How to configure client-side certificate authentication for authorization-only access / ActiveSync URLs
Juniper Networks, Inc.
Overview:
Authorization-only access is similar to a reverse proxy. A reverse proxy is a proxy server installed in front of web servers: every connection coming from the Internet that is addressed to one of those web servers is routed through the proxy, which either handles the request itself or passes it wholly or partially to the web server behind it. Refer to the section "Configuring Sign-In Policies" in the latest IVE OS admin guide for more details.

On IVE OS 7.0 and above, the IVE can check for a valid client-side certificate before allowing access to an authorization-only resource.

Why use this feature?
With client-side certificate checking enabled, the IVE is no longer only a reverse proxy for the backend resource; it also ensures that the resource can be reached only by a user who presents a valid client certificate issued by a CA that is configured on the IVE as a Trusted Client CA. Requests that arrive without a certificate, or with a certificate from any other CA, are refused before they reach the backend.

Configuration details:

Step 1: Authorization-only access configuration
a) Create a new authorization-only sign-in policy.
b) Provide a virtual host name (e.g. ivetest.com) that end users will use to reach the protected (authorization-only) URL.
c) Enter the backend resource URL (e.g. https://outlook.lab.net) and select the role to be applied to users who use this access mechanism. Save changes.

Step 2: Certificate enforcement configuration
d) On the SA, go to Configuration -> Security -> SSL Options.
e) Scroll down to the setting "Require client certificate on these ports".
f) Select the port to which this setting is to be applied.
g) In this example an external virtual port (e.g. ext-vp) is selected. Save changes.

Note: The option "Enable client certificate on the external port" is not selected. This means that if a request for the URL arrives on the external port itself, the SA device declines it; the SA accepts traffic to the URL (https://ivetest.com) only on the external virtual port. Therefore make sure that https://ivetest.com resolves to the IP address of the external virtual port of the SA device, not to the external interface IP.
Step 3: Role-level configuration
h) Go to the role that is applied to this sign-in policy (e.g. the Users role) and navigate to Users -> General -> Restrictions -> Certificate.
Note: Step h is critical for certificate enforcement. Without it, the port-level setting from Step 2 is not backed by a role restriction, and resource access may behave unexpectedly.
i) Select the option "Only allow users with a client-side certificate" (see screenshot). Save changes.
j) Go to Configuration -> Certificates -> Trusted Client CAs and import the certificate of the CA that issued the end users' client certificates.
Expected behaviour:
When an end user browses to https://ivetest.com, external DNS resolves the name to the IP address of the external virtual port. This triggers the client certificate prompt on the client computer (see screenshot). If the client holds a certificate issued by a CA that the SA device trusts (e.g. SSLVPNDC08-CA), the user selects that certificate and continues to the resource.

If instead the name resolves to the external interface IP, access is denied and the browser shows a "page cannot be displayed" message. This is by design.
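The gate described above, modelled end to end as an added example (this is illustrative Go code written for this page, not Juniper code or an SA configuration). Two in-process HTTPS servers stand in for the SA virtual port and the backend (the page's https://outlook.lab.net); the handshake requires a client certificate chaining to the Trusted Client CA (Step 2), the handler re-checks that a peer certificate is present before proxying (the role restriction of Step 3), and accepted requests are reverse-proxied. The CA name SSLVPNDC08-CA is taken from the page; the second CA "Untrusted-CA", the user names alice and mallory, and the path /owa/ are assumptions. It goes slightly beyond the text by also showing the certificate-from-another-CA case, which the page only implies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// issue mints an ECDSA P-256 certificate: a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// startGateway models the SA virtual port: the TLS handshake requires a client certificate
// chaining to trustedCA (Step 2), the handler refuses requests without a peer certificate
// (the role restriction of Step 3), and everything else is reverse-proxied to backend.
func startGateway(trustedCA *x509.Certificate, backend *url.URL) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	proxy := httputil.NewSingleHostReverseProxy(backend)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// access connects to the gateway presenting cert (nil = no certificate) and returns the body, or the error seen when access is refused.
func access(gw *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	tr := gw.Client().Transport.(*http.Transport).Clone() // already trusts the gateway's server cert
	if cert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	resp, err := (&http.Client{Transport: tr}).Get(gw.URL + "/owa/") // assumed path
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body), nil
}

// scenario runs three constructed clients (trusted-CA cert, other-CA cert, no cert) against the gateway.
func scenario() (okBody string, okErr, wrongCAErr, noCertErr error) {
	trustedCA, trustedKey := issue("SSLVPNDC08-CA", nil, nil) // the SA's Trusted Client CA (name from the page)
	otherCA, otherKey := issue("Untrusted-CA", nil, nil)       // assumed: a CA the SA was never told about
	good, goodKey := issue("alice", trustedCA, trustedKey)
	bad, badKey := issue("mallory", otherCA, otherKey)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "backend reached: %s", r.URL.Path) }))
	defer backend.Close()
	backendURL, _ := url.Parse(backend.URL)
	gw := startGateway(trustedCA, backendURL)
	defer gw.Close()
	okBody, okErr = access(gw, good, goodKey)
	_, wrongCAErr = access(gw, bad, badKey)
	_, noCertErr = access(gw, nil, nil)
	return
}

func main() {
	body, okErr, wrongCAErr, noCertErr := scenario()
	fmt.Printf("trusted-CA cert: body=%q err=%v\nother-CA cert:   err=%v\nno cert:         err=%v\n", body, okErr, wrongCAErr, noCertErr)
}
```

Only the client holding a certificate issued by the trusted CA reaches the backend; the other two connections fail during or immediately after the TLS handshake, so the backend never sees them. The handler's own PeerCertificates check is redundant while the handshake setting is in place, which is exactly why Step 3 matters on the SA: it keeps the requirement enforced even if the port-level setting is later changed. Against a live SA, the equivalent check is to run openssl s_client against the virtual host name and confirm that the server's CertificateRequest lists the Trusted Client CA under "Acceptable client certificate CA names".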