WAF: more authentication type
At the moment there are different types of authentication missing, even on UTM9, compared with ISA Server 2006, such as:
1. Two-factor authentication using forms-based authentication and a client certificate.
2. Delegation of credentials by using NTLM or Kerberos authentication.
3. Kerberos constrained delegation.
4. Secure Sockets Layer (SSL) client certificate constraints.
In this way, XG and UTM9 would be a true alternative to ISA Server.
Hello, I've tried a WAF configuration for a site that authenticates by certificate, but it doesn't work.
[ssl:warn] [pid 25165:tid 140483397244672] AH02268: Proxy client certificate callback:
(mysite:443) downstream server wanted client certificate but none are configured
We need a configuration, as is available on the market, that permits SSL authentication pass-through.
The site keeps being protected by the WAF and ignores the authentication by SSL, with the client authenticating directly on the server.
I bought into the Sophos XG because it was touted as a good match to ISA/TMG. The TMG offered a truly seamless integration for Windows servers and I can't stop feeling sad it's gone!
The reverse proxy feature on the ISA/TMG was extremely secure with support for a variety of authentication options. Delegation of creds using Windows auth or Kerberos would be most welcome!
I am struggling to configure reverse authentication in WAF, and this XG 17.5 has a long way to go to match the good old TMG or ISA 2004/6.
Are there any ex-ISA/TMG customers in this community who have configured WAF reverse proxy authentication successfully for front end and back end and got it to work reliably? I appreciate that only Basic Auth is supported, but I get into timeout issues using forms for the front end and Basic Auth forwarding.
Apologies for the long post!
Jim Harrison commented
ISA Server (and TMG, if you're actually using current [dead] technology) was never able to perform client certificate delegation, and NTLM doesn't allow delegation.
KCD is a Windows feature, not an ISA feature. It requires that your UTM/XG device actually join an AD domain.