How to publish a server that uses Client Certificate mapping

  Question

  •  Hello All,

    I'm trying to publish, on TMG, an internal HTTPS server configured as follows:
        1. Non-standard HTTPS port (e.g. 1234)
        2. The server authenticates clients by mapping client certificates to user accounts.

    I configured TMG to listen for connections on the standard HTTPS port 443 (Listener properties / Connections) and set Listener Authentication to "No Authentication". Then I created a publishing rule with:
        1. Authentication delegation: No delegation, but client may authenticate directly
        2. Binding: Redirect requests to SSL port: 1234
        3. Link translation (local mapping) https://externalname.domain.com/
            to https://internalname.domain.com:1234/ and vice versa

    In my understanding, all HTTPS requests (from the external side) should now be redirected to the internal HTTPS server on port 1234, and the internal server (not TMG) should identify the client using the client certificate.

    However, when I try to connect to the external site, IE displays error 403 (Access is denied), and the failed-request log on the internal server shows:
    ModuleName IIS Web Core
    Notification 1
    HttpStatus 403
    HttpReason Forbidden
    HttpSubStatus 7
    ErrorCode 2147942405
    ConfigExceptionInfo
    Notification BEGIN_REQUEST
    ErrorCode Access is denied. (0x80070005)

    What's wrong with my setup?

    Thank you in advance for any hint.

    Al
    • Moved by Shrikant Maske, Tuesday, January 19, 2010 6:24 PM: As per owner's request. (From: Forefront Threat Management Gateway)
    • Moved by Keith Alabaster (Moderator), Tuesday, January 19, 2010 8:47 PM: wrong forum. (From: Forefront Edge Security - General)
    Tuesday, November 18, 2008 5:02 PM

Answers

  • This is the same as for ISA Server; you can't use bridging when certificate auth is enforced at the published web site.
    You'll have to use non-web publishing (tunneling) to accomplish this.
    Jim Harrison Forefront Edge CS
    Friday, November 21, 2008 3:11 PM
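  The mechanism behind Jim's answer, as an added example that is not part of this thread and is not TMG or ISA code: a self-contained Python script (Python 3.8+, needs the openssl command-line tool on PATH) that builds a throwaway test PKI, runs a backend that maps a client certificate's CN to an account, and then sends the same request from a browser-like client three ways: straight to the backend, through a TLS-terminating "bridge" that mirrors web publishing with a "No Authentication" listener, and through a byte-for-byte TCP "tunnel" that mirrors server publishing. The hostnames, the user alice, the CORP\alice account, the CERT_MAP table and the reply strings are all constructed for the demo.

```python
"""Constructed demo, not TMG/ISA code: TLS bridging versus TCP tunneling in front of a
server that maps client certificates to accounts.  Everything runs on 127.0.0.1."""
import os, socket, ssl, subprocess, tempfile, threading

# Hypothetical certificate-to-account mapping at the published server (IIS client
# certificate mapping does the equivalent): certificate subject CN -> account.
CERT_MAP = {"alice": r"CORP\alice"}

def make_certs(d):
    """Throwaway test PKI (CA, server, client) built with the openssl tool; {name: (key, cert)}."""
    p = {n: (os.path.join(d, n + ".key"), os.path.join(d, n + ".crt")) for n in ("ca", "server", "client")}
    def sh(*args): subprocess.run(args, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    sh("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
       "-subj", "/CN=Constructed Test CA", "-keyout", p["ca"][0], "-out", p["ca"][1])
    for n, cn in (("server", "backend.internal"), ("client", "alice")):
        csr = os.path.join(d, n + ".csr")
        sh("openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + cn,
           "-keyout", p[n][0], "-out", csr)
        sh("openssl", "x509", "-req", "-days", "1", "-in", csr, "-CA", p["ca"][1],
           "-CAkey", p["ca"][0], "-CAcreateserial", "-out", p[n][1])
    return p

def tls_ctx(p, server_side, client_cert=False):
    """TLS context trusting the test CA; client_cert=True loads the user's certificate and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(p["ca"][1])
    ctx.check_hostname = False  # the test server cert has no SAN; name checking is not the point here
    if server_side:
        ctx.load_cert_chain(p["server"][1], p["server"][0])
    if client_cert:
        ctx.load_cert_chain(p["client"][1], p["client"][0])
    return ctx

def serve(handler):
    """Listen on a free loopback port; hand each accepted connection to handler in a thread."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def backend(p):
    """The published server: requests a client certificate and maps its CN to an account."""
    ctx = tls_ctx(p, server_side=True)
    ctx.verify_mode = ssl.CERT_OPTIONAL  # ask for a cert; the application decides what a missing one means
    def handle(conn):
        try:
            with ctx.wrap_socket(conn, server_side=True) as s:
                s.recv(1024)
                cert = s.getpeercert()  # None when the peer presented no certificate
                cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName") if cert else None
                s.sendall(b"403.7 client certificate required" if cn is None else  # IIS logs this as 403.7
                          b"200 authenticated as " + CERT_MAP[cn].encode() if cn in CERT_MAP else
                          b"403 certificate not mapped to an account")
        except OSError:
            pass
    return serve(handle)

def bridge(backend_port, p):
    """Web publishing: terminate the client's TLS here, open a new TLS session to the backend."""
    front = tls_ctx(p, server_side=True)   # the listener, "No Authentication": never asks for a cert
    back = tls_ctx(p, server_side=False)   # no client_cert=True: the proxy does not hold the user's
    def handle(conn):                      # private key, so it cannot present her certificate here
        with front.wrap_socket(conn, server_side=True) as c, \
             back.wrap_socket(socket.create_connection(("127.0.0.1", backend_port))) as b:
            b.sendall(c.recv(1024))
            c.sendall(b.recv(1024))
    return serve(handle)

def tunnel(backend_port):
    """Server publishing: copy raw TCP bytes both ways; the TLS handshake is end to end."""
    def pump(src, dst):
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        dst.close()
    def handle(conn):
        b = socket.create_connection(("127.0.0.1", backend_port))
        threading.Thread(target=pump, args=(conn, b), daemon=True).start()
        pump(b, conn)
    return serve(handle)

def request(port, p):
    """The browser: holds the user's certificate and presents it whenever a server asks."""
    ctx = tls_ctx(p, server_side=False, client_cert=True)
    with ctx.wrap_socket(socket.create_connection(("127.0.0.1", port))) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: externalname.domain.com\r\n\r\n")
        return s.recv(1024).decode()

def demo():
    p = make_certs(tempfile.mkdtemp())
    bp = backend(p)
    return {"direct": request(bp, p), "bridged": request(bridge(bp, p), p), "tunneled": request(tunnel(bp), p)}

if __name__ == "__main__":
    print(demo())
```

  Running it, the direct and tunneled paths both come back "200 authenticated as CORP\alice", while the bridged path comes back "403.7 client certificate required", which is the same 403.7 substatus the poster sees in the IIS failed-request log. The reason is in the bridge function: a client certificate is bound to the TLS session the browser negotiates, and a bridging proxy ends that session on its own listener and opens a second one in which it has no private key for the user, so the published server never sees the certificate. Requesting a certificate on the listener would not change this, because TMG still could not re-present it on the second hop. The trade-off of the tunnel (server publishing) is that TMG no longer decrypts anything, so HTTP-layer features of the web rule such as link translation and the "redirect requests to SSL port" setting do not apply; the external-to-internal port mapping has to be expressed in the server publishing rule instead.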