Secure explicit proxy with client certificates NEW
The explicit web proxy policy can use client certificates for validation. In this example, a CA signs a client certificate. The client certificate is installed on an endpoint, and the root CA is imported to FortiGate. A web proxy policy is configured to require the client certificate.
When the user accesses a web site, the explicit web proxy policy uses the client certificate from the endpoint device to authenticate the user and grant access to the web site.
To configure client certificates with explicit proxies:
-
Prepare the certificate:
-
Use a CA to sign the client certificate.
-
Import the root CA certificate that signed the client certificate to FortiGate. In this scenario, the certificate is root_ca.
-
Install the client certificate on an endpoint.
-
-
Configure the explicit web-proxy policy to request the client certificate from the endpoint.
config web-proxy explicit set secure-web-proxy enable set secure-web-proxy-cert "proxy" set client-cert enable set empty-cert-action block end
-
Configure verification of the client certificate with the root CA.
config authentication setting set user-cert-ca "root_ca" end
When the user accesses a web site:
-
FortiGate requests client certificate authentication, and the web browser displays the available certificates. The user selects a client certificate (client2.fortinet.com) issued by the reqa.ftnt.com CA, and clicks OK.
-
Once the client certificate is successfully verified against the root CA certificate imported on the FortiGate, access to the web site is granted.
When the endpoint device fails to present a client certificate, a message is displayed, and access to the web site is blocked.