Redirecting requests to an authentication server
Under the Client Certificate authentication method, a request is redirected to an authentication server, which validates the client certificate submitted with the request. The redirect can use either a special listener port on the appliance or a unique host name.
Using a special listener port
Requests can be redirected to an authentication server using a special listener port, for example, port 444. If the IP address of the appliance is 192.168.122.119, a request is redirected to the authentication server with:
https://192.168.122.119:444/
Which rule criterion identifies these requests depends on whether proxy exceptions have been configured in the web browser of the client that sends the request, because the exceptions determine which port on the appliance the request actually arrives at.
- No proxy exceptions configured — If no proxy exceptions have been configured, the browser sends all requests to the proxy port that is listening for them on the appliance, which is port 9090 by default. Even a request to https://192.168.122.119:444/ arrives on port 9090 if this is the configured proxy port; the 444 is only part of the URL.
If a firewall is part of your network configuration, no exception from the firewall rules is needed, because the client never opens a connection to port 444.
To ensure requests are redirected to the authentication server, 444, or another value that you want to use for this purpose, must be configured for the URL.Port property in the criteria of the Authentication Server (for X509 Authentication) rule set.
The value of the URL.Port property is the port contained in the URL specified by a request. It is, for example, 444 even if the request actually arrives at port 9090.
- Proxy exceptions configured — Proxy exceptions can be configured for various reasons. For example, a web browser could be configured not to use a proxy for accessing local hosts. A request to https://192.168.122.119:444/ then does not arrive at port 9090.
Because the browser is configured to access its destination directly, it tries to connect to the appliance on port 444. This means that you need to set up a listener port with port number 444 on the appliance.
If firewall rules are in place, an exception is also needed to allow requests from the clients to reach port 444.
To ensure requests are processed by the appropriate rules, 444, or another value that you want to use for this purpose, must be configured for the Proxy.Port property in the criteria of the Authentication Server (for X509 Authentication) rule set.
The value of the Proxy.Port property is the port that a request actually arrives at. It is, for example, 444 if you have set up a listener port with this number for receiving requests that are to be redirected to an authentication server.
Using a unique host name
Requests can be redirected to an authentication server using a unique host name, for example, authserver.mcafee.local. Using this name, requests are redirected to the authentication server by:
https://authserver.mcafee.local
The client that the request was sent from must forward the request to the proxy rather than look up the host name in DNS: the name is not expected to resolve, so a client that is configured to bypass the proxy for this host name (for example, through a proxy exception) will be unable to connect.
To ensure that requests are processed by the appropriate rules, this host name must be configured as the value for the URL.Host property in the criteria of the Authentication Server (for X509 Authentication) rule set.
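The following model, added here as an illustration and not code from the product or its documentation, shows how the three rule-criteria properties (URL.Port, Proxy.Port and URL.Host) take their values in the listener-port scenarios above and in the host-name scenario. The browser behaviour (proxy exceptions as exact host names or CIDR networks), the default proxy port 9090 and the constructed DNS table are assumptions for the example; authserver.mcafee.local is deliberately left unresolvable, as the text expects.

```python
"""
Model of the request properties that the Authentication Server (for X509
Authentication) rule set can match on: URL.Port, URL.Host and Proxy.Port.
Added illustration only; it does not use or emulate Web Gateway code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed stand-in for the client's own DNS: only names listed here resolve.
# authserver.mcafee.local is intentionally absent.
FAKE_DNS = {"intranet.example": "10.1.2.3"}


def resolves(host: str) -> bool:
    """True if the client could turn `host` into an address without the proxy."""
    try:
        ip_address(host)  # an IP literal needs no lookup
        return True
    except ValueError:
        return host in FAKE_DNS


def bypasses_proxy(host: str, exceptions: tuple) -> bool:
    """Browser-style proxy exception check: exact host names or CIDR networks
    (assumed syntax, e.g. '192.168.0.0/16' for 'do not proxy local hosts')."""
    for rule in exceptions:
        if "/" in rule:
            try:
                if ip_address(host) in ip_network(rule, strict=False):
                    return True
            except ValueError:
                continue  # rule is a network but host is not an IP literal
        elif rule == host:
            return True
    return False


@dataclass(frozen=True)
class Arrival:
    """The appliance port the client's TCP connection actually lands on."""
    port: int
    via_proxy: bool


def browser_connect(url: str, proxy_port: int = 9090,
                    proxy_exceptions: tuple = ()) -> Optional[Arrival]:
    """Where the browser opens its TCP connection for `url`.
    Returns None when a direct connection is attempted to a name the client
    cannot resolve: in that case nothing reaches the appliance at all."""
    parts = urlsplit(url)
    host = parts.hostname
    url_port = parts.port or DEFAULT_PORTS[parts.scheme]
    if bypasses_proxy(host, tuple(proxy_exceptions)):
        if not resolves(host):
            return None
        return Arrival(port=url_port, via_proxy=False)
    # No exception: everything goes to the proxy port, whatever the URL says.
    return Arrival(port=proxy_port, via_proxy=True)


def request_properties(url: str, arrival: Arrival) -> dict:
    """The rule-criteria properties as the text defines them: URL.* come from
    the request URL, Proxy.Port from the port the request arrived at."""
    parts = urlsplit(url)
    return {
        "URL.Host": parts.hostname,
        "URL.Port": parts.port or DEFAULT_PORTS[parts.scheme],
        "Proxy.Port": arrival.port,
    }


def criterion_matches(props: dict, prop: str, value) -> bool:
    """One 'property equals value' criterion of a rule set."""
    return props.get(prop) == value


def evaluate(url: str, proxy_exceptions: tuple = (), proxy_port: int = 9090):
    """Properties of the request as seen by the appliance, or None if it never arrives."""
    arrival = browser_connect(url, proxy_port, proxy_exceptions)
    return None if arrival is None else request_properties(url, arrival)


if __name__ == "__main__":
    cases = [
        ("no proxy exceptions", "https://192.168.122.119:444/", ()),
        ("local hosts bypass proxy", "https://192.168.122.119:444/", ("192.168.0.0/16",)),
        ("unique host name via proxy", "https://authserver.mcafee.local", ()),
        ("unique host name, proxy bypassed", "https://authserver.mcafee.local",
         ("authserver.mcafee.local",)),
    ]
    for label, url, exceptions in cases:
        print(f"{label:34s} -> {evaluate(url, exceptions)}")
```

Running the script shows why the text prescribes different criteria: with no proxy exception the request arrives on 9090, so only a URL.Port criterion can pick it out; with an exception for local hosts it arrives on 444, which is what Proxy.Port sees; and a client that bypasses the proxy for authserver.mcafee.local never reaches the appliance.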