Web Application Proxy: How to Pass Client Certificate Details to a Back-end Server

  • Question

  • Hello,

    I've recently migrated our company's test and dev HTTPS website to run on Server 2012R2. For our reverse proxy solution I've installed Web Application Proxy and ADFS 3.0. On the original environment that uses a different reverse-proxy, IIS would prompt for a client certificate to authenticate and gain access to the website. Now with Web Application Proxy sitting out in front of it configured in pass-through mode it no longer prompts for a client certificate. This is meant to work for hundreds of users with different certificates.

    I haven't found a conclusive answer but I'm thinking that WAP terminates the SSL session and does not forward along the client certificate information. Is there a workaround for this? A way to prompt and pass client certificates to the backend server for authentication while using WAP as a reverse proxy? I don't want to make any changes to the website coding itself but still want to use WAP.

    Any ideas?

    Thank you



    • Edited by Urrakka Wednesday, March 9, 2016 4:53 AM
    Wednesday, March 9, 2016 4:48 AM

Answers

  • You are right. The SSL is terminated on the WAP server in that case. This is a reverse proxy issue, not specific to WAP. There is no workaround with the current version of WAP.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Urrakka Wednesday, March 9, 2016 8:14 PM
    Wednesday, March 9, 2016 7:12 PM

All replies

  • Have there been any changes in the current version of the WAP?

    Thursday, February 1, 2018 9:21 AM