Adding Certificate based Authentication to the Intranet website

The current intranet website configuration, published through the Web Reverse Proxy on Unified Access Gateway, is open to anybody. We can restrict access to the intranet website to specific users by adding device certificate as the authentication method on the Unified Access Gateway appliance.

Adding certificate as the authentication method restricts access to the intranet site to those users who have a certificate installed on their device. The user certificate must match the root certificate set on the Unified Access Gateway appliance.

1. Enabling X.509 Certificate Settings

Accessing Reverse Proxy Settings

Return to the UAG Admin on your Google Chrome browser.

  1. Click on Show for the Authentication Settings
  2. Click the Gear icon next to X.509 Certificate

1.1. Uploading Certificate into Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO next to Enable X.509 Certificate; the toggle switches to YES and additional options appear
  2. Click Select to upload the Root and Intermediate CA Certificates
  3. Enter C:\AW Tools for the path and press ENTER.
  4. Click on the combo box and select All Files
  5. Select root-corplocal.pem
  6. Click Open
  7. Click Save

After Save you will see the message "Configuration saved successfully": the certificate has been uploaded and added to the UAG Appliance certificate store.

NOTE: Since this lab implements only a root CA and NOT a subordinate CA, we will use only the ROOT certificate during the authentication process. In a real-world scenario customers will have both ROOT and INTERMEDIATE certificates, and you MUST upload both to the UAG Appliance.

2. Enabling Certificate Authentication for Intranet Web Site

Open Intranet settings

The next step is to tell UAG that certificate authentication is required to access the Intranet website through UAG, meaning that the client device must have a user certificate that matches the root certificate uploaded to the Appliance.

Select the Gear icon for the Reverse Proxy Settings

2.1. Edit the Intranet Reverse Proxy Settings

Configuration saved successfully

Select the Gear icon for the intranet Instance

2.2. Configuring Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy

Click on More

2.3. Configure the Authentication Method

Set Auth Method
  1. Set certificate-auth as Authentication Method
  2. Click Save

2.4. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close

3. Importing the User Certificate to the local Windows Store

Open Chrome Settings
  1. On Google Chrome Browser click on the three dots next to the URL address bar
  2. Click on Settings

3.1. Access the Certificate Settings

Access to Certificate Settings
  1. Enter Certificate on Search Settings
  2. Click on Manage certificates

3.2. Choose Import Certificate

Start Import of certificate

Click on Import under Personal Tab

3.3. Start the Certificate Import Wizard

Click Next

Click Next


3.4. Choose the User Certificate

Select the User Certificate
  1. Click Browse.
  2. Enter C:\AW Tools for the path and press ENTER.
  3. Click on the combo box and select Personal Information Exchange (*.pfx).
  4. Select user-corplocal.pfx. This is the user certificate that matches the root certificate previously uploaded to the UAG Appliance.
  5. Click Open.
  6. Click Next.

3.5. Enter the User Certificate Password

Provide Password
  1. Set the Password to VMware1!
  2. Click Next

3.6. Choose the Personal Certificate Store

Certificate Imported

Click Next

The certificate will be imported to the Personal Store.

3.7. Complete the Certificate Import Wizard

Finish

Click Finish

3.8. Confirm Certificate was Imported

Certificate imported

Click OK. The list of certificates will be refreshed and the user certificate will be listed in the Personal Store.

This step only imported the User Certificate, not the ROOT yet.

3.9. Importing the Root Certificate to the local Windows Store

Import Trusted Root

Now, it's time to import the ROOT certificate to complete the client side configuration.

  1. Click on Trusted Root Certification Authorities
  2. Click Import

3.10. Start the Certificate Import Wizard

Next

Click Next

3.11. Choose the Root Certificate

Importing the root certificate
  1. Click Browse.
  2. Enter C:\AW Tools for the path and press ENTER.
  3. Click on the combo box and select All Files (*.*).
  4. Select root-corplocal.pem - This is the root certificate that was uploaded to the UAG Appliance.
  5. Click Open.
  6. Click Next.

3.12. Place the Root Certificate in the Trusted Root Certification Authorities Store

Confirm

Click Next to confirm that you want to import the certificate under the Trusted Root Certification Authorities Store

3.13. Complete the Certificate Import Wizard

Finish

Click Finish

3.14. Confirm the Certificate Warning and Install (IF PROMPTED)

Confirm

Click Yes to confirm the installation of the certificate.

3.15. Confirm the Certificate was Imported

Import successful

Click OK

3.16. Confirm the Root Certificate is listed

Certificate imported
  1. Confirm that you can see the certificate corp-CONTROLCENTER on the Certificate list, which is the ROOT certificate.
  2. Click Close

4. Testing the Certificate authentication

Opening incognito window
  1. On Google Chrome Browser click on the three dots next to the URL address bar
  2. Click on New incognito window

Accessing the intranet

Enter https://uag.airwlab.com/intranet/ and press ENTER.

4.2. Select the User Certificate

Select the certificate

All certificates in the Personal Store that match the root certificates installed on the UAG Appliance will show up in the certificate list. Since we uploaded only one root certificate for the domain intranet.corp.local, and there is only one certificate in the key store that matches this root, you will see only one.

  1. Select the Certificate
  2. Click OK
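Before relying on the Chrome prompt, the following PowerShell check (added here as an example; it is not part of the lab guide) confirms that the user certificate imported into the Personal store actually chains to the root uploaded to UAG, and flags an intermediate CA in the chain, which the NOTE in step 1.1 says must also be uploaded. It assumes the lab's file path C:\AW Tools\root-corplocal.pem and the current user's certificate stores.

```powershell
# Added example, not from the lab guide: verify the client-side certificate setup
# that steps 3.x built, the same way Chrome/UAG will evaluate it.
# Assumptions: root-corplocal.pem lives in C:\AW Tools; stores are CurrentUser.

$RootPem = 'C:\AW Tools\root-corplocal.pem'

function Get-UagRootThumbprint {
    param([string]$Path)
    # X509Certificate2 accepts DER or Base64 (PEM) encoded files on Windows
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    return $root.Thumbprint
}

function Test-ClientCertForUag {
    param([string]$RootThumbprint)
    $results = @()
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # Only certificates with a private key can be used for client authentication
        if (-not $cert.HasPrivateKey) { continue }
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # The lab CA publishes no CRL, so skip revocation here; keep it enabled in production
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $elements = @($chain.ChainElements)
        $top = $elements[-1].Certificate          # last element is the chain's root
        $results += [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            ChainBuilt      = $built
            ChainsToUagRoot = ($built -and $top.Thumbprint -eq $RootThumbprint)
            # More than two elements means an intermediate CA sits between user and root;
            # UAG then needs that intermediate uploaded as well (NOTE in step 1.1)
            HasIntermediate = ($elements.Count -gt 2)
            Status          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        $chain.Dispose()
    }
    return $results
}

$rootThumb = Get-UagRootThumbprint -Path $RootPem
$report = Test-ClientCertForUag -RootThumbprint $rootThumb
$report | Format-Table -AutoSize
if (-not ($report | Where-Object ChainsToUagRoot)) {
    Write-Warning "No Personal certificate chains to $RootPem; Chrome will offer nothing to UAG."
}
```

A row with ChainsToUagRoot set to True is the certificate Chrome will present in step 4.2; a False row with a Status such as UntrustedRoot usually means step 3.9 (root import) was skipped.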


4.3. Confirm Certificate Authentication was Successful

Intranet

As a result, you will see the intranet page, which can now be accessed from the external network only by users who have the correct certificate.

Click Close.
