UTM reverse proxy authentication

Moving to the correct subject specific forum. Please post to the correct forum in future Arthur, thanks. :)

Hi Arthur,

1) Certificate-based Authentication for reverse proxy is not available in UTM9, only basic and form-based methods.
It was possible with Microsoft TMG, and I've succesfuly implemented it once for a client who requested Exchange OWA 2-factor authentication functionality.

However, there is still an open feature request that you can vote for if you wish:
feature.astaro.com/.../4568036-web-server-protection-certificate-based-authe

Thanks for the reply.
Do you know if it is possible to have UTM to authenticate to the backend server with a static basic auth credentials while keeping the virtual server in anonymous mode?

Hi,

a static basic auth credentials to the backend server is not possible.

Sabine

This seems to be to be a huge gaping hole in the security of the UTM offering. 90% of our clients require client side certificate based authentication and this issue has been around for a long time with UTM.

From what I have been able to to see, the only way around this issue is to just have a NAT rule that allows 'naked' traffic to pass through the firewall from the outside directly into the heart of an otherwise secure environment in order to have the customer application (which only supports certificate based authentication due to the PHI information involved) receive data from the outside world. It only takes about 4.5 seconds for the nasties of the world out there to notice this and then they too start tapping away at the server without the protection the WAF provides.

Additionally, with more an more applications (Puppet comes to mind) requiring RBCAC tokens and or certificate based auth, how are we to provide WAF services to our customers?

Is there a design flaw in our configuration? Is there a DMZ type solution? What is the best practice on allowing applications like Elasticsearch/Puppet/<insert nginx/tomcat application here> client certificate authentication while not exposing the customer to an unnecessary level of risk?