https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190591#M1076249 <P>Hello</P><P>&nbsp;</P><P>I am managing a CISCO Asa for a client. WAN Connection ends up in a ISR Router who is doing the NAT and after the ISR is the ASA.</P><P>On the inside there are few websites held by a Windows Server 2012-2016 AD infrastructure.</P><P>For internal hosts, client uses DC self-signed certificate.</P><P>For AnyConnect users to connect to the ASA we have 3rd party certificate.</P><P>&nbsp;</P><P>What I am looking after is a solution for the external hosts ( coming via AnyConnect vpn) to see the internal websites as secure - the green lock as the client sees it.</P><P>Client does not want to purchase individual certs for websites , also the external hosts cannot be added to the domain.&nbsp;</P><P>&nbsp;</P><P>&nbsp;Thanks</P><P>Andrei</P><P>&nbsp;</P> Mon, 30 Nov 2020 10:12:03 GMT andreitoma22 2020-11-30T10:12:03Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190591#M1076249 <P>Hello</P><P>&nbsp;</P><P>I am managing a CISCO Asa for a client. WAN Connection ends up in a ISR Router who is doing the NAT and after the ISR is the ASA.</P><P>On the inside there are few websites held by a Windows Server 2012-2016 AD infrastructure.</P><P>For internal hosts, client uses DC self-signed certificate.</P><P>For AnyConnect users to connect to the ASA we have 3rd party certificate.</P><P>&nbsp;</P><P>What I am looking after is a solution for the external hosts ( coming via AnyConnect vpn) to see the internal websites as secure - the green lock as the client sees it.</P><P>Client does not want to purchase individual certs for websites , also the external hosts cannot be added to the domain.&nbsp;</P><P>&nbsp;</P><P>&nbsp;Thanks</P><P>Andrei</P><P>&nbsp;</P> Mon, 30 Nov 2020 10:12:03 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190591#M1076249 andreitoma22 2020-11-30T10:12:03Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190609#M1076252 <P>There is no other way than providing a valid certificate to the client. If the external clients also belong to the company, than just provide the clients the root-certificate that you used to provide certificates to the internal servers. IMO, a dirty solution which I would not like to implement, but technically it will work.</P> <P>The better solution is to work with official certificates here. For that, you can either install the certificates on the local servers, or implement a "gateway" for this:</P> <P>Place a linux server into your DMZ and configure it to act as a reverse proxy. The open source webserver NGINX can do that pretty well. This reverse-proxy is configured with the public certificate, and can even automate the enrollment for free LetsEncrypt certificates. The external users acess the reverse-proxy which builds a new connection to the internal server to present the content.</P> Mon, 30 Nov 2020 10:32:22 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190609#M1076252 Karsten Iwen 2020-11-30T10:32:22Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190687#M1076262 <P>Karsten,&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp; a lot for your reply, really helpful, indeed I like the reverse-proxy solution better, but just to make sure I got the clear picture - is there a way to feed the self-certificate used in the servers to the external clients - via AnyConnect maybe, can ASA push this when negotiating connection - or which delivery method would suit best ?</P><P>&nbsp;</P><P>Thanks Andrei&nbsp;</P> Mon, 30 Nov 2020 12:19:13 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190687#M1076262 andreitoma22 2020-11-30T12:19:13Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190693#M1076264 <P>There is no automatic import for the VPN users. It the remote PCs are part of your Active-Directory domain, you can push the certificate with a GPO. Same if you have any kind of management system for the PCs. This can do the job too.</P> <P>If you don't have any of this, then the users have to import the certificate manually.</P> Mon, 30 Nov 2020 12:32:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190693#M1076264 Karsten Iwen 2020-11-30T12:32:46Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190697#M1076265 <P>Thanks again, I will look into the r<SPAN>everse-proxy solution.</SPAN></P><P>&nbsp;</P><P><SPAN>Andrei</SPAN></P> Mon, 30 Nov 2020 12:40:09 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190697#M1076265 andreitoma22 2020-11-30T12:40:09Z https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190708#M1076267 <P>Another option is one of the free load-balancers. KEMP has a free version of their LoadMaster Software. Of course it is restricted in throughput, but could perhaps be the right solution:</P> <P><A href="https://support.kemptechnologies.com/hc/en-us/articles/204427785" target="_blank">https://support.kemptechnologies.com/hc/en-us/articles/204427785</A></P> Mon, 30 Nov 2020 12:58:57 GMT https://community.cisco.com/t5/network-security/cisco-asa-as-trusted-authority-for-internal-websites/m-p/4190708#M1076267 Karsten Iwen 2020-11-30T12:58:57Z