Client certificates on Edge servers

  • Question

  • A question on external access, using Edge servers, where we want to use strong user authentication, using an X509 client certificate.

     

    For CWA we plan to use a WebSeal reverse proxy server, with the WebSeal performing the 'strong' authentication. This way the CWA and Front-Ends can be sure that the person accessing the service has a physical certificate.

    We would like to do the same for accessing the Front-Ends via Access Edge + Web Conferencing Edge on one box.

     

    I understand that the Edge servers are SIP and PSOM reverse proxies, like the WebSeal or ISA are HTTPS reverse proxies.

     

    Now I know that OCS authentication only uses NTLM and Kerberos, but I want to authenticate the client (certificate) one step earlier. Can the client certificate authentication be handled by the Edge servers (using the same client certificate we let WebSeal check for the CWA) or must I put a WebSeal or ISA before the Edge servers (and will they allow that?).

     

    Any ideas how I can implement this way of strong authentication? (Maybe I can call it 2-factor.)

     

    Saturday, June 28, 2008 4:08 PM

All replies

  • Unfortunately not possible

    You could do a workaround with some SSL VPN type of firewall that requires you to log in with a cert, but then you must disconnect your EDGE server from the internet and only make it accessible via SSL VPN.

     

    Tuesday, July 1, 2008 11:16 AM