It is trying to use certificate to authenticate the clients and for that it must pass that authentication information through. Not sure if you have seen this
Proxy Web Servers for Internet-Based Client Management
If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections,
the proxy web server has the certificate requirements listed in the following table.
|
|
|
If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server. |
Note
|
Network infrastructure component
|
Certificate purpose
|
Microsoft certificate template to use
|
Specific information in the certificate
|
How the certificate is used in Configuration Manager
|
|
Proxy web server accepting client connections over the Internet |
Server authentication and client authentication |
|
Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with
the workstation template only). SHA-1 and SHA-2 hash algorithms are supported. |
This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL:
The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internet-based site systems. |
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail
Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail
Nagu.Sittampalam@xxxxxxxxxxxx | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
From: Jeff Trawick [mailto:trawick@xxxxxxxxx]
Sent: 23 January 2014 21:10
To: users@xxxxxxxxxxxxxxxx
Subject: Re: RE: SSL bridging with Apache reverse proxy
On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu <Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx> wrote:
What we are trying achieve is like you said SSL termination at Apache httpd and reverse proxy
to backend server over SSL but we need to send through client authentication header. This is so we can give internet based clients access to our Microsoft SCCM 2012 management point. Would you be able to point to any documents on how to do this please.
Below what Microsoft say about it.
·
SSL bridging to SSL:
The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device
legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging.
The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then
opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider
the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.
It is a mystery to me. The language in the MS document seems to be referring to some information other than the normal HTTP headers that must be replicated to the back-end connection.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
From: Jeff Trawick [mailto:trawick@xxxxxxxxx]
Sent: 23 January 2014 14:01
To: users@xxxxxxxxxxxxxxxx
Subject: Re: RE: SSL bridging with Apache reverse proxy
On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx> wrote:
Thank you for the response and yes it is not reverse proxy anymore. Is my assumption correct that Apache reverse proxy is not cable of doing SSL bridging?
I'm not familiar with the term "SSL bridging". I see a description of "SSL bridging" in BIG-IP here: http://www.f5.com/glossary/ssl-bridging/ Apache httpd does not have that capability. But Microsoft has a different description of "SSL bridging" here: http://technet.microsoft.com/en-us/library/cc722817.aspx
What are you trying to accomplish? SSL termination at Apache httpd, and reverse proxy to backend server over SSL? Yes, that is implemented.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
From: Jeff Trawick [mailto:trawick@xxxxxxxxx]
Sent: 23 January 2014 13:29
To: users@xxxxxxxxxxxxxxxx
Subject: Re: RE: SSL bridging with Apache reverse proxy
On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx> wrote:
Hello
I did not get any response to my below email so I assume SSL bridging cannot be done on Apache reverse proxy. So wanted to know if it is possible to do SSL tunnelling with Apache reverse proxy?
"Reverse" proxy hides the backend server from the client, and the httpd doing the proxying is the SSL termination point. I don't think you mean to refer to "reverse" proxy.
See the notes on the CONNECT protocol support here:
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
_____________________________________________
From: Sittampalam, Nagu
Sent: 17 January 2014 08:05
To: 'users@xxxxxxxxxxxxxxxx'
Subject: SSL bridging with Apache reverse proxy
Hello
Is it possible to do SLL bridging with Apache reverse proxy? Searching on the internet most result suggest it does not work. We want to use Apache reverse proxy to allow internet clients to connect to our Microsoft SCCM 2012 server. This requires SLL bridging with the ability to pass through client authentication header information.
Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@xxxxxxxxxxxxxxxxxx | e-mail Nagu.Sittampalam@xxxxxxxxxxxx | post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal privilege, and are intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error or think you may have done so, you may not peruse, use, disseminate, distribute or copy this message. Please notify the sender immediately and delete the original e-mail from your system.
--
Born in Roswell... married an alien...
http://emptyhammock.com/
--
Born in Roswell... married an alien...
http://emptyhammock.com/
--
Born in Roswell... married an alien...
http://emptyhammock.com/
