It is trying to use a certificate to authenticate the clients, and for that it 
must pass that authentication information through. Not sure if you have seen 
this:
Proxy Web Servers for Internet-Based Client Management
If the site supports Internet-based client management, and you are using a 
proxy web server by using SSL termination (bridging) for incoming Internet 
connections, the proxy web server has the certificate requirements listed in 
the following table.
Note: If you are using a proxy web server without SSL termination (tunneling), 
no additional certificates are required on the proxy web server.


Network infrastructure component:
  Proxy web server accepting client connections over the Internet

Certificate purpose:
  Server authentication and client authentication

Microsoft certificate template to use:
  1.  Web Server
  2.  Workstation Authentication

Specific information in the certificate:
  Internet FQDN in the Subject Name field or in the Subject Alternative Name 
  field (if you are using Microsoft certificate templates, the Subject 
  Alternative Name is available with the workstation template only).
  SHA-1 and SHA-2 hash algorithms are supported.

How the certificate is used in Configuration Manager:
  This certificate is used to authenticate the following servers to Internet 
  clients and to encrypt all data transferred between the client and this 
  server by using SSL:
    *   Internet-based management point
    *   Internet-based distribution point
    *   Internet-based software update point
  The client authentication is used to bridge client connections between the 
  System Center 2012 Configuration Manager clients and the Internet-based site 
  systems.




Nagu Sittampalam | Security Team Leader, IT Solutions Division | Southampton 
Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | 
e-mail nagu.sittampa...@southampton.gov.uk | e-mail nagu.sittampa...@capita.co.uk | 
post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be 
subject to legal privilege, and are intended solely for the use of the 
individual or entity to whom they are addressed.
If you have received this email in error or think you may have done so, you may 
not peruse, use, disseminate, distribute or copy this message. Please notify 
the sender immediately and delete the original e-mail from your system.

From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: 23 January 2014 21:10
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu 
<nagu.sittampa...@southampton.gov.uk> wrote:
What we are trying to achieve is, like you said, SSL termination at Apache httpd 
and reverse proxy to the backend server over SSL, but we need to send through the 
client authentication header. This is so we can give Internet-based clients 
access to our Microsoft SCCM 2012 management point. Would you be able to point 
to any documents on how to do this please? Below is what Microsoft says about it.

*   SSL bridging to SSL:

The recommended configuration when you use proxy web servers for Internet-based 
client management is SSL bridging to SSL, which uses SSL termination with 
authentication. Client computers must be authenticated by using computer 
authentication, and mobile device legacy clients are authenticated by using 
user authentication. Mobile devices that are enrolled by Configuration Manager 
do not support SSL bridging.

The benefit of SSL termination at the proxy web server is that packets from the 
Internet are subject to inspection before they are forwarded to the internal 
network. The proxy web server authenticates the connection from the client, 
terminates it, and then opens a new authenticated connection to the 
Internet-based site systems. When Configuration Manager clients use a proxy web 
server, the client identity (client GUID) is securely contained in the packet 
payload so that the management point does not consider the proxy web server to 
be the client. Bridging is not supported in Configuration Manager with HTTP to 
HTTPS, or from HTTPS to HTTP.


It is a mystery to me.  The language in the MS document seems to be referring 
to some information other than the normal HTTP headers that must be replicated 
to the back-end connection.





From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: 23 January 2014 14:01

To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu 
<nagu.sittampa...@southampton.gov.uk> wrote:
Thank you for the response, and yes, it is not a reverse proxy anymore. Is my 
assumption correct that Apache reverse proxy is not capable of doing SSL bridging?

I'm not familiar with the term "SSL bridging".  I see a description of "SSL 
bridging" in BIG-IP here:  http://www.f5.com/glossary/ssl-bridging/   Apache 
httpd does not have that capability.  But Microsoft has a different description 
of "SSL bridging" here: http://technet.microsoft.com/en-us/library/cc722817.aspx

What are you trying to accomplish?  SSL termination at Apache httpd, and 
reverse proxy to backend server over SSL?  Yes, that is implemented.




From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: 23 January 2014 13:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu 
<nagu.sittampa...@southampton.gov.uk> wrote:
Hello

I did not get any response to my below email, so I assume SSL bridging cannot be 
done on Apache reverse proxy. So I wanted to know if it is possible to do SSL 
tunnelling with Apache reverse proxy?

"Reverse" proxy hides the backend server from the client, and the httpd doing 
the proxying is the SSL termination point.  I don't think you mean to refer to 
"reverse" proxy.

See the notes on the CONNECT protocol support here:

http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html




_____________________________________________
From: Sittampalam, Nagu
Sent: 17 January 2014 08:05
To: 'users@httpd.apache.org'
Subject: SSL bridging with Apache reverse proxy


Hello

Is it possible to do SSL bridging with Apache reverse proxy? Searching on the 
internet, most results suggest it does not work. We want to use Apache reverse 
proxy to allow internet clients to connect to our Microsoft SCCM 2012 server. 
This requires SSL bridging with the ability to pass through client 
authentication header information.







--
Born in Roswell... married an alien...
http://emptyhammock.com/






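The configuration Jeff describes as implemented (TLS terminated at httpd, the request re-proxied to the backend over TLS, with the proxy itself authenticating the client by certificate) looks like the following in Apache httpd 2.4. This is an added example for the thread, not a configuration posted by either participant and not taken from Microsoft or Apache documentation. Hostnames, file paths and the backend name are placeholders; the snippet assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are already loaded. The security-relevant point it makes is that httpd cannot re-present the Internet client's own certificate on the backend leg (it does not hold that client's private key); what it can do is require the client certificate on the inbound leg, present its own Workstation Authentication certificate on the outbound leg (SSLProxyMachineCertificateFile), and forward the verified client identity as request headers that it sets itself so a client cannot inject them. Whether the SCCM management point accepts a connection built this way is not established anywhere in the thread and has to be tested against it.

```apache
# Added example: "terminate and re-encrypt" reverse proxy with
# client-certificate authentication at the proxy (Apache httpd 2.4).
# All names and paths below are placeholders (assumptions).

Listen 443
<VirtualHost *:443>
    # Internet FQDN of the proxy; must match the Subject/SAN of its
    # Web Server certificate (assumed name).
    ServerName sccm-proxy.example.org

    # ---- Inbound leg: TLS termination plus mutual authentication ----
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile     /etc/httpd/ssl/sccm-proxy.example.org.crt
    SSLCertificateKeyFile  /etc/httpd/ssl/sccm-proxy.example.org.key

    # CA chain that issued the clients' computer certificates (assumed path).
    SSLCACertificateFile   /etc/httpd/ssl/client-issuing-ca.pem
    # "require" rejects the handshake outright without a valid client cert;
    # "optional" would let unauthenticated requests reach the backend.
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Expose SSL_CLIENT_* variables so they can be copied into headers.
    SSLOptions +StdEnvVars

    # ---- Outbound leg: a new TLS connection to the internal site system ----
    SSLProxyEngine on
    # Verify the backend's certificate against the internal CA (assumed path)
    # and check that its name matches the ProxyPass target.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.pem
    SSLProxyCheckPeerName     on
    # The proxy authenticates *itself* to the backend with its own
    # Workstation Authentication certificate: PEM file holding the
    # certificate followed by its unencrypted private key (assumed path).
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-workstation-auth.pem

    # ---- Pass the verified client identity to the backend as headers ----
    # "set" overwrites any copy of these headers a client sent, so the
    # backend only ever sees values taken from the inbound TLS handshake.
    # Header names are assumptions; the backend must be told to expect them.
    RequestHeader set X-Client-Subject-DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Issuer-DN  "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-Client-Serial     "%{SSL_CLIENT_M_SERIAL}s"

    ProxyRequests    off
    ProxyPass        / https://sccm-mp.internal.example.org/
    ProxyPassReverse / https://sccm-mp.internal.example.org/
</VirtualHost>
```

Two checks worth doing before pointing real clients at it: connect with `openssl s_client` without a client certificate and confirm the handshake fails rather than producing a 403 from the backend, and send a request that already carries an X-Client-Subject-DN header and confirm the backend receives the value from the handshake, not the one the client supplied.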
