Configure transparent authentication using a virtual HTTPS URL with SSL certificate issued from a Microsoft PKI server on ProxySG or Advanced Secure Gateway

Article ID: 168798

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Configuring a transparent ProxySG or Advanced Secure Gateway (ASG) to successfully authenticate users using an HTTPS-based virtual URL.

Environment

  • The organization's Root CA certificate is already deployed as a Trusted CA certificate in the browsers.
  • SSL traffic is being intercepted; if this is not the case and the first site a user visits happens to be HTTPS based, the user will get an authentication error (see Failure to authenticate a tunneled SSL request).
  • An Authentication Realm is configured.
  • Windows 2008 Enterprise Server R2 SP1 Enterprise PKI was used to generate the certificate.

Resolution

The high-level steps to configure a transparent ProxySG or Advanced Secure Gateway (ASG) to successfully authenticate users using an HTTPS-based virtual URL are:

  1. Ensure that the ProxySG or ASG has the time and date set up correctly.
  2. Create the keyring on the ProxySG or ASG.
  3. Create a certificate on the Microsoft PKI server.
  4. Import the certificate to the ProxySG or ASG.
  5. Create a new Service and Listener to intercept the redirected authentication requests.
  6. Configure the authentication realm to use the virtual URL.
  7. Add policy to enable authentication.
  8. Verify that users are being authenticated.

Step 1 Ensure that the ProxySG or ASG has time and date set up correctly.

The recommendation is to set up the ProxySG to get its time from a reputable and reliable time source.

  1. To review your NTP settings on the ProxySG, log in to the Management Console (https://:8082/) and select Configuration > General > Clock.
Note: any discrepancy between the date and time in certificates created by the ProxySG and the actual time can cause unexpected behavior, so it is important that the time on the ProxySG be set correctly before proceeding.

Step 2 Create the keyring on the ProxySG or ASG

  1. Select Configuration > SSL Keyrings. Click Create to create a new keyring for the ProxySG.
  2. Give the keyring a meaningful name; in this example we will use Authentication-KR.
  3. Select Show Keypair.
  4. Set the size as required; the default is 2048 bits.
  5. Click OK and Apply to save your changes.
  6. Now select the keyring just created and click Edit.
  7. Click Create under Certificate Signing Request at the bottom.
  8. Fill in the appropriate information in the request.
Note: When filling out this CSR it is important to make sure that the Common Name matches the DNS name of the ProxySG; otherwise the web browser will return a warning that it does not trust the certificate.
  9. Click OK, then Close, then Apply.
  10. Edit the keyring. At the bottom you will now see a certificate signing request (CSR). Copy this text to the clipboard. Click Close.
  11. Save the CSR that you copied to the clipboard to a text file and give it a meaningful name such as authentication.csr.

Step 3 Create a certificate on the Microsoft PKI server

  1. Log in to your Microsoft Active Directory Certificate Services server; the default URL is http:///certsrv/
  2. Click Request a certificate.
  3. Click Advanced certificate request.
  4. Paste the CSR into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) dialog box.
  5. Select Web Server under Certificate Template, then click Submit.
Note: If you do not select the Web Server template you may find that some browsers will not accept the emulated certificate from the ProxySG and the user will get an untrusted-certificate warning.
  6. Select Base 64 encoded, then click Download certificate.
Note: when you download the certificate, make sure to rename it to something meaningful; in this example it is authentication.cer.
  7. If you have already imported your Root CA certificate you can skip steps 8 through 11.
  8. Click Home in the top right corner of the page.
  9. Click Download a CA certificate, certificate chain, or CRL.
  10. Select the appropriate CA certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.
  11. Again, make sure to rename the CA certificate to something meaningful; in this example it is madlab CA certificate.cer.

Step 4 Import the certificate to the ProxySG or ASG

  1. In the Management Console on the ProxySG, select Configuration > SSL Keyrings. Select the Authentication-KR keyring created earlier and click Edit.
  2. Click Import, under Certificate.
  3. Open the authentication.cer file in a text editor and copy the contents to the clipboard, then paste them into the Import Certificate dialog box. Click OK, then Close, and then Apply to save your changes.
Note: if you happen to import the contents of the wrong certificate into this dialog box, when you click Apply you will get an error message similar to
"The private key in the certificate "Authentication-KR" does not match the one in the keyring"
  4. Add the Root CA (madlab Root CA, certificate.cer, if it hasn't already been added) and the ProxySG authentication certificate (authentication.cer) to the list of CA certificates on the ProxySG. In the Management Console, select Configuration > SSL > CA Certificates.
  5. Click Import. Name the CA certificate, paste in the contents of the authentication.cer file, and click OK and then Apply.
Note: the ProxySG lists CA certificates in alphabetical order; however, lower-case names are appended to the end of the list, which makes them easier to find.
  6. Repeat this procedure to import the Root CA.
  7. You should now have two new CA certificates in the list.
  8. Next we will add the Root CA and ProxySG authentication certificates as browser-trusted CAs. Select the CA Certificate Lists tab at the top.
  9. Select browser-trusted and click Edit.
  10. Select the newly added Root CA certificate and ProxySG authentication certificate on the left and click Add to move them to the right column. Click OK and then Apply.

Step 5 Create a new Service and Listener to intercept the redirected authentication requests

  1. Select Configuration > Services > Proxy Services > Standard > New Service.
  2. Give the new service a meaningful name; in this example MadlabAuthentication.
  3. Under Proxy Settings, change the Proxy to HTTPS Reverse Proxy.
  4. For Keyring select the Authentication-KR keyring created earlier.
  5. Under Listeners click New.
  6. Change the Destination to ALL and change the port to 4443 (or any other port of your choosing, as long as it doesn't conflict with a preexisting port).
  7. Click OK, then OK again, and Apply.
  8. (Optional) If you use a TCP-tunnel service on port 443 in transparent mode instead of the SSL service, enable protocol detection on the TCP-tunnel service (Configuration > Services > Proxy Services).

Step 6 Configure the authentication realm to use the virtual URL

Assuming that the Authentication Realm on the ProxySG or ASG exists, add the virtual URL:

  1. Click Configuration > Authentication > IWA > IWA General.
  2. In Virtual URL enter https://:4443
Note that the protocol is HTTPS and the port number is 4443 (or the port you assigned to the listener created above).
Also note that the proxy name must match the name used in the Common Name field of the authentication certificate created above, and this name must be resolvable by the client; in our example we are using https://es-bar-sg1:4443

Step 7 Add policy to enable authentication

  1. Click Configuration > Policy > Visual Policy Manager > Launch.
  2. In the Visual Policy Manager create a new Authentication Layer.
  3. Click Policy > Add Web Authentication Layer.
  4. Give the layer a meaningful name, then click OK.
  5. In the Action column right-click None and select Set.
  6. Click New, give the object a meaningful name, make sure the correct realm is selected, then select an appropriate redirect mode, either Origin IP Redirect or Origin Cookie Redirect. Finally, click OK until the dialog box closes and apply the policy.

Step 8 Verify that users are being authenticated

To confirm that users are logging in correctly, from the Management Console go to Statistics > Authentication, select the appropriate realm (or leave it blank), and then click either "Display by user" or "Display by IP"; you should see the users that have authenticated.
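As an added check for steps 2 and 6 (this is example code, not from the article or from Broadcom), the following script connects to the virtual URL listener trusting only the organization's Root CA and verifies the two points the article stresses: the proxy name used in the virtual URL must appear as the certificate's Common Name (or a SAN entry), and the certificate must be inside its validity window relative to the clock. The host es-bar-sg1 and port 4443 are the article's example values; the Root CA file name and the sample certificate dictionary are constructed for illustration.

```python
# Added example (not from the KB article or Broadcom): check the certificate the HTTPS
# reverse proxy listener presents on the virtual URL. Host/port are the article's example
# values; the Root CA file name is an invented placeholder.
import socket
import ssl
import time

VIRTUAL_URL_HOST = "es-bar-sg1"       # must equal the CSR Common Name
VIRTUAL_URL_PORT = 4443               # listener port of the reverse proxy service
ROOT_CA_FILE = "madlab-root-ca.cer"   # Base-64 Root CA downloaded from certsrv


def cert_names(cert):
    """DNS names from subjectAltName followed by the subject Common Name."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def check_virtual_url_cert(cert, host, now=None):
    """Return the problems found; an empty list means the cert fits the virtual URL.
    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    problems = []
    if host.lower() not in [n.lower() for n in cert_names(cert)]:
        problems.append(f"Common Name/SAN does not match virtual URL host {host!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid (check the ProxySG clock/NTP)")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired (check the ProxySG clock/NTP)")
    return problems


def fetch_virtual_url_cert(host=VIRTUAL_URL_HOST, port=VIRTUAL_URL_PORT, ca=ROOT_CA_FILE):
    """Connect trusting only the Root CA; the handshake fails if the chain is bad."""
    ctx = ssl.create_default_context(cafile=ca)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format so the checks can run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "es-bar-sg1"),),),
    "subjectAltName": (("DNS", "es-bar-sg1"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    print(check_virtual_url_cert(fetch_virtual_url_cert(), VIRTUAL_URL_HOST) or "OK")
```

Run it from a client that resolves the proxy name; a non-empty list or a handshake failure points at the CSR Common Name, the CA certificate list, or the proxy clock.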