Adding Certificate based Authentication to the Intranet website

The current intranet website configuration through Web Reverse Proxy on Unified Access Gateway is open to anybody to access, we can restrict access to the intranet website to some users adding device certificate as the authentication method on the Unified Access Gateway appliance.

Adding certificate as authentication method will restrict access to the intranet site for only those users who have a certificate installed on their device. The user certificate must match the root certificate set on the Unified Access Gateway appliance.

1. Enabling X.509 Certificate Settings

Acessing Reverse Proxy Settings

Return to the UAG Admin on your Google Chrome browser.

  1. Click on Show for the Authentication Settings
  2. Click the Gear icon next to X.509 Certificate

1.1. Uploading Certificate into Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate, that will show additional options and switch to YES
  2. Click Select to upload the Root and Intermediate CA Certificates
  3. Enter C:\AW Tools for the path and press ENTER.
  4. Click on the combo box and select All Files
  5. Select root-corplocal.pem
  6. Click Open
  7. Click Save

After Save you will see a message "Configuration saved successfully", the certificate has been uploaded and added to the UAG Appliance certificate store.

NOTE: Since this lab implements only a root CA and NOT a subordinate, we will be using only the ROOT certificate during the authentication process. In a real word scenario customers will have ROOT and INTERMEDIATE certificate available, and you MUST upload both to the UAG Appliance.

2. Enabling Certificate Authentication for Intranet Web Site

Open Intranet settings

The next steps is to tell UAG that in order to access the Intranet website through UAG, a certificate authentication will be required, meaning that the client device must have a user certificate that matches to the root certificate upload to the Appliance.

Select the Gear icon for the Reverse Proxy Settings

2.1. Edit the Intranet Reverse Proxy Settings

Configuration saved sucessfully

Select the Gear icon for the intranet Instance

2.2. Configuring Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy

Click in More

2.3. Configure the Authentication Method

Set Auth Method
  1. Set certificate-auth as Authentication Method
  2. Click Save

2.4. Close the Reverse Proxy Settings

Configuration saved sucessfully

Click Close

3. Importing the User Certificate to the local Windows Store

Open Chrome Settings
  1. On Google Chrome Browser click on the three dots next to the URL address bar
  2. Click on Settings

3.1. Access the Certificate Settings

Access to Certificate Settings
  1. Enter Certificate on Search Settings
  2. Click on Manage certificates

3.2. Choose Import Certificate

Start Import of certificate

Click on Import under Personal Tab

3.3. Start the Certificate Import Wizard

Click Next

Click Next

 

3.4. Choose the User Certificate

Select the User Certificate
  1. Click Browse.
  2. Enter C:\AW Tools for the path and press ENTER.
  3. Click on the combo box and select Personal Information Exchange (*.pfx).
  4. Select user-corplocal.pfx. This is the user certificate that matches the root certificate previous uploaded to the the UAG Appliance.
  5. Click Open.
  6. Click Next.

3.5. Enter the User Certificate Password

Provide Password
  1. Set the Password to VMware1!
  2. Click Next

3.6. Choose the Personal Certificate Store

Certificate Imported

Click Next

The certificate will be imported to the Personal Store.

3.7. Complete the Certificate Import Wizard

Finish

Click Finish

3.8. Confirm Certificate was Imported

Certificate imported

Click OK the list of certificates will be refreshed and the user certificate will be listed as part of the Personal Store

This step only imported the User Certificate, not the ROOT yet.

3.9. Importing the Root Certificate to the local Windows Store

Import Trusted Root

Now, it's time to import the ROOT certificate to complete the client side configuration.

  1. Click on Trusted Root Certification Authorities
  2. Click Import

3.10. Start the Certificate Import Wizard

Next

Click Next

3.11. Choose the Root Certificate

Importing the root certificate
  1. Click Browse.
  2. Enter C:\AW Tools for the path and press ENTER.
  3. Click on the combo box and select All Files (*.*).
  4. Select root-corplocal.pem - This is the root certificate that was uploaded to the the UAG Appliance.
  5. Click Open.
  6. Click Next.

3.12. Place the Root Certificate in the Trusted Root Certification Authorities Store

Confirm

Click Next to confirm that you want to import the certificate under the Trusted Root Certification Authorities Store

3.13. Complete the Certificate Import Wizard

Finish

Click Finish

3.14. Confirm the Certificate Warning and Install (IF PROMPTED)

Confirm

Click Yes to confirm the installation of the certificate.

3.15. Confirm the Certificate was Imported

Import successful

Click OK

3.16. Confirm the Root Certificate is listed

Certificate imported
  1. Confirm that you can see the certificate corp-CONTROLCENTER on the Certificate list, which is the ROOT certificate.
  2. Click Close

4. Testing the Certificate authentication

Opening incognito window
  1. On Google Chrome Browser click on the three dots next to the URL address bar
  2. Click on New incognito window
Accessing the intranet

Enter https://uag.airwlab.com/intranet/ and press ENTER.

4.2. Select the User Certificate

Select the certificate

All the certificates available on the Personal Store that matches the root certificates installed on the UAG Appliance, will show up on the certificate list. Since we only uploaded one root certificate for the domain intranet.corp.local, and there is only one certificate on the key store that matches this root, you only see one.

  1. Select the Certificate
  2. Click OK

 

4.3. Confirm Certificate Authentication was Successful

Intranet

As result, you will see the intranet page, which now can only be accessible from external network for those users that has the correct certificate.

Click Close.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.