About Client Certificate Authentication
Submitting a client certificate can be configured as a method of authenticating access to the user interface of the appliance. This method is known as Client Certificate authentication or X.509 authentication.
Client Certificate authentication is also one of the methods you can choose for the authentication procedure when configuring the proxy functions of the appliance.
The following applies to the method when using it in proxy configuration.
- No user name and password are required to authenticate the user who sends a request, as they are with other methods such as NTLM or LDAP. The certificate presented by the client is the credential.
- The method can be implemented for requests that are sent in SSL-secured communication from a web browser on a client to an appliance that is configured in explicit proxy mode.
- The protocol used for this communication is HTTPS. Requests sent over plain HTTP cannot be authenticated with this method, because no SSL handshake takes place in which a certificate could be submitted.
A client certificate is submitted during the SSL handshake, which is one of the initial steps in the communication between the client and the appliance. The request is then redirected to an authentication server, which validates the certificate.
If the certificate is valid, authentication is completed for the client and the request is eventually forwarded to the appropriate web server. If it is not valid, the request is not forwarded.
When running multiple appliances as nodes in a configuration, it is important that the authentication server resides on the node that a request was originally directed to.
Forwarding the request to the web after successful authentication must also be done from that same node.
Use of an authentication server for Client Certificate authentication is controlled by rules. You can import an authentication server rule set and modify the rules in its nested rule sets to enable the use of appropriate certificates.
You must also implement a way of applying Client Certificate authentication to the requests that the appliance processes. A recommended way of doing this is cookie authentication.
If cookie authentication is implemented, authentication is still required for the client that a request was sent from, but after a certificate has been submitted and recognized as valid once, a cookie is set for this client. Submitting a certificate is then not required for subsequent requests from that client, because the cookie stands in for the certificate. The cookie is therefore a session credential in its own right and is only as strong as its protection in transit, which is one reason the method is limited to HTTPS.
You can import and modify a rule set for having Client Certificate authentication handled in this way.
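The two steps described above, certificate validation during the SSL handshake and a cookie that replaces the certificate on later requests, can be reproduced end to end with the Go standard library. The program below is an added example written for this page; it is not code from the appliance or from its rule sets, and it does not model the redirect to a separate authentication server. It builds a throwaway CA and a client certificate for a hypothetical user "alice" (both constructed in the program), starts a TLS server that asks for but does not require a client certificate, and then sends three requests: one presenting the certificate, one presenting only the cookie that the first request obtained, and one presenting neither. The cookie name "authsession" and the "X-Auth-Subject" response header are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync"
	"time"
)

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authServer stands in for the authentication server (assumed design, not the appliance's): a request with a
// known session cookie passes; otherwise a certificate verified against ClientCAs is required and a cookie is set.
type authServer struct {
	sessions sync.Map // cookie value -> certificate subject CN
}

func (a *authServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("authsession"); err == nil {
		if cn, ok := a.sessions.Load(c.Value); ok {
			w.Header().Set("X-Auth-Subject", cn.(string))
			return
		}
	}
	// VerifiedChains is non-empty only when the presented certificate chained to ClientCAs.
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
		http.Error(w, "client certificate required", http.StatusForbidden)
		return
	}
	cn := r.TLS.VerifiedChains[0][0].Subject.CommonName
	token := make([]byte, 16)
	rand.Read(token) // crypto/rand.Read does not fail on a healthy system
	val := hex.EncodeToString(token)
	a.sessions.Store(val, cn)
	http.SetCookie(w, &http.Cookie{Name: "authsession", Value: val, Secure: true, HttpOnly: true})
	w.Header().Set("X-Auth-Subject", cn)
}

// RunDemo builds a throwaway CA and client certificate, starts the server and sends three requests: with the
// certificate, with the resulting cookie only, and with neither. It returns each response's status and subject.
func RunDemo() (codes [3]int, subjects [3]string, err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Client CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return
	}
	clientCert, clientKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	if err != nil {
		return
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(&authServer{})
	// Request but do not require the certificate at the TLS layer, so the handler can accept a cookie instead.
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	// srv.Client() trusts the test server certificate; certTransport additionally presents alice's certificate.
	certTransport := srv.Client().Transport.(*http.Transport).Clone()
	certTransport.TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	jar, _ := cookiejar.New(nil) // shared by the first two clients only, so the third has no cookie
	clients := []*http.Client{{Transport: certTransport, Jar: jar}, {Transport: srv.Client().Transport, Jar: jar}, srv.Client()}
	for i, c := range clients {
		resp, e := c.Get(srv.URL)
		if e != nil {
			return codes, subjects, e
		}
		resp.Body.Close()
		codes[i], subjects[i] = resp.StatusCode, resp.Header.Get("X-Auth-Subject")
	}
	return codes, subjects, nil
}
```

The first request is authenticated by the certificate (200, subject alice) and receives the cookie; the second presents only the cookie and is still attributed to alice; the third, with neither, is refused with 403. Using `VerifyClientCertIfGiven` rather than `RequireAndVerifyClientCert` is what allows the cookie path at all: with the stricter setting the handshake of the cookie-only client would fail before the handler runs. Note that the cookie is set with the `Secure` and `HttpOnly` attributes, since once issued it is equivalent to the certificate.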