Configuring authentication redirects to an HTTPS virtual URL

Article ID: 174383

Products

ProxySG Software - SGOS

Issue/Introduction

You would like to configure an HTTPS virtual URL for an authentication redirect.

Resolution

  1. Specify the virtual URL in the General tab of your authentication realm (for example, for an IWA realm: Configuration>Authentication>IWA>IWA General).

    The format is https://virtualurl:port, where:
    • virtualurl is a host name that client machines can resolve to the proxy
    • port is a non-standard port, such as 4433
       
  2. Obtain the certificate that the proxy will present in the SSL handshake. It can be issued by a public CA or by your internal PKI, and it must meet the following requirements:
    • The Subject field contains a CN attribute for the virtual URL, such as CN=virtualurl
    • The Subject Alternative Name field contains a DNSName attribute, such as DNSName=virtualurl
    • The Signature Algorithm is stronger than SHA1
    • If the Basic Constraints field is present, it must contain the attribute Subject Type with the value End Entity, such as Subject Type=End Entity
    • The URLs specified in the CRL Distribution Points are reachable by both the client machines and the proxy
    • The private key and certificate must be in PEM format for import into the proxy. If you have a .pfx file (PKCS#12 format), you can use OpenSSL to extract the private key and certificate. See https://support.symantec.com/en_US/article.TECH242088.html for more details.
       
  3. Create a keyring and import the certificate.
    • Configuration>SSL>Keyrings
    • Create
      • Give it a name
      • Choose whether to show or hide the keypair on the proxy. Hidden is more secure, but a hidden key cannot be exported from the proxy later, so it cannot be recovered from the proxy if you lose your own copy of the private key.
      • Select import existing private key
      • Copy the PEM formatted private key
      • If it is password protected, enter the key password. If you exported it using OpenSSL, it is the password you were asked to set when exporting the key.
      • Click OK
      • Apply
    • Edit
      • Under Certificate, click Import
      • Paste the PEM format of the certificate in the dialog then click OK
      • Close
      • Apply
         
  4. Configure a reverse proxy service with a listener on the port you selected in step 1.
    • Navigate to Configuration>Proxy Services
    • Click New Service
    • For Proxy, select HTTPS Reverse Proxy
    • For Keyring, select the one you created in step 3
    • Under Listeners, select New
    • In the dialog, enter the port from step 1, set Destination to Explicit and set Action to Intercept
    • Click OK
    • Click OK
    • Click Apply
       
  5. The authentication realm is now set up, and the *-*-redirect authentication modes can be selected in the authentication rules of your policy.
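To verify a candidate certificate against the requirements in step 2 before importing it into the keyring, here is an added shell check that is not part of this article. It assumes the openssl command-line tool (1.1.1 or later) is installed; the host name proxyauth.example.internal and the self-signed test certificate it generates are constructed for demonstration only, and the CRL Distribution Point reachability test still has to be done by hand from a client and from the proxy.

```shell
# Added check (not from the article): test a PEM certificate against the step-2
# requirements. Assumes the openssl CLI (1.1.1 or later) is on the PATH.
check_virtual_url_cert() {  # usage: check_virtual_url_cert cert.pem virtualurl
    cert="$1"; vurl="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    # Subject must carry CN=<virtualurl>
    case "$subject" in
        *"CN=$vurl" | *"CN=$vurl,"*) echo "ok   subject has CN=$vurl" ;;
        *) echo "FAIL subject lacks CN=$vurl ($subject)"; rc=1 ;;
    esac
    # Subject Alternative Name must carry DNSName=<virtualurl> (dots escaped for grep)
    pat=$(printf '%s' "$vurl" | sed 's/\./\\./g')
    if printf '%s\n' "$text" | grep -qE "DNS:$pat(,|[[:space:]]|$)"; then
        echo "ok   SAN has DNS:$vurl"
    else
        echo "FAIL SAN lacks DNS:$vurl"; rc=1
    fi
    # Signature algorithm must be stronger than SHA1
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        *sha1*|*SHA1*|*md5*|*MD5*) echo "FAIL weak signature algorithm $sigalg"; rc=1 ;;
        *) echo "ok   signature algorithm $sigalg" ;;
    esac
    # Basic Constraints, if present, must mark an end entity (CA:FALSE)
    bc=$(printf '%s\n' "$text" | sed -n '/Basic Constraints/{n;p;}')
    case "$bc" in
        "") echo "ok   no Basic Constraints extension (allowed)" ;;
        *CA:FALSE*) echo "ok   Basic Constraints CA:FALSE (end entity)" ;;
        *) echo "FAIL Basic Constraints is not CA:FALSE:$bc"; rc=1 ;;
    esac
    # CRL Distribution Points cannot be checked offline: list them for a reachability test
    printf '%s\n' "$text" | sed -n 's/.*URI:\(.*\)/info CRL DP \1 (confirm clients and proxy can reach it)/p'
    return $rc
}
# Constructed self-signed test certificate, used only to exercise the checks above.
make_test_cert() {  # $1 = output file prefix, $2 = virtual URL host name
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n' "$2" > "$1.cnf"
    printf '[ext]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" >> "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
```

Run `check_virtual_url_cert yourcert.pem virtualurl` against the real certificate before step 3; a non-zero exit code means at least one requirement failed and the proxy will not present a usable certificate for the redirect.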