1.4 Configuring SSL between the Proxy Service and the Web Servers

SSL must be enabled between the Access Gateway and the browsers before you can enable it between the Access Gateway and its Web servers.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

    [Figure: Configuring SSL to the Web Servers]
  2. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 1.3, Configuring SSL Communication with the Browsers and the Identity Server and select the Enable SSL between Browser and Access Gateway field.

  3. Configure how you want the proxy service to verify the Web server certificate:

    1. Select one of the following options:

      • To not verify this certificate, select Do not verify for the Web Server Trusted Root option.

        Use this option when you want the information between the Access Gateway and the Web server encrypted, but you don’t need the added security of verifying the Web server certificate.

        Continue with Step 4.

      • To verify the certificate authority of the Web server certificate, select Any in Reverse Proxy Trust Store. When this option is selected, the public certificate of the certificate authority must be added to the proxy trust store.

        IMPORTANT: For an Access Gateway Service, this option is a global option. If you select this option for one proxy service, all proxy services on an Access Gateway Service are flagged to verify the public certificate. This verification is done even when other proxy services are set to Do not verify.

        If the Web server certificate is part of a chain of certificates, you need to enable the SSLProxyVerifyDepth option and specify how many certificates are in the chain. For more information about this option, see Section 2.2.3, Configuring Advanced Options for a Domain-Based Proxy Service.

    2. Click the Manage Reverse Proxy Trust Store icon. The auto import screen appears.

      [Figure: Importing a certificate into the proxy trust store]

      If the Access Gateway is a member of a cluster, the cluster members are listed. The Web server certificate is imported into the trust stores of each cluster member.

    3. Ensure that the IP address of the Web server and the port match your Web server configuration.

      If these values are wrong, you have entered them incorrectly on the Web server page. Click Cancel and reconfigure them before continuing.

    4. Click OK.

      The server certificate, the Root CA certificate, and any certificate authority (CA) certificates from a chain are listed.

      If the whole chain is not displayed, import what is displayed. You then need to manually import the missing parents in the chain. A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN (that is, a self-signed root certificate).

    5. Specify an alias, then click OK.

      All the displayed certificates are added to the trust store.

    6. Click Close.

  4. (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate:

    1. Click the Select Certificate icon.

    2. Select the certificate you created for the reverse proxy, then click OK.

      This is only part of the process. You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service. For instructions, see your Web server documentation.

  5. In the Connect Port field, specify the port that your Web server uses for SSL communication. The following table lists some common servers and their default ports.

    Server Type                     Non-Secure Port   Secure Port
    Web server with HTML content    80                443
    SSL VPN                         8080              8443
    WebSphere                       9080              9443
    JBoss                           8080              8443

  6. To save your changes to browser cache, click OK.

  7. To apply your changes, click the Access Gateways link, then click Update > OK.
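The following is an added worked example, not part of this documentation and not Access Manager code. It applies the rule from Step 3 to the list of certificates the import screen displays: it orders the displayed certificates from the Web server certificate up to the root by following Subject/Issuer CN links, reports which parent is missing if the chain does not end in a certificate whose Subject and Issuer CN match, and, for a complete chain, computes the number of CA certificates above the server certificate, which is the value Apache-style SSLProxyVerifyDepth counts (a server certificate signed directly by a trusted root is depth 1). The certificate names and the `Cert` helper are constructed for illustration; matching on CN alone follows the page's rule and is not a substitute for the signature and full-DN checks the proxy performs.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal view of a displayed certificate: only the Subject and Issuer CN (constructed helper)."""
    subject_cn: str
    issuer_cn: str

    def is_self_signed(self) -> bool:
        # The page's rule for a root: Subject CN and Issuer CN are the same.
        return self.subject_cn == self.issuer_cn


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the displayed certificates ordered leaf first, walking Issuer -> Subject links.

    The leaf (Web server certificate) is the one certificate that no other displayed
    certificate names as its issuer. The walk stops at a self-signed root or when the
    next issuer is not among the displayed certificates.
    """
    by_subject = {c.subject_cn: c for c in certs}
    issued_subjects = {c.issuer_cn for c in certs if not c.is_self_signed()}
    leaves = [c for c in certs if c.subject_cn not in issued_subjects]
    if len(leaves) != 1:
        raise ValueError("expected exactly one Web server certificate, found %d" % len(leaves))
    ordered = [leaves[0]]
    seen = {leaves[0].subject_cn}
    while not ordered[-1].is_self_signed():
        parent = by_subject.get(ordered[-1].issuer_cn)
        if parent is None or parent.subject_cn in seen:
            break  # parent not displayed (incomplete chain) or a cycle
        ordered.append(parent)
        seen.add(parent.subject_cn)
    return ordered


def missing_parent(certs: List[Cert]) -> Optional[str]:
    """Return the Issuer CN that must be imported manually, or None if the chain is complete."""
    top = order_chain(certs)[-1]
    return None if top.is_self_signed() else top.issuer_cn


def verify_depth(certs: List[Cert]) -> int:
    """Number of CA certificates above the server certificate in a complete chain.

    This is the depth an Apache-style SSLProxyVerifyDepth must allow (0 = self-signed
    server certificate, 1 = signed directly by a trusted root, 2 = one intermediate).
    """
    if missing_parent(certs) is not None:
        raise ValueError("chain is incomplete; import the missing parent first")
    return len(order_chain(certs)) - 1


# Constructed sample input: what the import screen might list, deliberately out of order.
CHAIN_COMPLETE = [
    Cert("www.example.com", "Example Intermediate CA"),
    Cert("Example Root CA", "Example Root CA"),
    Cert("Example Intermediate CA", "Example Root CA"),
]
# The same chain with the root not displayed, as in the "whole chain is not displayed" case.
CHAIN_TRUNCATED = [
    Cert("www.example.com", "Example Intermediate CA"),
    Cert("Example Intermediate CA", "Example Root CA"),
]

if __name__ == "__main__":
    for name, chain in (("complete", CHAIN_COMPLETE), ("truncated", CHAIN_TRUNCATED)):
        ordered = " -> ".join(c.subject_cn for c in order_chain(chain))
        missing = missing_parent(chain)
        print("%s chain: %s" % (name, ordered))
        if missing is None:
            print("  complete; SSLProxyVerifyDepth needs at least %d" % verify_depth(chain))
        else:
            print("  missing parent, import manually: %s" % missing)
```

Running the script prints the leaf-to-root order for each constructed chain, then either the depth value to set or the CN of the parent certificate that still has to be imported into the trust store.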