
UTM reverse proxy authentication

Does anyone know if it is possible to configure Sophos UTM to:

1) perform certificate based authentication for reverse proxy URL

2) supply basic authentication to the backend server with anonymous or certificate authenticated access to the virtual server?

The context:

I have a web server on the backend that performs basic auth to grant access. This server is being reverse proxied; a 3rd-party device needs to do an HTTP POST to the URL and relies on certificate auth.

I can implement certificate authentication on the backend server itself if Sophos doesn't support it; however, for that to happen, an HTTP POST needs to be allowed to go through. That means Sophos needs to supply a static username and password to the backend server on anonymous access to the virtual server.

In addition, for a connection to the virtual server to be validated, we need to either filter by IP address of the source request or perform a certificate auth. I'd much rather use authentication via cert as opposed to the IP, though.

Does anyone have any ideas?

Thanks



This thread was automatically locked due to age.
  • Moving to the correct subject specific forum. Please post to the correct forum in future Arthur, thanks. :)
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hi Arthur,

    1) Certificate-based Authentication for reverse proxy is not available in UTM9, only basic and form-based methods.
    It was possible with Microsoft TMG, and I've successfully implemented it once for a client who requested Exchange OWA 2-factor authentication functionality.



    However, there is still an open feature request that you can vote for if you wish:
    feature.astaro.com/.../4568036-web-server-protection-certificate-based-authe

  • Thanks for the reply.
    Do you know if it is possible to have UTM authenticate to the backend server with static basic auth credentials while keeping the virtual server in anonymous mode?
  • Hi,

    Static basic auth credentials to the backend server are not possible.

    Sabine
  • This seems to me to be a huge gaping hole in the security of the UTM offering. 90% of our clients require client side certificate based authentication and this issue has been around for a long time with UTM.

    From what I have been able to see, the only way around this issue is to just have a NAT rule that allows 'naked' traffic to pass through the firewall from the outside directly into the heart of an otherwise secure environment in order to have the customer application (which only supports certificate based authentication due to the PHI information involved) receive data from the outside world. It only takes about 4.5 seconds for the nasties of the world out there to notice this and then they too start tapping away at the server without the protection the WAF provides.

    Additionally, with more and more applications (Puppet comes to mind) requiring RBCAC tokens and/or certificate based auth, how are we to provide WAF services to our customers?

    Is there a design flaw in our configuration? Is there a DMZ type solution? What is the best practice on allowing applications like Elasticsearch/Puppet/<insert nginx/tomcat application here> client certificate authentication while not exposing the customer to an unnecessary level of risk?
  • Any news on this? Any roadmap?