Add Certificate Authentication to the Intranet website
The current intranet website configuration through the Reverse Proxy on the Unified Access Gateway is open to anyone to access. You can restrict access to the intranet website to certain users by configuring a device certificate as the authentication method on the Unified Access Gateway Appliance.
Adding a certificate as the authentication method will restrict access to the intranet site to only those users who have a certificate installed on their device. The user certificate must chain to the root certificate set on the Unified Access Gateway appliance.
1. Enabling the X.509 Certificate Settings
- Click Close for the Intranet site tab that you opened for https://uag-internet.corp.local/intranet/.
- Click the Unified Access Gateway Admin UI tab.
- Click on Show for the Authentication Settings.
- Click the Gear icon next to X.509 Certificate.
1.1. Uploading Certificate into Unified Access Gateway Appliance
- Click NO to enable X.509 Certificate. This will reveal additional configuration options and switch to YES, indicating it is enabled.
- Click Select to upload the Root and Intermediate CA Certificates.
1.2. Select the Root CA Certificate
- Click Local Disk (C:).
- Click hol.
- Click SSL.
- Click CA-Certificate.cer.
- Click Open.
NOTE: Since this lab only implements a root CA and NOT a subordinate, we will be using only the ROOT certificate during the authentication process. In a real world scenario, you would have both ROOT and INTERMEDIATE certificates available, and you must upload both to the Unified Access Gateway Appliance.
1.3. Save the X.509 Certificate Authentication Changes
After saving, you will see a message that says "Configuration is saved successfully". Once this displays, the certificate has been uploaded and added to the Unified Access Gateway Appliance certificate store.
2. Enabling Certificate Authentication for Intranet Web Site
Select the Gear icon for the Reverse Proxy Settings.
The next step is to tell the Unified Access Gateway that certificate authentication will be required in order to access the Intranet website through the Reverse Proxy. This means that the client device must have a user certificate that chains to the root certificate uploaded to the Unified Access Gateway Appliance.
2.1. Edit the Intranet Reverse Proxy Settings
Select the Gear icon for the intranet Instance.
2.2. Configuring Intranet Reverse Proxy Settings
2.3. Configure the Authentication Method
Select X.509 Certificate for the Authentication Method.
2.4. Save the Reverse Proxy Settings
- Scroll down to the bottom of the Reverse Proxy Settings window.
- Click Save.
2.5. Close the Reverse Proxy Settings
3. Importing the User Certificate to the local Windows Store
- In the Google Chrome browser, click the Options button.
- Click on Settings.
3.1. Access the Certificate Settings
- Type Manage Certificates in the search bar.
- Click on Manage Certificates.
3.2. Choose Import Certificate
- Click the Personal tab.
- Click Import.
3.3. Start the Certificate Import Wizard
3.4. Browse for the User Certificate
3.5. Select the User Certificate
- Click Documents.
- Click HOL.
- Click Unified Access Gateway.
- Select All Files (*.*) for the filter.
- Click corp_local_wildcard.pfx.
- Click Open.
NOTE: For the purposes of this exercise, any certificate that is trusted by the ROOT certificate you uploaded earlier will be sufficient.
3.6. Continue the Certificate Import Wizard
3.7. Enter the User Certificate Password
- Set the Password to
- Click Next.
3.8. Select the Personal Certificate Store
- The Personal Certificate Store will be pre-selected since you chose to upload a Personal certificate. Do not modify these settings.
- Click Next.
3.9. Complete the Certificate Import Wizard
3.10. Confirm Certificate was Imported
- Click OK to confirm the import was successful.
- The list of certificates will be refreshed and the *.corp.local certificate will be listed as part of the Personal Store.
- Click Close.
Normally, you would need to add both the Personal and the Trusted Root Certificate. However, the Trusted Root Certificate for this infrastructure has already been added, and you will not need to manually include it.
NOTE: Should you wish to view it, you can navigate to the Trusted Root Certification Authorities tab in the Certificates window to find the CONTROLCENTER-CA certificate.
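As an added check (example script, not part of the lab), the same import and trust test done from PowerShell: it places the PFX in the Personal store as the wizard does, builds the certificate chain, and confirms the chain ends at the same CA-Certificate.cer file uploaded to the appliance in step 1.2. The PFX password prompt and the Documents path are assumptions; the lab states neither here.

```powershell
# Added example (not part of the lab): confirm the imported user certificate chains to the
# root CA that was uploaded to the Unified Access Gateway. Paths follow the lab layout;
# the PFX password is requested interactively because the lab does not state it here.
$PfxPath     = "$env:USERPROFILE\Documents\HOL\Unified Access Gateway\corp_local_wildcard.pfx"
$RootPath    = 'C:\hol\SSL\CA-Certificate.cer'            # file uploaded to UAG in step 1.2
$PfxPassword = Read-Host -AsSecureString 'PFX password'   # placeholder prompt (assumption)

function Test-UagUserCertificate {
    param(
        [string]$PfxPath,
        [string]$RootPath,
        [securestring]$PfxPassword
    )
    # Same effect as the Chrome import wizard: put the user certificate in the Personal store.
    # A PFX may also carry CA certificates, so keep only the one with a private key.
    $user = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword |
            Where-Object { $_.HasPrivateKey } | Select-Object -First 1

    # Load the root CA from the same file UAG received, so the comparison is against that copy.
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootPath

    # Build the chain the way Windows (and therefore Chrome) will when the reverse proxy
    # requests a client certificate. Assumption: the lab CA publishes no CRL, so skip revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built     = $chain.Build($user)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $user.Subject
        Issuer         = $user.Issuer
        NotAfter       = $user.NotAfter
        ChainBuilds    = $built
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootThumbprint = $chainRoot.Thumbprint
        MatchesUagRoot = ($built -and ($chainRoot.Thumbprint -eq $root.Thumbprint))
    }
}

$result = Test-UagUserCertificate -PfxPath $PfxPath -RootPath $RootPath -PfxPassword $PfxPassword
$result | Format-List
if (-not $result.MatchesUagRoot) {
    Write-Warning 'User certificate does not chain to the root uploaded to UAG; the reverse proxy will reject it.'
}
```

If MatchesUagRoot is False, the browser prompt in step 4.1 may still offer the certificate, but the Unified Access Gateway will refuse the connection, so fix the trust chain before testing.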
4. Testing the Certificate Authentication
- In Google Chrome, click Options.
- Click New incognito window.
4.1. Navigate to the Intranet Site
- Select the *.corp.local certificate.
- Click OK.
You are seeing this prompt because Certificate Authentication is now required to visit the intranet site. Selecting the intranet.corp.local certificate presents this user certificate to the site in order to access it.
4.2. Confirm Certificate Authentication was Successful
As a result, you will see the intranet page, which is now accessible from the external network only to users that present the correct user certificate.
4.3. Close the Chrome Settings Tab
- Click Close on the Chrome Settings tab.
- Navigate back to the UAG admin console tab at https://uag-intranet.corp.local:9443/admin for the next steps.