
We recently purchased a Watchguard XTM 510. The hope is to replace our ISA 2006 proxy with this UTM product. We are having some issues with secured sites in our test setup. Currently we are still running traffic through the ISA server and I have the Watchguard also set up and connected to the network. Where we run into problems is when I set the HTTPS site's location in ISA to be forwarded through the XTM: I get a "certificate could not be validated" error.

Therefore I think I've narrowed it down to two possibilities. One, the certificate needs to be installed on the XTM. I'm not 100% sure this is the case, as I believe this should just be acting strictly as a proxy and forwarding all the traffic through, no questions asked. Either way, if I try to import a certificate to the XTM I always get a "certificate validation failed" error message. These are generally pfx files converted to pem.

Second, the XTM CA certificate needs to be installed on the ISA server so that they may communicate. I have done this but it didn't seem to do anything.

I believe this should be working and was hoping someone has struggled through this before.

Bill Best

1 Answer


I actually was able to figure it out. The certificates did need to be imported into the Watchguard. The issue with the import was that the Watchguard could not validate the entire certificate path.

To solve this I went through the Trusted CA list on the device and exported all the ValiCert and GoDaddy certificates that were applicable. Then I re-imported them as CA certificates by selecting the "Other" radio button on the import dialog.

After that I was able to import our GoDaddy certificate, no problem.

Bill Best
  • I also had to run 'openssl x509 -in stuff.crt -text' to find a line with the CA Issuers, which included a link to the proper Starfield (GoDaddy's alternative CA) certificate; I picked up that cert and imported it. Then everything worked fine. WatchGuard: if you see this, please improve your error reporting in this area. The errors are no help at all. – flickerfly Oct 30 '14 at 18:37
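The path-validation failure the answer and the comment describe, reproduced with openssl as an added example (not code from the post, the poster, or WatchGuard). It assumes openssl is on the PATH; all subject names and the pki.example.invalid URL are constructed, and the chain it builds is a throwaway one.

```shell
# Added example, not code from the post: build a throwaway root -> intermediate
# -> leaf chain, show that validation fails when only the root is trusted, and
# read the leaf's "CA Issuers" URI that names the missing intermediate.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <subject> <ext-file> [<issuer-name>]; no issuer = self-signed
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
            -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Extension profiles (constructed): CA tiers may sign, the leaf may not, and
# the leaf carries an AIA pointer like the Starfield one found in the comment.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.invalid\n%s\n' \
    'authorityInfoAccess=caIssuers;URI:http://pki.example.invalid/intermediate.crt' > "$WORK/leaf.ext"
make_cert root "/CN=Example Test Root" "$WORK/ca.ext"
make_cert intermediate "/CN=Example Test Intermediate" "$WORK/ca.ext" root
make_cert leaf "/CN=www.example.invalid" "$WORK/leaf.ext" intermediate

# verify_chain <leaf> <trusted-root> [<intermediate>] -> prints ok or fail.
# This is the check the appliance performs before it accepts an import.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# ca_issuers_uri <cert> -> the URI in the Authority Information Access extension,
# i.e. where the missing issuer certificate can be fetched from.
ca_issuers_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

verify_chain "$WORK/leaf.pem" "$WORK/root.pem"                          # fail
verify_chain "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/intermediate.pem" # ok
ca_issuers_uri "$WORK/leaf.pem"   # http://pki.example.invalid/intermediate.crt
```

Importing the intermediate named by that URI as a CA certificate first is what turns the first result into the second, which is the order of operations the answer arrived at.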