Configuring a CRL Distribution Point Web Proxy

 

If your network security policies prohibit SBR Carrier from making a direct HTTP connection to a CRL distribution point (CDP), you can configure an HTTP proxy server to relay requests for updated certificate revocation lists to an external CDP.

To configure a CDP web proxy server using the Web GUI:

  1. Select RADIUS Configuration > Authentication Policies > CDP Web Proxy Configuration.

    The CDP Web Proxy Settings page (Figure 90) appears.

    Figure 90: CDP Web Proxy Settings Page
  2. Specify whether you want SBR Carrier to use a proxy to connect to an external CDP.

    • If you select the Connect Directly to Internet option button, SBR Carrier can connect to an external CDP without going through an HTTP proxy. If you select this option, you can skip the rest of this procedure.

    • If you select the Connect to Internet via Proxy option button, SBR Carrier must go through an HTTP proxy to connect to a CDP.

  3. If you have selected the Connect to Internet via Proxy option button, enter the name or IP address and port number of the HTTP proxy in the HTTP Proxy and Port fields.

  4. Optionally, enter names or IP addresses of hosts or the names of domains (separating each entry with a comma or semi-colon) for which no HTTP proxy is required in the No Proxy For field. If a CDP host matches an entry in this field, SBR Carrier bypasses the HTTP proxy and attempts to open a connection to the host directly.

    SBR Carrier compares IP addresses and hostnames using an exact string match. For example, if you enter cdp.juniper.net in the exclusion list, that matches the CDP hostname cdp.juniper.net but not host.cdp.juniper.net or host-cdp.juniper.net.

    To exclude all hosts within a domain (but not the hostname that matches the domain name), start the domain name with a period (.juniper.net). To exclude both the host and the domain juniper.net, create two entries in the exclusion list (.juniper.net, juniper.net).

    Wildcard matching for host or domain names is not supported.

    The values localhost and 127.0.0.1 are included in the No Proxy For list by default.

  5. You can click Flush CRL Caches to purge all information in the TLS and TTLS CRL caches immediately. This removes all CRL entries for registered clients from the in-memory cache and deletes all files from the CRL cache directories.

    Caution

    If you click the Flush CRL Caches button, the caches are purged immediately. You are not prompted to confirm your action.

  6. Click Save to save the changes.