Using certificates to secure communications to external components

You can use certificates to secure communications from the SMC servers or NGFW Engines to external components.

You can use certificates to secure the following types of communications:

  • Forwarding log or audit data from the Management Server or Log Server to external syslog servers.
  • LDAP connections between the NGFW Engine and external LDAP or Active Directory servers.
  • Communication between NGFW Engines and the Forcepoint User ID Service server.

    For information about configuring the Forcepoint User ID Service server to communicate with NGFW Engines, see the document How to integrate Forcepoint User ID Service with other Forcepoint products and Knowledge Base article 14100.

The configuration consists of the following general steps:

  1. Define the trusted certificate authority for securing communications with external components in one of the following ways:
    • Use one of the default Trusted Certificate Authority elements.
    • Create a Trusted Certificate Authority element and import an external CA’s certificate.
    • Use the Management Server's internal certificate authority.

      Export the active internal CA's certificate, then configure the external component to trust the internal CA.

  2. Create a TLS Profile element.

    TLS Profile elements define the following settings:

    • Settings for cryptography
    • Trusted certificate authorities
    • TLS version
  3. To verify the identity of the TLS server to secure the TLS-protected traffic from the Log Server or the Management Server, configure TLS server identity.

For example, if you want to use the Forcepoint User ID Service server's certificate to secure communications from Forcepoint User ID Service to the NGFW Engine, you must create a Trusted Certificate Authority element to represent the CA, then select the CA as a trusted CA in the TLS Profile element that is used in the Forcepoint User ID Service configuration on the NGFW Engine.