Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Setting Up Client Authentication in a Reverse Proxy

Client authentication in a secure reverse proxy provides further assurance that your connections are secure. The following instructions explain how to configure client authentication according to the scenario you choose.


Note – Each scenario assumes that you have both a secure Client-to-Proxy connection and a secure Proxy-to-Content-Server connection.


To Configure the Proxy-Authenticates-Client Scenario

  1. Follow the directions for configuring the secure Client-to-Proxy and secure Proxy-to-Content-Server scenario in “Setting up a Reverse Proxy” in Chapter 14, Using a Reverse Proxy.

  2. Access the Server Manager for a server instance and click the Preferences tab.

  3. Click the Edit Listen Sockets link, and then click the link for the desired listen socket in the table that displays.

    (Use the Add Listen Socket link to configure and add listen sockets.)

  4. Specify client authentication requirements:

    1. To permit access to all users with valid certificates:

      In the Security section, use the Client Authentication setting to require client authentication on this listen socket. If a server certificate has not been installed, this setting will not be visible.

    2. To permit access only to users who both have valid certificates and are specified as acceptable users in access control:

      1. In the Security section, leave the Client Authentication setting set to off. If a server certificate has not been installed, this setting will not be visible.

      2. On the Server Manager Preferences tab for this server instance, click the Administer Access Control link.

      3. Select an ACL, and then click the Edit button.

        The Access Control Rules For page displays (authenticate first, if prompted).

      4. Turn access control on (select the Access control Is On checkbox if not already selected).

      5. Set your Proxy Server to authenticate as a reverse proxy.

        For more information, see Setting up a Reverse Proxy.

      6. Click the Rights link for the desired access control rule, specify access rights in the lower frame, and then click Update to update this entry.

      7. Click the Users/Groups link. In the lower frame, specify users and groups, select SSL as the authentication method, and click Update to update this entry.

      8. Click Submit in the upper frame to save your entries.

        For more information about setting access control, see Chapter 8, Controlling Access to Your Server.
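
With option 2 of step 4, Client Authentication stays off on the listen socket, so the access control rules are where a certificate is demanded. The following is an added example, not taken from the guide or from Oracle: it audits ACL text for rules that would admit a client without certificate authentication. The sample ACL, its names, and the ACL file syntax it parses (`authenticate` blocks with `method`, `allow` rules, and `user = "anyone"` meaning no authentication) are assumptions.

```python
import re

# Constructed sample (not from the guide). ACL names, users and groups are
# hypothetical; the syntax is assumed to follow the server's ACL file format.
SAMPLE_ACL = '''
version 3.0;
acl "internal-app";
authenticate (user, group) {
    method = "ssl";
    database = "default";
};
deny (all) user = "anyone";
allow (read) user = "alice" or group = "staff";

acl "reports";
authenticate (user, group) {
    method = "basic";
};
allow (read) user = "all";

acl "public";
allow (read) user = "anyone";
'''

ACL_RE = re.compile(r'\bacl\s+"([^"]*)"\s*;(.*?)(?=\bacl\s+"|\Z)', re.S)
METHOD_RE = re.compile(r'\bmethod\s*=\s*"?(\w+)"?', re.I)
ALLOW_RE = re.compile(r'^\s*allow\b[^;]*', re.I | re.M)
ANYONE_RE = re.compile(r'\buser\s*=\s*"?anyone\b', re.I)

def audit_acl(text):
    """Map each ACL name to the reasons it does not enforce certificate auth."""
    findings = {}
    for name, body in ACL_RE.findall(text):
        issues = []
        methods = sorted({m.lower() for m in METHOD_RE.findall(body)})
        if not methods:
            issues.append("no authenticate method set")
        elif methods != ["ssl"]:
            issues.append("method is not ssl: " + ", ".join(methods))
        # Assumed semantics: "anyone" in an allow rule admits unauthenticated clients.
        if any(ANYONE_RE.search(rule) for rule in ALLOW_RE.findall(body)):
            issues.append("allow rule admits unauthenticated users")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for acl, issues in audit_acl(SAMPLE_ACL).items():
        print(f"{acl}: {'; '.join(issues)}")
```

Run it against a copy of the ACL text after saving changes in the Administer Access Control pages; an empty result means every ACL it parsed uses only the SSL method and has no `anyone` allow rule.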

To Configure the Content Server-Authenticates-Proxy Scenario

  1. Follow the directions for configuring the secure Client-to-Proxy and secure Proxy-to-Content-Server scenario in Setting up a Reverse Proxy.

  2. On your content server, turn client authentication on.

    You can modify this scenario so that you have an unsecure client connection to the Proxy Server, a secure connection to the content server, and the content server authenticates the Proxy Server. To do so, you must turn encryption off and require the proxy to initialize certificates only as described in the following procedure.

To Configure the Proxy-Authenticates-Client and Content Server-Authenticates-Proxy Scenario

  1. Follow the directions for configuring the Proxy-Authenticates-Client scenario in To Configure the Proxy-Authenticates-Client Scenario.

  2. On your content server, turn client authentication on.