Configure transparent authentication using a virtual HTTPS URL with SSL certificate issued from a Microsoft PKI server on ProxySG or Advanced Secure Gateway
search cancel

Configure transparent authentication using a virtual HTTPS URL with SSL certificate issued from a Microsoft PKI server on ProxySG or Advanced Secure Gateway

book

Article ID: 168798

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Configuring a transparent EdgeSWG or Advanced Secure Gateway (ASG) to successfully authenticate users using a HTTPS based virtual URL.

 

Environment

  • The organization's Root CA certificate is already deployed as a Trusted CA certificate in the browsers.
  • SSL traffic is being intercepted; if this is not the case and the first site a user visits happen to be https based, then they will get an error.

see Failure to authenticate a tunneled SSL request

  • Authentication Realm is configured
  • Windows 2019 Standard Enterprise PKI was used to generate a certificate.

Resolution

The high level steps to configuring a transparent EdgeSWG or Advanced Secure Gateway (ASG) to successfully authenticate users using a HTTPS based virtual URL are:

  1. Ensure that the EdgeSWG or ASG has the time and date set up correctly.
  2. Create the keyring on the EdgeSWG or ASG

  3. Create a certificate on the Microsoft PKI server

  4. Import the certificate to the EdgeSWG or ASG

  5. Create a new Service and Listener to intercept the redirected authentication requests.

  6. Configure the authentication realm to use the virtual URL

  7. Add policy to enable authentication

  8. Verify that users are being authenticated

Step 1 Ensure that the EdgeSWG or ASG has time and date set up correctly.

The recommendation is to set up the EdgeSWG to get its time from a reputable and reliable time source.

  1. To review your NTP settings on the EdgeSWG, please log in to the Management Console (https://proxy.address:8082/) and select Administration > General > Time
Note: any discrepancies between the date and time in certificates created by the EdgeSWG and the actual time can cause unexpected behavior, as such it is important that the time on the EdgeSWG be set up correctly before proceeding.

 
 

Step 2 Create the keyring on the EdgeSWG or ASG

  1. Select Configuration > SSL Keyrings.  Click on Add Keyring to create a new keyring for the EdgeSWG.
  2. Give the keyring a meaningful name, in this example we will use Authentication-KR.
  3. Select Allow The Key To Be Viewed And Exported.
  4. Select Generate New
  5. Set the size as required, the default is 2048 bits. 
  6. Click Apply, then Save. . ., then Save Changes, then Close to save your changes.
  1. Now click on the keyring just created or click Edit on the right.
  2. Click Create under Certificate Signing Request at the bottom.
  3. Fill in appropriate information into the request.
Note: When filling out this CSR it is important to make sure that the Common Name or Subject Alternative Name matches the redirect URL name (or DNS name) of the EdgeSWG, otherwise the web browser will return a warning that it does not trust the certificate. 
  1. Click Apply, then Apply, then Save. . ., then Save Changes, then Close
  1. Edit the Keyring. At the bottom you will now see a certificate signing request (CSR).  Copy this text to the clipboard manually or click on the Copy to clipboard button.
  1. Save the CSR that you copied to the clipboard to a text file and give it a meaningful name such as authentication.csr.

Step 3 Create a certificate on the Microsoft PKI server

  1. Login to your Microsoft Active Directory Certificate Services server
  2. Click Request a certificate
  1. Click on Advance certificate request
  1. Paste the CSR into the Base-64-encoded certificate request *CMC or PKCS#10 or PKCS#7) dialog box.
  2. Select Web Server in Certificate Template then click on Submit
Note: If you do not select the Web Server template you may find that some browsers will not accept the emulated certificate from the EdgeSWG and the user will get an untrusted warning exception.

