:57 AM Edited on ‎09-22-2023 07:32 AM By Moderator

Article Id 193183

Technical Tip: ACME certificate enrollment with SSL VPN

Description


This article describes how to configure ACME Certificate support when simultaneously using the same port for SSL VPN. 

 

Related document:
ACME certificate support


Solution


When ACME certificate support is configured, select an interface that will receive and reply to ACME connections, usually this port will be the same as the SSL-VPN port.

 

JeanPhilippe_P_0-1695392751747.png

 

However, if 'Redirect HTTP to SSL-VPN' setting is enabled, it will not be possible to select the same port for the ACME interface and it not be possible to move forward. If this is the case, it will be necessary to disable the setting 'Redirect HTTP to SSL VPN' on the SSL VPN settings to be able to use the same port for SSL VPN and ACME. Nevertheless, the restrictions mentioned in the Fortinet documentation linked above still maintained:

 

  •  

    The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address. If not having a public DNS record, it is possible to use FortiGuard DDNS by following this article: Technical Tip: How to configure Dynamic DNS FortiGate.

  • The configured ACME interface must be public-facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).

  • The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.


JeanPhilippe_P_1-1695393024805.png

 

 

 

Best Practices:

  1. Regularly Monitor ACME & Certificates: Ensure that the ACME process is running smoothly and that certificates are being renewed before expiration. Set up alerts or reminders for certificate expiry dates.

  2. Backup Configuration: Always back up the configuration before making changes. This action provides a safety net in case something goes wrong.

  3. Review Security Settings: Periodically review the security settings on the ACME and SSL-VPN interfaces. Ensure they conform to the latest best practices and recommendations.

  4. Stay Updated: Fortinet, like many vendors, frequently releases updates and patches. Ensure the device is updated to benefit from the latest features and security patches.

Integrating ACME certificate support with SSL VPN on a FortiGate device provides an automated certificate management solution, essential for maintaining secure remote access. By understanding the intricacies of the setup and adhering to best practices, administrators can ensure a seamless and secure user experience.

Labels:
6633
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.