Configuring authentication redirects to an HTTPS virtual URL
Article ID: 174383
ProxySG Software - SGOS
You would like to configure an HTTPS virtual URL for an authentication redirect.
1. Specify the virtual URL in the General tab of your authentication realm, for example Configuration>Authentication>IWA>IWA General.
   The format is https://virtualurl:port, where:
   - virtualurl is a host name that client machines can resolve to the proxy
   - port is a non-standard port such as 4433
2. Obtain the certificate the proxy will present in the SSL handshake. It can come from a public CA or from your internal PKI. The certificate must meet these requirements:
   - The Subject field contains a CN attribute equal to the virtual URL host name, for example CN=virtualurl
   - The Subject Alternative Name field contains a DNSName attribute for that host name, for example DNSName=virtualurl
   - The signature algorithm is stronger than SHA1
   - If the Basic Constraints field is present, it must contain the attribute Subject Type with the value End Entity, for example Subject Type=End Entity
   - The URLs listed in the CRL Distribution Points must be reachable by both the client machines and the proxy
   The private key and certificate must be in PEM format for import into the proxy. If you have a .pfx file (PKCS12 format), you can use OpenSSL to extract the private key and certificate; see https://support.symantec.com/en_US/article.TECH242088.html for details.
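As an added pre-import check that is not part of the original article, the following Python script reads the text that `openssl x509 -in cert.pem -noout -text` prints and reports which of the requirements above the certificate fails. The embedded certificate text is a constructed sample, the host name virtualurl follows the article's example, and CRL reachability (which needs the network) is delegated to an optional callback you supply.

```python
import re

# Constructed sample: the text `openssl x509 -in cert.pem -noout -text` prints
# for a certificate that meets the requirements above (not a real certificate).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Internal Issuing CA
        Subject: CN = virtualurl
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:virtualurl, DNS:virtualurl.example.internal
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.example.internal/issuing.crl
    Signature Algorithm: sha256WithRSAEncryption
"""

def crl_urls(cert_text):
    """URIs listed under CRL Distribution Points (empty if the extension is absent)."""
    section = re.search(r"CRL Distribution Points:(.*?)(?=\n\s*X509v3|\n\s*Signature Algorithm)", cert_text, re.S)
    return re.findall(r"URI:(\S+)", section.group(1)) if section else []

def check_virtual_url_cert(cert_text, virtual_url, url_reachable=None):
    """Return the list of requirement violations; an empty list means the certificate passes.
    url_reachable, if given, is called with each CRL URL and returns True only when both the
    clients and the proxy can fetch it (the one check that cannot be done offline)."""
    problems = []
    subject = re.search(r"^\s*Subject:(.*)$", cert_text, re.M)      # the Subject DN line only
    cn = re.search(r"\bCN\s*=\s*([^,]+)", subject.group(1)) if subject else None
    if not cn or cn.group(1).strip() != virtual_url:
        problems.append("Subject CN must be %s" % virtual_url)
    if virtual_url not in re.findall(r"DNS:([^,\s]+)", cert_text):  # SAN DNSName entries
        problems.append("Subject Alternative Name lacks DNSName=%s" % virtual_url)
    algo = re.search(r"Signature Algorithm:\s*(\S+)", cert_text)
    if not algo or re.search(r"(md2|md5|sha1)(?!\d)", algo.group(1), re.I):
        problems.append("signature algorithm %s is not stronger than SHA1" % (algo.group(1) if algo else "unknown"))
    bc = re.search(r"Basic Constraints:.*\n\s*CA:(TRUE|FALSE)", cert_text)  # only if present
    if bc and bc.group(1) == "TRUE":
        problems.append("Basic Constraints marks the certificate as a CA, not an End Entity")
    for url in crl_urls(cert_text):
        if url_reachable is not None and not url_reachable(url):
            problems.append("CRL Distribution Point %s is not reachable" % url)
    return problems
```

Run check_virtual_url_cert(open("cert.txt").read(), "virtualurl") on the saved openssl output for your own certificate; every string in the returned list is one requirement the proxy will trip over.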
3. Create a keyring and import the certificate:
   - Give the keyring a name
   - Choose whether to show or hide the keypair on the proxy. Hidden is more secure, but a hidden key cannot be exported later if you lose the private key.
   - Select Import existing private key
   - Paste the PEM-formatted private key
   - If the key is password protected, enter the key password. If you exported the key with OpenSSL, this is the password you were asked to set during export.
   - Under Certificate, click Import
   - Paste the PEM-formatted certificate into the dialog and click OK
4. Configure a reverse proxy service with a listener on the port you selected in step (1):
   - Navigate to Configuration>Proxy Services
   - Click New Service
   - Set Proxy to HTTPS Reverse Proxy
   - Select the keyring you created in step (3)
   - Under Listeners, select New
   - In the dialog, enter the port from step (1). Set Destination to Explicit and Action to Intercept
The authentication realm is now set up, and the *-*-redirect modes can be selected in policy in your authentication rules.