  1. Select Base 64 encoded then click on Download certificate
Note: when you download the certificate, it will be named certnew.cer. Make sure to rename this to something meaningful, in this example it is authentication.cer
 
  1. If you've already imported your root servers CA you can skip steps 8 through 11
  2. Click Home in the top right corner of the page.
  3. Click Download a CA certificate, certificate chain, or CRL
  4. Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.
  5. Again make sure to rename the CA certificate to something meaningful in this example it is madlab CA certificate.csr

Step 4 Import the certificate to the EdgeSWG or ASG

  1. In the Management Console on the EdgeSWG, select Configuration > SSL Keyrings.  Select the Authentication-KR created earlier and click Edit.
  2. Open the authentication.cer file in a text editor and copy the contents to the clipboard
  3. Click Paste From Clipboard (or click in the box and press your hotkey(s) for paste
  4. Click Apply, then Save. . . then Save Changes, then Close.
Note: if you happen to import the contents of the wrong certificate into this dialog box, when you click apply, you will see the box highlighted in red, as well as red text saying "Bad Certificate"
  1. Add the Root CA, (if it hasn't already been added) madlab Root CA (certificate.cer), and the EdgeSWG CA certificate (authentication.cer) to the list of CA certificates in the EdgeSWG.  In the Management Console, go to the CA Certificates tab, select Configuration > SSL > CA Certificates
  2.  Click Import.  Name the CA certificate and paste in the contents of the authentication.cer file and click OK and then Apply
Note: the EdgeSWG will order the CA Certificates in alphabetical order, however lower case names are appended to the end of the list making them easier to find 
  1. Repeat this procedure to import the Root CA 
  2. You should now have your new CA certificates in the list
  3. Next we will add the Root CA, and EdgeSWG authentication certificates as browser trusted CAs.  Select browser-trusted from the CA Certificate Lists section.
  4. Click on Select Certificates, then make sure to  Select the newly added Root CA certificate and EdgeSWG authentication certificate on the list and click Select then Apply then Save . . . then Save Changes then Close.
 

Step 5 Create a new Service and Listener to intercept the redirected authentication requests

  1. Select Configuration Services, under Proxy Services click + Add Service.
  2. Give the new service a meaningful name, in this example MadlabAuthentication
  3. Under Proxy Settings, change the Proxy to HTTPS Reverse Proxy
  4. For Keyring select the Authentication-KR created earlier



  5. Under Listeners click on New
  6. Change the Destination to ALL and change the port to 4443 (or any other port of your choosing as long as it doesn't conflict with a preexisting port)
  7. Click on Add then Apply then Save. . . then Save Changes then Close.
  8. (Optional)  If you use a TCP-tunnel service on port 443 in transparent mode instead of the SSL service, enable protocol detection on the TCP-tunnel service.  (Configuration > Services > Proxy Services)

 

Step 6 Configure the authentication realm to use the virtual URL

Assuming that the Authentication Realm on the EdgeSWG or ASG exists, add the virtual URL

  1. Click on Configuration Authentication > Realms and Domains
  2. Edit your realm
  3. In Virtual URL enter https://proxy1.example.com:4443
  4. Press Apply then Save. . . then Save Changes then Close
Note: that the protocol is HTTPS and the port number is 4443 (or the port you assigned the listener created above).
Also note that the proxy name must match the name used in the Common Name field of the authentication certificate created above and this name must be resolvable by the client, in our example we are using https://proxy1.example.com:4443
 
 

Step 7 Add policy to enable authentication

  1. Click on Visual Policy Manager
  2. In Visual Policy Manger create a new Authentication Layer
  3. Click on Policy > Add Web Authentication Layer
  4. Give the Layer a meaningful Name then click OK
  5. In the Action column click None and select Set
  6. Click on Add a new object, Select Authenticate give the object a meaningful name, make sure the correct realm is selected then select an appropriate redirect mode, either Origin IP Redirect or Origin Cookie Redirect, finally click Apply then Set then Apply Policy then OK
 

Step 8 Verify that users are being authenticated

To confirm that users are logging in correctly from the management console go to Dashboards > Advanced URLs Authentication then click on either “Display by user” or “Display by IP” and you should see the users that have authenticated.