Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Authentication> Network and Authentication Configuration> Managing User Authentication> Configuring a PKI Authentication Server

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Configuring a PKI Authentication Server

You can set up a certificate server so that a user authenticates using a client certificate on his or her device. Digital certificate authentication can be used alone or in conjunction with another authentication method, such as RADIUS. (If you set up chained authentication and a digital certificate is one of the methods you use, it must be the first method; for more information, see Configuring Chained Authentication.)

Affinity servers should be used only for authentication servers that do not include full group search capabilities, such as RADIUS, RSA, and PKI servers.

If both CRL and OCSP are enabled for a CA certificate, only OCSP is used.
Fallback from CRL to OCSP or OCSP to CRL is not supported.

To configure a PKI authentication server

In the AMC, navigate to System Configuration > Authentication Servers.
Click New.
Click Public key infrastructure (PKI).
In the Name field, type a name for the authentication server.
Under Trusted CA certificates, optionally
- Select the Trust intermediate CAs without verifying the entire chain checkbox. This allows a set of trusted intermediate signing authority certificates to be deployed in various sectors of the network (often by department or organizational unit). For more information, see About Intermediate Certificates.
- Select the Enable automatic device enrollment using a local CA checkbox only for PKI with local CA and not for any other CA.
Under Use is a list of All CA certificates used by the appliance. Select one or more root certificates for establishing a trust relationship with the client device by selecting the checkbox (a root certificate is one where the Subject and Issuer are the same). A client’s certificate will be trusted if it matches a root certificate listed in the Trusted CA certificates list.
Under Advanced, in the Username attribute field, type the attribute used for single sign-on (for example, cn or uid).
To use an OCSP responder to determine client certificate status, select the Use OCSP to verify client certificates checkbox. If selected, a user may use any access method (Workplace or Connect Tunnel) to authenticate to a realm that uses this PKI authentication method.
Select one of the following options for Use this OCSP responder:
- System default – A manually configured OCSP responder has priority. The configured OCSP responder URL is shown here if configured. You can configure it by clicking the here link, which takes you to the OCSP page available from SSL Settings.
- User certificate’s AIA extension – The user certificate is parsed to extract the URL of the OCSP responder. The Authority Information Access (AIA) certificate extension contains URL locations that provide the issuing CA’s certificate. The AIA extension can contain HTTP, FTP, LDAP, or FILE URLs.
- CA certificate’s AIA extension – The CA certificate is parsed to extract the URL of the OCSP responder.
Select the Allow certificate if responder is unavailable checkbox if the authentication should succeed in cases where an error occurs, an unknown status is returned, or the OCSP responder is not available.
Select the Trust signing certificates in response checkbox to trust certificates in the OCSP response. This is enabled by default.

You must import the OCSP response signing certificate for the CA certificate being used and enable OCSP response verification when importing it. The OCSP response signing certificate can be copied from the OCSP responder or server to a local management machine and then imported from the SSL Settings page while you are logged in to AMC.
Select the Send nonce in request checkbox and Require nonce in response checkbox to guard against malicious replay attacks, in which a successful response is replayed to the client after the subject certificate is revoked.
Click Save.

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Configuring a PKI Authentication Server