05-30-2013 02:58 AM
A customer wishes to issue their field service engineers with smartphones which will enable them to connect to the MS Exchange CAS hosts installed in our data centres using MS ActiveSync. The connections will be using HTTPS and they wish to enable session persistence. The source IP addresses of the smartphones will be hidden behind a gateway and client authentication will be used on the Exchange servers for security.
Source IP stickiness cannot be used due to the client NAT. SSL session ID stickiness is no longer recommended by Cisco or Microsoft due to the varying web browsers and associated techniques used to frequently re-negotiate the SSL session ID. Therefore, the customer wishes to use HTTP Header Authorisation stickiness. In order to do this, we need to terminate SSL on the ACE, inspect the header and then use SSL Initiation to the back end Exchange servers (End to End SSL).
We have configured End to End SSL on the ACE 4710 appliances and this seems to be working as we can see TLS negotiations, hits on the serverfarms and associated log entries on the Exchange servers. We have also configured HTTP Header Auth and associated Parameter Maps. However, from the server monitoring, we appear to be failing authentication on the Exchange servers, possibly due to Client Authentication.
The Exchange servers are expecting the smartphone to present its SSL certificate in order to authenticate the user. The ACE is terminating the SSL session and then re-encrypting it during SSL Initiation to the back end server. I could configure an Authentication Group but this needs to contain a certificate list to present to the server, which is not practical due to the number of smartphones deployed. I'm also not sure how this is used in SSL Initiation, as I understand it is normally used in SSL Termination for the ACE to authenticate the client.
So it begs the question: can this be done? Is it possible to combine End to End SSL with Client Authentication and HTTP Header Authorisation Stickiness?
06-04-2013 08:46 PM
Not very sure whether this will help you or not, but we can insert the DN from the client certificate in an HTTP header for the backend server connection.
Let me know if this helps with your requirement.
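One way to put the reply's suggestion into an ACE 4710 configuration, as an added example that is not from the thread: the ACE validates the phone certificate against the issuing CA (one CA certificate in the authgroup rather than one certificate per phone), inserts the certificate Subject into a request header for Exchange, sticks on the Authorization header, and re-encrypts to the CAS. Object names, addresses and file names are placeholders; check the command syntax against your ACE software release.

```text
! Constructed example; all names, addresses and file names are placeholders.
! 1. CA that issued the smartphone certificates. The authgroup holds the CA
!    certificate, so the ACE can validate any phone certificate signed by it.
crypto authgroup PHONE_CA
  cert FIELD_CA.pem

! 2. SSL termination on the VIP, with the phone certificate checked against the CA
ssl-proxy service SSL_TERM
  key ace-vip.key
  cert ace-vip.pem
  authgroup PHONE_CA

! 3. SSL initiation towards the CAS (the ACE is the SSL client here, so no
!    key/cert is needed; an authgroup here would only validate the server cert)
ssl-proxy service SSL_INIT

! 4. Copy the Subject DN of the terminated client certificate into a request
!    header (ClientCert-Subject) that Exchange can read
action-list type modify http INSERT_CLIENT_DN
  ssl header-insert client-cert Subject

! 5. Back end Exchange CAS servers
rserver host CAS1
  ip address 10.0.0.11
  inservice
serverfarm host EXCHANGE_CAS
  rserver CAS1 443
    inservice

! 6. Stickiness on the HTTP Authorization header, as the customer requested
sticky http-header Authorization STICKY_AUTH
  timeout 30
  serverfarm EXCHANGE_CAS

! 7. Layer 7 policy: sticky serverfarm, header insertion, then SSL initiation
policy-map type loadbalance first-match LB_EAS
  class class-default
    sticky-serverfarm STICKY_AUTH
    action INSERT_CLIENT_DN
    ssl-proxy client SSL_INIT

! 8. VIP with SSL termination in front of the Layer 7 policy
class-map match-all VIP_EAS
  2 match virtual-address 203.0.113.10 tcp eq https
policy-map multi-match VIPS
  class VIP_EAS
    loadbalance vip inservice
    loadbalance policy LB_EAS
    ssl-proxy server SSL_TERM
```

The CAS servers then trust the ClientCert-Subject header instead of seeing a certificate themselves, so they must only be reachable through the ACE, otherwise anyone who can reach them directly can supply that header. The Authorization sticky only applies to requests that actually carry an Authorization header, which certificate-only authentication does not produce.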