Configuring SPNEGO in High Availability

The SPNEGO configuration described in the earlier sections does not apply to high availability, because that whole configuration relies on identifying the firewall used for authentication by its serial number.

In high availability, the two firewalls have different serial numbers. The difference in such a configuration therefore consists of replacing each firewall's identifier (its serial number) with a single name shared by both members of the cluster.

As the SPNEGO protocol verifies the firewall's fully qualified domain name, this identifier must be in the form of a domain name (domain.name).

Configuring SPNEGO by modifying the firewall's identifier

In this example, we need to replace https://SN710A000099999999.stormshield.com with https://stormshield.portal.com. To do so, you need to create a server certificate/private key pair under the name of the selected identifier:

  • Either through a root authority created on each of the firewalls
  • Or through specialized organizations such as Verisign, Thawte or others.

In the rest of this section, we will present the method based on certificates signed by a root authority of the firewall.

Creating the certificate authority

On the main firewall:

  1. In the Configuration > Objects > Certificates and PKI module, click on Add and select Add a root CA.
  2. In the CN field, enter the name of the authority (e.g.: CA-SPNEGO).
    The ID suggested by default will take on this name.
  3. In Certificate authority attributes, fill in the Organization (mandatory), Organizational Unit (mandatory), Locality (optional), State or province (mandatory) and Country (mandatory) fields.
  4. Click on Next.
  5. Type and confirm the CA password.
  6. Unless there is a specific need, leave the suggested Validity and Key size values as is.
  7. Click on Next.
  8. Indicate any potential CRL distribution points.
  9. Click on Next.
  10. Confirm the creation of the authority by clicking on Finish.

Creating the server certificate

On the main firewall:

  1. In the Configuration > Objects > Certificates and PKI module, click on Add and select Server identity.
  2. In the Fully qualified domain name (FQDN) field, indicate the chosen ID (stormshield.portal.com in the example).
  3. Click on Next.
  4. Select the Certificate authority created earlier (CA-SPNEGO in the example) to sign this certificate.
    The attributes of the certificate are automatically filled in with the authority's attributes.
  5. Enter the CA password.
  6. Click on Next.
  7. Unless there is a specific need, leave the suggested Validity and Key size values as is.
  8. Click on Next.
  9. Confirm the creation of the certificate by clicking on Finish.

Customizing the captive portal

On the main firewall, modify the captive portal so that it presents the ID of the cluster instead of the firewall's serial number:

  1. Go to the Configuration > Users > Authentication menu > Captive portal tab.
  2. In the Certificate (private key) field, select the certificate created earlier.

Finishing the configuration of SPNEGO

Once the certificate has been assigned to the captive portal, the remaining SPNEGO configuration is identical to the initial procedure for modifying the client configuration on the DNS server, except for the following points:

  1. You need to add the entry custom_ID to the DNS server. The string "firewall_serial_number.dnsdomain" therefore needs to be replaced with "custom_ID". In this example, https://SN710A000099999999.stormshield.com is therefore replaced with https://stormshield.portal.com.
  2. When the spnego.bat script is used, the <FW> variable representing the firewall's ID now takes on the value "custom_ID" without the name of the DNS domain. In this example, it is therefore portal.