
How to configure Client side certificate authentication for authorization-only access / Active Sync URLs
How-to Guide

Published Date June 2015


How to configure Client side certificate authentication for authorization-only access / Active Sync URLs How-to Guide

Overview
Authorization-only access is similar to a reverse proxy. Typically, a reverse proxy is a proxy server that is installed
in front of web servers. All connections coming from the Internet addressed to one of the web servers are
routed through the proxy server, which may either deal with the request itself or pass the request wholly or
partially to the main web server.

Refer to the latest IVE OS admin guide, section Configuring Sign-In Policies, for more details. On IVE
OS 7.0 and above, the device can check for a valid client-side certificate before allowing access to an
authorization-only access resource.

Advantages of this Feature


With the ability to check for valid client-side certificates, the IVE is no longer only acting as a reverse proxy to the
desired resource; it also ensures that the resource can be accessed only if the user presents a valid client certificate
issued by a CA the IVE trusts (a Trusted Client CA).

Configuration Details
Step 1: Authorization only access configuration:
a) Create a new authorization only sign-in policy.

b) Provide a virtual host name (e.g. ivetest.com) that end users will use in order to access the protected,
authorization-only URL.

c) Enter the backend resource URL (e.g. https://outlook.lab.net) and select a role that will be applied to
users who use this access mechanism. Save changes.

2015 by Pulse Secure, LLC. All rights reserved 2



Step 2: Certificate enforcement configuration:


a) On the SA go to Configuration -> Security -> SSL Options.

b) Scroll down to the setting Require client certificate on these ports.

c) Select the port to which this setting is to be applied.

d) In our example we have selected an external virtual port (e.g. ext-vp). Save changes.

Note: We have not selected the option Enable client certificate on the external port. This means
that if an access request to the URL arrives on the external port, the request will be declined by the
SA device. The SA device will only accept traffic to the URL (https://ivetest.com) on the external virtual port.

In the above example, ensure that https://ivetest.com resolves to the external virtual port IP
address of the SA device.

Step 3: Role Level Configuration:

a) Go to the role that is applied to this sign-in policy (e.g. Users role). Navigate to Users -> General ->
Restrictions -> Certificate.




Note: The above step 3 (a) is critical for certificate enforcement; without it we may see
unexpected behaviors.

b) Select the option Only allow users with a client-side certificate, as shown in the above screenshot.
Save changes.

c) Go to Configuration -> Certificates -> Trusted Client CAs and import the client CA certificate that
issued the end-user client certificates.

When end users try to access the URL https://ivetest.com, the external DNS resolution will resolve to the
external virtual port IP address.





This triggers the client certificate check on the client computer, as shown in the screenshot below. If a client certificate is
found that was issued by a CA trusted by the SA device (e.g., SSLVPNDC08-CA), the user can select
the certificate and continue accessing the resource.

In our scenario, if the DNS resolution points to the external interface IP instead, access will be denied and a "page
cannot be displayed" message is shown. This is by design.
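To verify that the configuration above is actually enforcing client certificates on the virtual port, the following added helper (not part of the Pulse Secure guide) runs an openssl s_client handshake against the virtual host and classifies the transcript. It assumes the guide's example host ivetest.com and CA name SSLVPNDC08-CA, that openssl is on PATH, and uses constructed s_client excerpts for its offline self-check.

```shell
#!/bin/sh
# Added verification helper; not part of the Pulse Secure guide.
# Assumptions (labelled): the virtual host and CA name are the guide's
# examples, openssl is on PATH, and the two SAMPLE_* excerpts below are
# constructed s_client output, not real captures.

VHOST="ivetest.com"          # virtual host from the guide's Step 1
EXPECTED_CA="SSLVPNDC08-CA"  # Trusted Client CA named in the guide

# Run a TLS handshake against host:port and return the s_client transcript.
# A port that enforces client certificates sends a CertificateRequest, which
# openssl prints as "Acceptable client certificate CA names".
probe_vhost() {
    # $1 = host, $2 = port, optional $3/$4 = client cert and key (PEM)
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" \
            -cert "$3" -key "$4" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1
    fi
}

# Classify an s_client transcript ($1) against an expected CA name ($2).
# Prints: enforced   - server asked for a client cert from the expected CA
#         no-ca-list - no CA names sent (no request, or an empty CA list)
#         wrong-ca   - a request was made, but the expected CA is not listed
classify_handshake() {
    if printf '%s\n' "$1" | grep -q '^No client certificate CA names sent'; then
        echo "no-ca-list"
    elif printf '%s\n' "$1" \
        | sed -n '/^Acceptable client certificate CA names/,/^---/p' \
        | grep -q "$2"; then
        echo "enforced"
    else
        echo "wrong-ca"
    fi
}

# Constructed transcript excerpts for an offline self-check.
SAMPLE_ENFORCED='---
Acceptable client certificate CA names
CN = SSLVPNDC08-CA, DC = lab, DC = net
---
SSL handshake has read 2341 bytes and written 415 bytes'
SAMPLE_NO_LIST='---
No client certificate CA names sent
---
SSL handshake has read 1980 bytes and written 415 bytes'

# Live use: classify_handshake "$(probe_vhost "$VHOST" 443)" "$EXPECTED_CA"
```

A result of no-ca-list on the virtual port means the Require client certificate setting from Step 2 is not in effect for that port; per the guide, the same probe against the plain external interface IP should be refused rather than classified.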
