I've been recently trying to figure out how to get McAfee to work as a reverse-proxy with certificate authentication.
So I've started with the basics:
This got me started, and I have a working Reverse Proxy which can also do either basic or NTLM authentication.
Then I read about certificate authentication:
- Using client certificates for authentication on wg 22.214.171.124.0, which resulted in a few more links:
Now comes the problem: despite reverse proxy working fine for NTLM auth, I can't get Certificate authentication to work in the same general environment.
My setup involves the use of a MWG as an SSL-aware, Transparent reverse proxy, in Routed mode - this means that the clients try to connect to the MWG as if it were the final web server, and the MWG does reverse proxy for various private resources (usually simple HTTP servers with simple webpages - think Apache test webpage like). Clients have no knowledge of any proxy (instead, when they ask for server.example.com, the DNS lookup returns the IP address on which the MWG is listening).
I have the CA and Certificates set up properly, with the same CA (trusted by clients) issuing both Web Server (MWG) certificates and Client (on client PC) certificates. The certificates are also properly imported in MWG and when using NTLM auth, everything is 100% seamless with no security errors.
When trying various suggestions that seemed to work for others, I run into the following problem: my client (Windows 7/64 using IE/FF/Chr) is never asked for a certificate. I tried with no certificate, one certificate, many certificates (all from the same CA). Tried two different CAs (changing all certificates in the process). No matter what, my client is never asked for a certificate upon trying the "SSL Client Certificate" authentication method. Authentication even always results in "Authentication Failed" being true.
Any ideas? Solutions?