Solved: Cisco ASA as trusted authority for internal websites

andreitoma22 · ‎11-30-2020

Hello

I am managing a CISCO Asa for a client. WAN Connection ends up in a ISR Router who is doing the NAT and after the ISR is the ASA.

On the inside there are few websites held by a Windows Server 2012-2016 AD infrastructure.

For internal hosts, client uses DC self-signed certificate.

For AnyConnect users to connect to the ASA we have 3rd party certificate.

What I am looking after is a solution for the external hosts ( coming via AnyConnect vpn) to see the internal websites as secure - the green lock as the client sees it.

Client does not want to purchase individual certs for websites , also the external hosts cannot be added to the domain.

Thanks

Andrei

Andrei Toma

Karsten Iwen · ‎11-30-2020

There is no other way than providing a valid certificate to the client. If the external clients also belong to the company, than just provide the clients the root-certificate that you used to provide certificates to the internal servers. IMO, a dirty solution which I would not like to implement, but technically it will work.

The better solution is to work with official certificates here. For that, you can either install the certificates on the local servers, or implement a "gateway" for this:

Place a linux server into your DMZ and configure it to act as a reverse proxy. The open source webserver NGINX can do that pretty well. This reverse-proxy is configured with the public certificate, and can even automate the enrollment for free LetsEncrypt certificates. The external users acess the reverse-proxy which builds a new connection to the internal server to present the content.

View solution in original post

Karsten Iwen · ‎11-30-2020

There is no other way than providing a valid certificate to the client. If the external clients also belong to the company, than just provide the clients the root-certificate that you used to provide certificates to the internal servers. IMO, a dirty solution which I would not like to implement, but technically it will work.

The better solution is to work with official certificates here. For that, you can either install the certificates on the local servers, or implement a "gateway" for this:

Place a linux server into your DMZ and configure it to act as a reverse proxy. The open source webserver NGINX can do that pretty well. This reverse-proxy is configured with the public certificate, and can even automate the enrollment for free LetsEncrypt certificates. The external users acess the reverse-proxy which builds a new connection to the internal server to present the content.

andreitoma22 · ‎11-30-2020

Karsten,

Thanks a lot for your reply, really helpful, indeed I like the reverse-proxy solution better, but just to make sure I got the clear picture - is there a way to feed the self-certificate used in the servers to the external clients - via AnyConnect maybe, can ASA push this when negotiating connection - or which delivery method would suit best ?

Thanks Andrei

Andrei Toma

Karsten Iwen · ‎11-30-2020

There is no automatic import for the VPN users. It the remote PCs are part of your Active-Directory domain, you can push the certificate with a GPO. Same if you have any kind of management system for the PCs. This can do the job too.

If you don't have any of this, then the users have to import the certificate manually.

andreitoma22 · ‎11-30-2020

Thanks again, I will look into the reverse-proxy solution.

Andrei

Andrei Toma

Karsten Iwen · ‎11-30-2020

Another option is one of the free load-balancers. KEMP has a free version of their LoadMaster Software. Of course it is restricted in throughput, but could perhaps be the right solution:

https://support.kemptechnologies.com/hc/en-us/articles/204427785