Management Center mutual TLS communication with Edge SWG (ProxySG)

Article ID: 277136

Products

Management Center - VA; ProxySG Software - SGOS

Issue/Introduction

The Edge SWG (ProxySG) supports mutual SSL authentication for access to its management console service. When enabled, clients are required to send a client certificate to connect successfully.

Management Center requires communication to the Edge SWG (ProxySG) HTTPS-Console management service on TCP port 8082 for access to various Edge SWG (ProxySG) Admin Console webpages.

If not configured correctly, one of the following error pages may be encountered while navigating the Edge SWG (ProxySG) Admin Console.

An unspecified problem has occurred.
The system has returned a 502 status code.

Management Center failed to connect to the device's web console: SOCKET_ERROR


An unspecified problem has occurred.
The system has returned a 500 status code.

An error occurred while contacting the device

Resolution

To configure the solutions to communicate successfully using mutual TLS, follow the instructions below.

Warning  Enabling mutual TLS on the Edge SWG (ProxySG) will require a client certificate from all clients to access the Management Console, including your web browser.

Prepare the Required Certificates

  1. Obtain a client certificate from your internal issuing certificate authority to identify the Management Center appliance. 
    Note  The certificate should include the Extended Key Usage extension with the Client Auth property.

    Note  You will need the certificate and associated private key in PEM format.
  2. Save a copy of the issuing certificate in PEM format.
    Note  The private key is not required for the issuing certificate.
Configure Management Center

  1. Create a keyring with the certificate and associated private key.
    Note  Ensure there is a new line character after -----END CERTIFICATE----- before pressing Ctrl-D.
    ssl
    inline keyring MC_Client_Certificate showable yes
    -----BEGIN RSA PRIVATE KEY-----
    <key content>
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <certificate content>
    -----END CERTIFICATE-----
    <Ctrl-D>
    exit
  2. Create an SSL Context.

    ssl
    create ssl-context Internal_SSL
    exit
  3. Set the keyring on the SSL Context.

    ssl
    edit ssl-context Internal_SSL
    keyring MC_Client_Certificate
    exit
    exit
  4. (Optional) Set other properties of the SSL Context as appropriate.

    To trust the Edge SWG (ProxySG)'s server certificate, follow the steps below:

    1. Install the issuing certificate of the Edge SWG (ProxySG) server certificate. Depending on the environment, this may be different from the issuing certificate of the MC client certificate.

      ssl
      inline ca-certificate Proxy_Issuing_CA
      -----BEGIN CERTIFICATE-----
      <certificate contents>
      -----END CERTIFICATE-----
      <Ctrl-D>
      exit
    2. Create a CA Certificate List (CCL).

      ssl
      create ccl Internal_CA_List
      exit
    3. Add the issuing certificate to the CCL.

      ssl
      edit ccl Internal_CA_List
      add Proxy_Issuing_CA
      exit
      exit
    4. Set the CCL on the SSL Context.

      ssl
      edit ssl-context Internal_SSL
      ccl Internal_CA_List
      exit
      exit


  5. Set the SSL Context for each device or as the global default.

    Specific Device
    1. Edit a device under the Network tab.
    2. Navigate to the Connection Parameters and set the SSL Context Override.
    3. Save the device settings.

    Global Default
    1. In the Management Center admin console, navigate to Administration > Device Communications.
    2. Select the SSL Context from the dropdown.
    3. Save and Activate the settings.
Configure the Edge SWG (ProxySG)

  1. Import the issuing certificate on the Edge SWG (ProxySG).

    ssl
    inline ca-certificate Internal_Issuing_CA eof
    -----BEGIN CERTIFICATE-----
    <certificate contents>
    -----END CERTIFICATE-----
    eof
    exit
  2. Create a CA Certificate List (CCL) on the Edge SWG (ProxySG).

    ssl
    create ccl Internal_CA_List
    exit
  3. Add the issuing certificate to the CCL.

    ssl
    edit ccl Internal_CA_List
    add Internal_Issuing_CA
    exit
    exit
  4. Set the CCL on the HTTPS-Console management service so that client certificates are verified against the issuing certificate added in step 3.

    management-services
    edit HTTPS-Console
    attribute ccl Internal_CA_List
    exit
    exit
  5. Enable the Verify Client setting on the HTTPS-Console management service.

    management-services
    edit HTTPS-Console
    attribute verify-client enable
    exit
    exit
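The following POSIX shell script is an added example, not part of the original article or of either product: it checks the Management Center client certificate and key before they are pasted into the MC keyring (Client Auth EKU present, key matches certificate, certificate chains to the CA that will be loaded into the ProxySG CCL, trailing newline after the END line) and, once verify-client is enabled, probes the HTTPS-Console on TCP 8082 the way Management Center does. It assumes the openssl CLI is available; the function names, file paths and the proxy host are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the Management Center client certificate, its private key and
# the issuing CA before they go into the MC keyring / SSL Context and the ProxySG CCL.
# Requires the openssl CLI; file paths are passed as arguments (any names in comments are made up).

# The Client Auth EKU the article requires must be present on the client certificate.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# The PEM key pasted into the keyring must belong to the certificate: compare public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate must chain to the CA that will sit in the ProxySG CCL (Internal_Issuing_CA).
# -partial_chain lets an intermediate issuing CA act as the trust anchor.
chains_to_issuer() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# The MC inline keyring needs a newline after -----END CERTIFICATE----- before Ctrl-D.
# $(...) strips trailing newlines, so the last byte is a newline exactly when the result is empty.
ends_with_newline() {
    [ -z "$(tail -c 1 "$1")" ]
}

# Run all checks; reports the first failing one and returns 1, otherwise prints ok.
check_client_bundle() {   # usage: check_client_bundle cert key issuing_ca
    has_client_auth_eku "$1"   || { echo "FAIL: no Client Auth EKU in $1"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
    chains_to_issuer "$1" "$3" || { echo "FAIL: $1 is not issued by $3"; return 1; }
    ends_with_newline "$1"     || { echo "FAIL: no newline after END CERTIFICATE in $1"; return 1; }
    echo "ok: $1 is ready for the MC keyring; load $3 into the ProxySG CCL"
}

# Optional live check after verify-client is enabled: open the HTTPS-Console on TCP 8082
# the way MC will, presenting the client certificate and validating the proxy's server
# certificate against its issuing CA (the grep only confirms that server-side validation).
probe_console() {   # usage: probe_console proxy-host cert key proxy_issuing_ca
    openssl s_client -connect "$1:8082" -cert "$2" -key "$3" -CAfile "$4" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}
```

A failing probe_console after a passing check_client_bundle points at the proxy side (CCL contents or the verify-client setting) rather than at the certificate material.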