A client needs to authenticate to a website using a unique client certificate issued by that website.
If unique client certificates are required to authenticate to the OCS (origin content server, the destination), then a tunnel must be created through the ProxySG appliance so that the client certificate reaches the OCS, because the proxy does not forward client certificate information before SGOS 6.3.x.
In SGOS 6.3.x, the HTTPS service can be configured to forward the information about the Client Certificate to the OCS, but in some cases, tunneling the request so that the ProxySG appliance does not intercept it may still be required for functionality.
This tunnel can be created with policy code that matches the site being accessed, substituting the actual site for "website.com".
The policy creates a tunnel for all traffic going to that domain, so the ProxySG appliance does not interact with it and the client certificate can be processed end to end by the client and the OCS.
As an alternative to a per-domain policy, a global rule can disable SSL interception whenever the server requests a client certificate. Because this rule is global, the per-domain option above may be preferred.
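The following is an added CPL example of the domain-scoped tunnel described above; it is not the article's own policy code. It assumes "website.com" stands in for the site that requests the client certificate and that the rule sits in a standard <SSL-Intercept> layer, using the same ssl.forward_proxy() property the article's global rule relies on.

```cpl
<SSL-Intercept>
; Added example, not the article's policy: tunnel (do not intercept) SSL traffic
; to the site that requires a client certificate, so the certificate reaches the OCS.
; "website.com" is a placeholder; replace it with the site actually being accessed.
; url.domain= matches the domain and its subdomains (e.g. login.website.com).
url.domain=website.com ssl.forward_proxy(no)
; Everything else is still intercepted by the HTTPS forward proxy.
ssl.forward_proxy(https)
```

Because the matching traffic is tunneled, the ProxySG cannot apply HTTP-level policy, content filtering or malware scanning to it; keep the domain match as narrow as the application allows, and verify in the access log that only the intended host falls under the tunnel rule.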
<SSL-Intercept>
; If the server requests a client certificate, tunnel the SSL traffic via the SSL proxy.
client.certificate.requested=yes ssl.forward_proxy(no)
; Otherwise, intercept SSL traffic using the HTTPS forward proxy.
ssl.forward_proxy(https)
; Exclude the bottom rule if you have a rule to bypass SSL interception in the VPM.
client.certificate.requested= : Tests whether or not the server has requested SSL client certificate authentication.
When the SSL proxy establishes a connection with the server and the server requests an SSL client certificate, this condition is set to yes; else, it is set to no. This condition is NULL for transactions that do not involve an SSL connection to the client.
When the ProxySG evaluates this condition, it uses a list of requesting servers (a Client Certificate Requested list) to determine if a client certificate was requested during both an initial handshake and renegotiation. As long as this condition exists in policy, the ProxySG can automatically detect servers that request a client certificate during renegotiation and maintain the Client Certificate Requested list.
Imported Document ID: 000008560