4 Replies Latest reply on Jun 23, 2015 7:47 AM by dorian.negru

    MWG 7.4.2 - Reverse Proxy with x509 auth


      I've been recently trying to figure out how to get McAfee to work as a reverse-proxy with certificate authentication.


      So I've started with the basics:

      - Intro to Reverse Proxy

      - Support Doc: Authentication Examples by Deployment Method


      This got me started, and I have a working Reverse Proxy which can also do either basic or NTLM authentication.



      Then I read about certificate authentication:

      - Using client certificates for authentication on wg, which resulted in a few more links:

      > https://community.mcafee.com/message/280186#280186

      > https://community.mcafee.com/message/295307#295307

      > https://community.mcafee.com/docs/DOC-4384



      Now comes the problem: despite reverse proxy working fine for NTLM auth, I can't get Certificate authentication to work in the same general environment.



      My setup involves the use of a MWG as an SSL-aware, Transparent reverse proxy, in Routed mode - this means that the clients try to connect to the MWG as if it were the final web server, and the MWG does reverse proxy for various private resources (usually simple HTTP servers with simple webpages - think Apache test webpage like). Clients have no knowledge of any proxy (instead, when they ask for server.example.com, the DNS lookup returns the IP address on which the MWG is listening).


      I have the CA and Certificates set up properly, with the same CA (trusted by clients) issuing both Web Server (MWG) certificates and Client (on client PC) certificates. The certificates are also properly imported in MWG and when using NTLM auth, everything is 100% seamless with no security errors.


      When trying various suggestions that seemed to work for others, I run into the following problem: my client (Windows 7/64 using IE/FF/Chr) is never asked for a certificate. I tried with no certificate, one certificate, many certificates (all from the same CA). Tried two different CAs (changing all certificates in the process). No matter what, my client is never asked for a certificate upon trying the "SSL Client Certificate" authentication method. Authentication even always results in "Authentication Failed" being true.


      Any ideas? Solutions?

        • 1. Re: MWG 7.4.2 - Reverse Proxy with x509 auth



          I have set up various MWGs in reverse proxy modes and also with client certificate authentication.

          First of all you may want to look at the Online Rule Set Library, it contains a rule set that sets up X509 authentication. More important is the attached documentation as it contains some details about potential "caveats" you may encounter when setting this up.


          Assuming the MWG configuration is correct, the browser will ONLY ask for a client certificate if you have the right certificates already included in the browser. When MWG determines a client certificate is required, it tells the browser which CAs are acceptable. Only if there is a "personal" certificate stored which is signed by a CA that MWG names to the browser will the browser show a popup and allow you to choose the certificate.


          Can you verify that you have the certificate correctly stored in the browser's certificate store and MWG is asking the browser for the right CA to provide a certificate for?
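
The check suggested in the reply above, as an added example that is not part of the original thread or of any McAfee tooling: it reads the output of `openssl s_client -connect <host>:443` and reports whether the issuer of a client certificate is among the CA names the server advertised. The sample output, the CA names and the function names are constructed for illustration, and only the direct issuer is compared.

```python
import re

# Constructed sample of `openssl s_client` output (hypothetical CA name).
# Older OpenSSL builds print the same DN as /C=US/O=Example Corp/CN=...
SAMPLE_OUTPUT = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 3120 bytes and written 431 bytes
"""

HEADER = "Acceptable client certificate CA names"


def normalize_dn(dn):
    """Reduce a DN in either OpenSSL print style to a set of (attr, value) pairs.
    Simplification: values that contain ',' or '/' are not handled."""
    dn = re.sub(r"^issuer\s*=\s*", "", dn.strip())
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    pairs = set()
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.add((attr.strip().upper(), value.strip().lower()))
    return frozenset(pairs)


def acceptable_cas(s_client_output):
    """Return the CA DNs the server advertised; empty if it sent none."""
    lines = [line.strip() for line in s_client_output.splitlines()]
    if HEADER not in lines:
        return []
    names = []
    for line in lines[lines.index(HEADER) + 1:]:
        # The list ends at the next separator or "Label: value" line.
        if line.startswith("---") or re.match(r"^[A-Za-z ]+: ", line):
            break
        if line:
            names.append(line)
    return names


def issuer_is_acceptable(s_client_output, client_issuer):
    """True if the client certificate's direct issuer is in the advertised list."""
    wanted = normalize_dn(client_issuer)
    return any(normalize_dn(ca) == wanted for ca in acceptable_cas(s_client_output))
```

The issuer string can be taken from `openssl x509 -noout -issuer -in client.pem`; an empty list or a mismatch here corresponds to the browser never showing the certificate prompt.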




          • 2. Re: MWG 7.4.2 - Reverse Proxy with x509 auth

            Hi Andre!



            Thanks for the quick reply.


            It turns out that even though I had the certificates imported, they were in the wrong Certificate Store - causing all my problems!


            Importing a certificate into the Personal store got my current setup to work just fine.



            Thanks for the help!




            • 3. Re: MWG 7.4.2 - Reverse Proxy with x509 auth

              Cool! When you let Internet Explorer "automatically determine" the right store when importing a certificate it fails pretty often... I don't know why, I always choose the store manually.


              Thank you for letting us know. Let me know if you need further help.




              • 4. Re: MWG 7.4.2 - Reverse Proxy with x509 auth

                So I got everything to work, but only when identifying by Client IP; I can't get it to work with cookie authentication. Can it at least be done?