Using client certificate authentication for publishing over HTTPS

Applies To: Forefront Threat Management Gateway (TMG)

To use client certificate authentication for publishing over HTTPS

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the details pane, click the applicable Web publishing rule.

  3. On the Tasks tab, click Edit Selected Rule.

  4. On the Listener tab, click Properties.

  5. On the Connections tab, verify that Enable SSL (HTTPS) connections on port is selected.

  6. If you do not want to allow HTTP connections without client certificate authentication, verify that Enable HTTP connections on port is not selected.

  7. On the Authentication tab, do one of the following:

    1. If Method clients use to authenticate to Forefront TMG is set to HTTP Authentication or No Authentication, select SSL Client Certificate Authentication in the drop-down list, and click Advanced.

    2. If Method clients use to authenticate to Forefront TMG is set to HTML Form Authentication, click Advanced. You should select Require SSL client certificate only if you want to require that an SSL client certificate be sent in the HTTPS request before the HTML form is presented to the user.

  8. On the Client Certificate Trust List tab, select one of the following:

    • Accept any client certificate trusted by the Forefront TMG computer. Select this option if you want the list of acceptable certification authorities to include all certification authorities whose root certificate is installed in the Trusted Root Certification Authorities store on the Forefront TMG computer.

    • Only accept client certificates issued by the certification authorities selected below. Select this option if you want to limit the list of certification authorities whose certificates will be trusted.

  9. On the Client Certificate Restrictions tab, define the restrictions that the SSL client certificates must match.

  10. Click OK to close the Advanced Authentication Options page.

  11. On the Certificates tab, verify that an SSL server certificate is selected, and then click OK.

  12. For forms-based authentication, on the Traffic tab, select Require SSL Client Certificate.

  13. Click OK.

  14. In the details pane, click Apply, and then click OK.

Note

  • A client certificate presented to Forefront TMG is trusted only when the root certificate of the certification authority that issued it is installed in the Trusted Root Certification Authorities store on the Forefront TMG computer.

  • When publishing over SSL, an SSL server certificate that was issued to the public host name of the published Web site must be installed in the Personal store for the local computer on every Forefront TMG computer in the array in which the Web publishing rule is configured,. For more information about using server certificates for secure Web publishing, see Configuring server certificates for secure Web publishing.

  • When a client attempts to connect through Forefront TMG, a list of acceptable certification authorities is provided by Forefront TMG to the client as part of the SSL handshake. This allows the client application, such as a Web browser, to use only the client certificates that were issued by a specific trusted certification authority.

  • You can further restrict the set of certificates that a client can send to Forefront TMG by creating restrictions that the SSL client certificates must match. This way, you can eliminate the need for the client application to display a list of certificates to the user for selecting the appropriate client certificate.

Concepts

Publishing Web servers over HTTPS