Add Certificate Authentication to the Intranet website

In its current configuration, the intranet website published through the Reverse Proxy on the Unified Access Gateway is open to anyone who can reach it. You can restrict access to the intranet website to specific users by configuring a device certificate as the authentication method on the Unified Access Gateway appliance.

Adding certificate authentication restricts access to the intranet site to users who have a certificate installed on their device. The user certificate must chain to the root certificate configured on the Unified Access Gateway appliance.

1. Enabling the X.509 Certificate Settings

Accessing Reverse Proxy Settings
  1. Click Close for the Intranet site tab that you opened for https://uag-internet.corp.local/intranet/.
  2. Click the Unified Access Gateway Admin UI tab.
  3. Click on Show for the Authentication Settings.
  4. Click the Gear icon next to X.509 Certificate.

1.1. Uploading Certificate into Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate. The toggle switches to YES, indicating it is enabled, and additional configuration options appear.
  2. Click Select to upload the Root and Intermediate CA Certificates.


1.2. Select the Root CA Certificate

  1. Click Local Disk (C:).
  2. Click hol.
  3. Click SSL.
  4. Click CA-Certificate.cer.
  5. Click Open.

NOTE: Since this lab implements only a root CA and NOT a subordinate CA, only the ROOT certificate is used during the authentication process. In a real-world scenario you would have both a ROOT and an INTERMEDIATE certificate, and you must upload both to the Unified Access Gateway appliance.

1.3. Save the X.509 Certificate Authentication Changes

Click Save.

After saving, you will see a message that says "Configuration is saved successfully". Once this displays, the certificate has been uploaded and added to the Unified Access Gateway Appliance certificate store.

2. Enabling Certificate Authentication for Intranet Web Site

Open Intranet settings

Select the Gear icon for the Reverse Proxy Settings.

The next step is to tell the Unified Access Gateway that certificate authentication is required to access the intranet website through the Reverse Proxy. This means that the client device must present a user certificate that chains to the root certificate uploaded to the Unified Access Gateway appliance.

2.1. Edit the Intranet Reverse Proxy Settings

Configuration saved successfully

Select the Gear icon for the intranet Instance

2.2. Configuring Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy

Click More.

2.3. Configure the Authentication Method

Set Auth Method

Select X.509 Certificate for the Authentication Method.

2.4. Save the Reverse Proxy Settings

  1. Scroll down to the bottom of the Reverse Proxy Settings window.
  2. Click Save.

2.5. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

3. Importing the User Certificate to the local Windows Store

Open Chrome Settings
  1. On Google Chrome Browser click the Options button.
  2. Click on Settings.

3.1. Access the Certificate Settings

Access to Certificate Settings
  1. Enter Manage Certificates in the search bar.
  2. Click on Manage Certificates.

3.2. Choose Import Certificate

Start Import of certificate
  1. Click the Personal tab.
  2. Click Import.

3.3. Start the Certificate Import Wizard

Click Next

Click Next.


3.4. Browse for the User Certificate

Select the User Certificate

Click Browse.

3.5. Select the User Certificate

  1. Click Documents.
  2. Click HOL.
  3. Click Unified Access Gateway.
  4. Select All Files (*.*) for the filter.
  5. Click corp_local_wildcard.pfx.
  6. Click Open.

NOTE: For the purposes of this exercise, any certificate that is trusted by the ROOT certificate you uploaded earlier will be sufficient.

3.6. Continue the Certificate Import Wizard

Click Next

3.7. Enter the User Certificate Password

Provide Password
  1. Set the Password to VMware1!
  2. Click Next.

3.8. Select the Personal Certificate Store

  1. The Personal certificate store is pre-selected because you chose to import a Personal certificate. Do not modify these settings.
  2. Click Next.

3.9. Complete the Certificate Import Wizard

Click Finish.

3.10. Confirm Certificate was Imported

Certificate imported
  1. Click OK to confirm the import was successful.
  2. The list of certificates will be refreshed and the *.corp.local certificate will be listed as part of the Personal Store.
  3. Click Close.

Normally, you would need to add both the Personal certificate and the Trusted Root certificate. However, the Trusted Root certificate for this infrastructure has already been added, so you do not need to include it manually.

NOTE: Should you wish to view it, you can navigate to the Trusted Root Certification Authorities tab in the Certificates window to find the CONTROLCENTER-CA certificate.

4. Testing the Certificate Authentication

Opening incognito window
  1. In Google Chrome, click Options.
  2. Click New incognito window.

Accessing the intranet
  1. Enter https://uag-internet.corp.local/intranet/ and press ENTER.
  2. Select the *.corp.local certificate.
  3. Click OK.

You see this prompt because certificate authentication is now required to visit the intranet site. Selecting the intranet.corp.local certificate presents that user certificate to the Unified Access Gateway in order to access the intranet site.

4.2. Confirm Certificate Authentication was Successful

Intranet

As a result, you see the intranet page, which is now accessible from the external network only to users who present the correct user certificate.

Click Close.

4.3. Close the Chrome Settings Tab

FT-HOL-2151-09-DWS-v0.14 - Lab Console - VMware Learning Platform - Google Chrome
  1. Click Close on the Chrome Settings tab.
  2. Navigate back to the UAG admin console tab at https://uag-intranet.corp.local:9443/admin for the next steps.
