Custom SSL Certificate questions for MX75

Solved
JRW_techlady
Here to help

Custom SSL Certificate questions for MX75

New user of Meraki MX75 ASA here.  We had Cisco Secure Client VPNs set up on our ASA 5516 that the MX75 replaced which required getting an SSL cert from a CA for our subdomain, webvpn.domain.org, applying that SSL cert to our ASA, and adding an A record pointing that domain to the public IP on the outside interface of the ASA in our public DNS records which are hosted.  Trying to duplicate that setup on the MX75 to avoid certificate errors.  If I go through the process of getting a CSR from Meraki and applying the SSL cert files for the subdomain, do I need any kind of entry in our hosted public DNS?  Or does the old A record simply need to be removed and Meraki now handles these VPN DNS requests to access our subdomain?  I cannot find any real documentation to clarify.  Anyone know?  Any other gotchas I need to be aware of?   Thanks in advance.

1 Accepted Solution: PhilipDAth's reply below (custom profile pointing at the DDNS name).

12 Replies
rhbirkelund
Kind of a big deal

Updating the DNS A record to the new WAN IP of the MX75 should be enough. 

 

Remember, if you have MX'es in Warm Spare, you'll need to sign a certificate for the Spare MX as well, since it is device specific. 

JRW_techlady
Here to help

Thanks for the reply.  In order for this to work, will I need to put the public IP in the CSR request as a SubjectAltName?  I watched a YouTube video that showed that's how they did it.  I really would like this to work on the first attempt.  Or, does Meraki automatically send the request to the configured public IP (WAN uplink) on the device?  No warm spare - just a single MX75 for a small network.  Thanks for your help.

PhilipDAth
Kind of a big deal

If you really want to do this - and I advise you against doing it - follow the custom certificate procedure in this document.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

 

PhilipDAth
Kind of a big deal

While you can do that - it is not something that is typically done anymore.

 

The Meraki MX will automatically install and renew certificates configured using its DDNS name.  As long as your AnyConnect clients use that - you never have to touch certificates again.

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

 

JRW_techlady
Here to help

Sorry for the late reply.  I've been further investigating pros and cons and am still unsure.

 

1.  I realize that using the DDNS name is easiest.  However, we only have a handful of users already connecting using the Secure client on company issued laptops via the subdomain for a long time now with our old ASA.  The DDNS name is long and hard to remember and I have to retrain users.

 

2.  We do not have a profile push set up to change that in the profile (which I read about doing), and are using manually created Meraki auth for them to connect so that would be more for me to figure out.

 

3.  I have an existing SSL cert from godaddy for the subdomain that I can request a re-key for with a CSR from Meraki so I can go through the custom cert process.  The existing cert is valid for some time yet.

 

Even if it's not typical, the custom certificate option seems the best for us, but I could be wrong.  Pros? Cons? Gotchas?

 

And per my original question, IF I do that, what and how does this affect my public DNS record?  Still an A record for the subdomain for my outside IP?  Or, a CNAME record to something at Meraki?  Or, no record needed there at all?

 

Thanks!

PhilipDAth
Kind of a big deal

>CNAME record to something at Meraki?

 

I would make it a CNAME to the Meraki DDNS record.

JRW_techlady
Here to help

To be honest, that's what I currently have in place (thinking that would work), but obviously, Meraki picks up on that somehow and returns a certificate error to users that it's not a secure connection.  Right now, they are having to click through a 'connect anyway' prompt.  So, I was hoping that doing the custom certificate setup and having my DNS record put back to an A record pointing to our outside IP would resolve.  But, maybe not?  I frankly was very surprised that the error appeared.  When we tested and manually entered the DDNS name, it worked without error.

 

Thanks again for your response.  I'm headed home, so if you reply to this, I'll see it tomorrow. 🙂

PhilipDAth
Kind of a big deal

A custom certificate will resolve that issue.

 

I still think it is easier to get users to connect to the DDNS name ...

 

You can use this tool to create a custom profile:

https://ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html

 

And then load that into the Meraki Dashboard.  The first time users connect using the old DNS name, they'll get the error and download the profile.  The second time they connect, they'll see your profile and won't get an error.

 

You can also manually copy the profile to their machines.  The directory locations are in the link above.

GIdenJoe
Kind of a big deal

I tried the CNAME route once but then the cert would still fail to be trusted.

I found it easier to just deploy profiles to the end users that contain a user friendly name towards the dynamic-m.com URL.
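
Why the CNAME route fails, as an added illustration (not code from the thread, Cisco or Meraki): Secure Client verifies the server certificate against the name the user typed, not against whatever that name resolves to. A CNAME from webvpn.domain.org to the DDNS record only changes the resolution path, so a certificate issued for the DDNS FQDN still does not match the typed name. The snippet emulates that check against two constructed certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the DDNS label `mx75-abcd.dynamic-m.com` and the IP `203.0.113.10` are invented. It also goes slightly beyond the thread by handling the case where a user types the public IP, which only works if the certificate carries an IP-address SAN.

```python
"""Emulate the client's hostname check to show why a CNAME does not fix a
certificate mismatch, while a custom certificate for the typed name does.
Added example; all names and certificates below are constructed."""
import ipaddress
import socket
import ssl


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of subjectAltName, as ssl.getpeercert() reports them."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # no partial-label or multi-level wildcards, no '*.com'
    return p_labels[1:] == h_labels[1:]


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def cert_matches_name(cert: dict, typed_name: str) -> bool:
    """The name the user typed is what gets verified: DNS SANs for a
    hostname, 'IP Address' SANs if the user typed an IP literal."""
    ip = _as_ip(typed_name)
    if ip is not None:
        return any(k == "IP Address" and _as_ip(v) == ip
                   for k, v in cert.get("subjectAltName", ()))
    return any(dns_name_matches(p, typed_name) for p in san_dns_names(cert))


def vpn_cert_verdict(typed_name: str, cname_target: str, cert: dict) -> str:
    """Explain the client's decision in words a helpdesk can act on."""
    if cert_matches_name(cert, typed_name):
        return "trusted"
    if cert_matches_name(cert, cname_target):
        return ("untrusted: certificate names the CNAME target, not the "
                "name the user typed")
    return "untrusted: certificate matches neither name"


# Constructed certificates (subjectAltName only; real dicts carry more keys).
DDNS_CERT = {"subjectAltName": (("DNS", "mx75-abcd.dynamic-m.com"),)}
CUSTOM_CERT = {"subjectAltName": (("DNS", "webvpn.domain.org"),)}
CUSTOM_CERT_WITH_IP = {"subjectAltName": (("DNS", "webvpn.domain.org"),
                                          ("IP Address", "203.0.113.10"))}


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live helper (needs network; not exercised offline): retrieve the
    certificate the VPN endpoint presents. Chain validation stays on so a
    CA-signed certificate is returned as a dict; only the hostname check is
    disabled, which is what lets you inspect a mismatched SAN."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    typed, ddns = "webvpn.domain.org", "mx75-abcd.dynamic-m.com"
    print("CNAME to DDNS, DDNS cert :", vpn_cert_verdict(typed, ddns, DDNS_CERT))
    print("A record, custom cert    :", vpn_cert_verdict(typed, ddns, CUSTOM_CERT))
    print("typed IP, no IP SAN      :", vpn_cert_verdict("203.0.113.10", ddns, CUSTOM_CERT))
    print("typed IP, IP SAN present :", vpn_cert_verdict("203.0.113.10", ddns, CUSTOM_CERT_WITH_IP))
```

The same logic applies to the two fixes discussed in the thread: either the typed name changes to the DDNS FQDN (profile approach) or the certificate changes to name webvpn.domain.org (custom certificate). Adding the public IP as a SAN is only needed if users will type the IP instead of a name.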

JRW_techlady
Here to help

Can you verify this is the process & walk through what goes in the blanks on the profile editor?  This sounds easy.

 

1. Use profile editor link given earlier and download and save a profile file:

*VPN name #1: assuming webvpn.domain.org ??

*Hostname/Outside IP address #1:  assuming our outside/public IP of the Meraki device or the Meraki DDNS hostname ?

*VPN type #1: Defaults to TLS (IKEv2-Username & IKEv2-Cert also available).  We are using Meraki auth, so username or TLS?

 

2.  Log into Dashboard and go to Secure Client VPNs, and enable Profile Update, then upload the profile you created and saved and save changes.

 

Is that it?  What do I do about the CNAME entry in our public DNS?  Leave it pointing to the DDNS hostname, or does it need to be removed?

 

This method will update their profile on first signon via Secure Client and then Meraki takes care of SSL certificate and my purchased one is no longer needed?

 

Thanks so much.

 

 

PhilipDAth
Kind of a big deal

VPN Name is usually your company name, "ABC Ltd".  It can be anything.  It is what the users see as the name in the drop-down list.

 

The hostname should be the DDNS FQDN.  You should be able to put this into AnyConnect and connect using it.

 

Meraki only supports TLS.

 

Yep, just enable and upload the profile.  You can test it on a machine first by copying it into the profile directory on that web page.  Note that you must restart AnyConnect for it to recognise the new profile if you copy the file into its profile directory.
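
The profile the editor produces is plain XML, so the three answers above (VPN name is a display label, hostname is the DDNS FQDN, protocol is TLS/SSL) can be checked before uploading. The following is an added example, not the linked profile editor and not Cisco or Meraki code; it builds a minimal AnyConnect/Secure Client profile using the standard `AnyConnectProfile` elements (`ServerList/HostEntry/HostName/HostAddress/PrimaryProtocol` and `ClientInitialization/BlockUntrustedServers`) and lints it for the mistakes this thread circles around. The DDNS label `mx75-abcd.dynamic-m.com` and the display name are constructed placeholders; the "TLS only" rule is taken from the reply above.

```python
"""Build and lint a minimal AnyConnect/Secure Client VPN profile.
Added example; host names and display names are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def _q(tag: str) -> str:
    """Qualify a tag with the AnyConnectProfile default namespace."""
    return f"{{{NS}}}{tag}"


def build_profile(display_name: str, host_address: str,
                  block_untrusted: bool = True) -> bytes:
    """Return profile XML with one server entry.

    display_name : what users see in the drop-down ("ABC Ltd").
    host_address : what the client actually connects to and verifies the
                   certificate against; should be the DDNS FQDN.
    block_untrusted : keep True so users cannot click through a bad cert.
    """
    ET.register_namespace("", NS)
    ET.register_namespace("xsi", XSI)
    root = ET.Element(_q("AnyConnectProfile"))
    root.set(f"{{{XSI}}}schemaLocation", f"{NS} AnyConnectProfile.xsd")
    init = ET.SubElement(root, _q("ClientInitialization"))
    ET.SubElement(init, _q("BlockUntrustedServers")).text = (
        "true" if block_untrusted else "false")
    entry = ET.SubElement(ET.SubElement(root, _q("ServerList")), _q("HostEntry"))
    ET.SubElement(entry, _q("HostName")).text = display_name
    ET.SubElement(entry, _q("HostAddress")).text = host_address
    ET.SubElement(entry, _q("PrimaryProtocol")).text = "SSL"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def host_entries(xml_bytes: bytes) -> list[tuple[str, str]]:
    """(display name, host address) pairs, e.g. to confirm what a profile
    copied into the client's profile directory will offer."""
    root = ET.fromstring(xml_bytes)
    return [((e.findtext(_q("HostName")) or "").strip(),
             (e.findtext(_q("HostAddress")) or "").strip())
            for e in root.findall(f"{_q('ServerList')}/{_q('HostEntry')}")]


def lint_profile(xml_bytes: bytes) -> list[str]:
    """Findings a reviewer would raise before enabling Profile Update."""
    root = ET.fromstring(xml_bytes)
    findings = []
    entries = root.findall(f"{_q('ServerList')}/{_q('HostEntry')}")
    if not entries:
        findings.append("no HostEntry: users would have to type the server themselves")
    for e in entries:
        addr = (e.findtext(_q("HostAddress")) or "").strip()
        proto = (e.findtext(_q("PrimaryProtocol")) or "").strip()
        if not addr:
            findings.append("HostEntry without HostAddress")
        elif _is_ip_literal(addr):
            findings.append(f"HostAddress {addr} is an IP literal: the certificate "
                            "would need an IP SAN; use the DDNS FQDN instead")
        if proto and proto.upper() != "SSL":
            findings.append(f"PrimaryProtocol {proto}: the MX supports TLS only")
    flag = root.findtext(f"{_q('ClientInitialization')}/{_q('BlockUntrustedServers')}")
    if flag is not None and flag.strip().lower() == "false":
        findings.append("BlockUntrustedServers is false: users can click through "
                        "certificate errors")
    return findings


if __name__ == "__main__":
    good = build_profile("ABC Ltd", "mx75-abcd.dynamic-m.com")
    print(good.decode())
    print("findings:", lint_profile(good))  # expect []
    bad = build_profile("ABC Ltd", "203.0.113.10", block_untrusted=False)
    for f in lint_profile(bad):
        print("-", f)
```

Run `lint_profile` on the editor's output before enabling Profile Update in the dashboard; an empty findings list means the entry connects by FQDN, uses SSL/TLS, and does not let users bypass the certificate warning that started this thread.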

JRW_techlady
Here to help

We opted for the profile option using the linked profile editor for creation of the .xml file.

 

It worked like this:

 

Created a profile with a different name than our already-used webvpn.domain.org, went to Client VPN settings in dashboard and Enabled 'Profile Update' then clicked Choose File and navigated to the location of the saved .xml file, clicked open, then clicked to save in the Meraki dashboard.

 

Tested by loading a laptop pre-loaded with the Cisco Secure client from an off-network location, opening the client, entering the Meraki DDNS hostname and connecting.  NOTE:  Depending on the secure client settings, you might have to go into those settings and uncheck a Block Untrusted Connections box before completing these steps.

 

A pop up appeared saying the Certificate was untrusted.  Clicking on "Connect Anyway" allowed the VPN to establish AND auto downloaded the profile for future connections.

 

Signed off of the VPN, closed Secure Client and reopened it and this time, the server name field was pre-populated with the VPN Name contained in the profile.  Connecting to that VPN Name established the VPN without error.

 

Definitely the easiest way to accomplish what we needed and more cost effective!

 

Many thanks to the community and especially @PhilipDAth who didn't appear to get irritated by my many questions.
