What we are trying achieve is like you said SSL termination at Apache httpd and reverse proxy to backend server over SSL but we need to send through client
authentication header. This is so we can give internet based clients access to our Microsoft SCCM 2012 management point. Would you be able to point to any documents on how to do this please. Below what Microsoft say about it.
·
SSL bridging to SSL:
The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device
legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging.
The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then
opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider
the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail
Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail
Nagu.Sittampalam@xxxxxxxxxxxx | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
From: Jeff Trawick [mailto:trawick@xxxxxxxxx]
Sent: 23 January 2014 14:01
To: users@xxxxxxxxxxxxxxxx
Subject: Re: RE: SSL bridging with Apache reverse proxy
On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx> wrote:
Thank you for the response and yes it is not reverse proxy anymore. Is my assumption correct that
Apache reverse proxy is not cable of doing SSL bridging?
What are you trying to accomplish? SSL termination at Apache httpd, and reverse proxy to backend server over SSL? Yes, that is implemented.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership
| Landline: 02380 833012 | Fax: 02380 832973 | e-mail
Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail
Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx> wrote:
I did not get any response to my below email so I assume SSL bridging cannot be done on Apache reverse
proxy. So wanted to know if it is possible to do SSL tunnelling with Apache reverse proxy?
"Reverse" proxy hides the backend server from the client, and the httpd doing the proxying is the SSL termination point. I don't think you mean to refer to "reverse" proxy.
See the notes on the CONNECT protocol support here:
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership
| Landline: 02380 833012 | Fax: 02380 832973 | e-mail
Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail
Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
_____________________________________________
From: Sittampalam, Nagu
Sent: 17 January 2014 08:05
To: 'users@xxxxxxxxxxxxxxxx'
Subject: SSL bridging with Apache reverse proxy
Is it possible to do SLL bridging with Apache reverse proxy? Searching on the internet most result suggest it
does not work. We want to use Apache reverse proxy to allow internet clients to connect to our Microsoft SCCM 2012 server. This requires SLL bridging with the ability to pass through client authentication header information.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership
| Landline: 02380 833012 | Fax: 02380 832973 | e-mail
Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail
Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
--
Born in Roswell... married an alien...
http://emptyhammock.com/
--
Born in Roswell... married an alien...
http://emptyhammock.com/
|
