WAF: more authentication type
At the moment there are different types of authentication missing, even on UTM9, compared with ISA Server 2006, such as:
- Two-factor authentication using forms-based authentication and a client certificate.
- Delegation of credentials by using NTLM or Kerberos authentication.
- Kerberos constrained delegation.
- Secure Sockets Layer (SSL) client certificate constraints.
In this way, XG and UTM9 are the very alternative to ISA Server.
Hello, I've tried configuring WAF for a site that authenticates by certificate, but it doesn't work.
[ssl:warn] [pid 25165:tid 140483397244672] AH02268: Proxy client certificate callback:
(mysite:443) downstream server wanted client certificate but none are configured
We need a configuration, like others on the market have, that permits SSL authentication pass-through.
The site would keep being protected by WAF while ignoring the SSL authentication, so that the client authenticates directly on the server.
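The AH02268 warning quoted above is the Apache mod_ssl message emitted when a reverse-proxied backend requests a client certificate during the TLS handshake and the proxy has no certificate configured to present. The following is an added example, not code from the original post or from Sophos: it parses error-log lines in that format and lists the backend host:port pairs that are demanding client-certificate authentication the WAF cannot satisfy, which is a quick way to confirm that a pass-through (rather than terminate-and-re-encrypt) setup is actually what a site needs. The sample log lines are constructed, and the assumption that the WAF's proxy is Apache-based rests only on the AH-prefixed message in the post.

```python
import re

# Constructed sample lines in Apache httpd error-log format. Only the first one
# is copied from the post; the other two are made up to show non-matching input.
SAMPLE_LOG = """\
[ssl:warn] [pid 25165:tid 140483397244672] AH02268: Proxy client certificate callback: (mysite:443) downstream server wanted client certificate but none are configured
[ssl:info] [pid 25165:tid 140483397244672] AH01964: Connection to child 5 established (server mysite:443)
[proxy:error] [pid 25166:tid 140483397244672] AH00898: Error reading from remote server returned by /app/
"""

# One error-log record: optional timestamp (present in a real error_log, absent
# when a line is pasted from a forum), module:level, pid/tid, optional client
# address, five-digit AH code, free-text message.
LINE_RE = re.compile(
    r"^(?:\[[A-Z][a-z]{2} [^\]]+\] )?"          # e.g. [Tue Jan 01 00:00:00.000000 2019]
    r"\[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client [^\]]+\] )?"
    r"(?P<code>AH\d{5}): (?P<message>.*)$"
)

# The "(host:port)" fragment inside the AH02268 message names the backend.
TARGET_RE = re.compile(r"\((?P<host>[^:)]+):(?P<port>\d+)\)")

# mod_ssl code for "downstream server wanted client certificate but none are configured"
CLIENT_CERT_MISSING = "AH02268"


def parse_line(line):
    """Parse one Apache error-log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["tid"] = int(rec["tid"])
    return rec


def find_client_cert_gaps(log_text):
    """Return (host, port) pairs of backends that asked the proxy for a client
    certificate it does not hold. Duplicates are collapsed, order preserved."""
    gaps = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["code"] != CLIENT_CERT_MISSING:
            continue
        t = TARGET_RE.search(rec["message"])
        if t is None:
            continue  # message format differs from the one we know; skip rather than guess
        target = (t.group("host"), int(t.group("port")))
        if target not in gaps:
            gaps.append(target)
    return gaps


if __name__ == "__main__":
    for host, port in find_client_cert_gaps(SAMPLE_LOG):
        print(f"backend {host}:{port} requires a client certificate the proxy cannot present")
```

Run it against a full error_log rather than the sample to get the list of backends; each entry is a site where the WAF's own TLS termination will break certificate-based logon until either the WAF is given a certificate to present or the traffic is handed through without termination.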
I bought into the Sophos XG because it was touted as a good match to ISA/TMG. The TMG offered a truly seamless integration for Windows servers and I can't stop feeling sad it's gone!
The reverse proxy feature on the ISA/TMG was extremely secure with support for a variety of authentication options. Delegation of creds using Windows auth or Kerberos would be most welcome!
I am struggling to configure reverse authentication in WAF, and this XG 17.5 has a long way to go to match the good old TMG or ISA 2004/6.
Are there any ex-ISA/TMG customers in this community that have configured WAF reverse proxy authentication successfully for front end and backend and got it to work reliably? I appreciate that only Basic Auth is supported, but I get into timeout issues using forms for the front end and Basic Auth forwarding.
Apologies for the long post!
Jim Harrison commented
ISA Server (and TMG, if you're actually using current [dead] technology) was never able to perform client certificate delegation, and NTLM doesn't allow delegation.
KCD is a Windows, not an ISA feature. It requires that your UTM/XG device actually join an AD domain.