TLS server support:
Connection to source will be encrypted via TLS, Application Gateway acts as TLS server (SSL is no more supported!).
Not valid for SAPR.
SSL:certfile[/parameter] ... path to certificate file or thumbprint of certificate for TLS encryption.
Further hints and options concerning certificate loading can be found here.
TLS:protocols ... optional, list of supported encryption protocols: TLS10, TLS11, TLS12 or TLS13 (separated by | ), if not specified: TLS 1.2 or TLS 1.3 will be used, depending on client.
- If protocols is "none" ... The operating systems chooses the protocol.
CCR:EmailAddresses ... optional, Client Certificate Required, see schema
EmailAddresses(optional) is a list of email addresses (separated by | ) that are allowed (may contain one or more * for wildcard, e.g. *@aon.at, firstname.lastname@example.org, *.email@example.com), references to OTP group names (with trailing %), references to groups that contain email addresses.
Email addresses must be lowercase. Following attributes of the client certificate will be logged: subject, issuer, email address, userPrinzipalName.
If EmailAddresses is specified: email address within client certificate must match
In the client-authenticated TLS handshake the server requests a certificate from the client by sending a CertificateRequest message.
This message contains a list of distinguished names (DNs) of CAs that the server trusts (CTL ... CertificateTrustList).
This list may be used by the client to choose an appropriate certificate that should be sent to the server in the Certificate message of the client.
If there are too many certificates in the "Trusted Root Certification Authorities" store, the proper certificate might not be transmitted.
In Windows the issuer list cannot be larger than 16,384 (or 0x4000) bytes!
In this case set HKLM/system/currentcontrolset/control/securityproviders/schannel/SendTrustedIssuerList to 0 (DWORD)
-> no CTL will be sent and the client displays all certificates when prompting to select one.
Starting with Windows 8 and Windows Server 2012 the default of SendTrustedIssuerList is 0:
See also what-s-new-in-tls-ssl-schannel-ssp-overview
To configure a trusted issuers list on Windows 8 and Windows Server 2012 or later proceed as follows:
Set SendTrustedIssuerList to 1 (reboot necessary!) and store certificates of trusted issuers into the local computer certificate store Client Authentication Issuers (Clientauthentifizierungsaussteller).
Following keywords can be used for TLS connections in combination with keyword CCR:
CCNRQ ... Client Certificate Not ReQuired: session continues even if client does not offer a certificate or certificate check does not succeed (for test purposes and EAS)
CCRBLK: ... EmailAddresses ... block list: EmailAddresses (same format as in keyword CCR) to be blocked.
FIRSTE ... For a new link a client certificate will not be requested, if there is an existing link with same rule ID, source IP and validated client certificate/email.
... This is especially useful for connections to SharePoint when checking out files. If FIRSTE is not specified: At checkout additional prompts for certificates and username/password will occur.
FIRSTT ... For the first link from a specific source IP to this rule a client certificate will be requested and a session object (SessionID) will be created.
... This session object has the same TTL as the link. If another link from the same source IP to this rule is established, no client certificate will be requested if a matching SessionID has been found.
... This keyword overrides the keyword FIRSTE.
RDR:filename ... ReDiRect: sends filename (must be html coded) if client is not authenticated accordingly, RDR has higher priority than CCNRQ.
... The string %ClientCertError% will be replaced by an error message. If filenname is not specified the default template will be used.
ISS ... check certificate issuer
ROO ... check certificate root
RVS ... client certificate will be checked against revocation list (within SslStream.AuthenticateAsServer)
Following keyword can be used for TLS connections in combination with keyword OTPR:
FIRSTO ... match on SessionID also if SourceIP matches (similar to keyword FIRSTT).
Following keyword can be used for TLS connections when the connection terminates at the Application Gateway,
e.g. manage, status, web, logon, OTP:
HSTS:param ... set http response header"Strict-Transport-Security".
... if param is "*": includeSubDomains will be set
... if param is any other character: includeSubDomains will not be set
... max-age=31536000 is set
For definition of "Strict Transport Security Policy" see RFC6797
Example with required authentication:
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMailExample where client does not need a certificate:
* ;188.8.131.52 ;443 ;184.108.40.206 ;220.127.116.11 ;* ;* ;SSL:server.cer,CCR:*@xx.com,ISS:XXCA,SSLTARGET:NoCheck,RDR:invalidCert.htm;* ;TLS Auth;firstname.lastname@example.org
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMailExample with local web site:
* ;18.104.22.168 ;443 ;22.214.171.124 ;126.96.36.199 ;* ;* ;SSL:server.cer,CCR,CCNRQ,TLS:TLS10|TLS11|TLS12,SSLTARGET:www.x.com ;* ;TLS no Auth;email@example.com
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
* ;188.8.131.52 ;444 ;web ;* ;* ;* ;SSL:server.cer,DIR:"c:\www" ;* ;web via TLS;firstname.lastname@example.org
TLS client support:
Connection to destination will be encrypted via TLS, Application Gateway acts as TLS client (SSL is no more supported!).
Not valid for PRX, SAPR, SIP, ORA, X11.
Keyword SSLTARGET:targetHost[!issuer[!clientcert]] ... The value specified for targetHost must match the name on the destination server's certificate. Otherwise the session will terminate.
issuer is optional and consists of a list (separated by | ) of accepted issuers of the server certificate.
If targetHost or issuer is "NoCheck": The server certificate will not be checked. Subject and Issuer of the certificate will be written to the log file.
Caution: If "NoCheck" is specified as targetHost this string will also be transmitted to the server and the server may abort the session because this string does not match the certificate name.
- This option should not be used any longer, just for upward compatibility.
clientcert is optional, for syntax see certificate loading.
If clientcert is specified: SSLCC will not be used for this target. If clientcert not is specified: The certificate defined by SSLCC (if any) will be used.
If clientcert is "None" no client sertificate will be sent.
TLSC:protocols ... optional, list of supported encryption protocols: TLS10, TLS11, TLS12 or TLS13 (separated by | ), if not specified: TLS 1.2 or TLS 1.3 will be used, depending on server.
- If protocols is "none" ... The operating systems chooses the protocol.
- SSLTARGET:rsp.applicgate.com ... The server certificate must be valid and trusted and the server name must match, issuer will not be checked.
- SSLTARGET:"rsp.applicgate.com!CN=R3, O=Let's Encrypt" ... Additionally the name of the issuer of the server certificate must start with the specified issuer string.
- SSLTARGET:"rsp.applicgate.com!NoCheck" ... no certificate checking
- SSLTARGET:"rsp.applicgate.com!NoCheck!rspcert.cer" ... no server certificate checking, client certificate specified
- SSLTARGET:rsp.applicgate.com!!rspcert.cer ... server certificate will be checked, issuer will not be checked, client certificate specified
Multiple SSLTARGET keywords may be specified (results in nested TLS connections).
SSLTARGET and CONNECT keywords may be mixed and they are processed from left to right.
Obsolete keyword NOCHECK: The certificate of the destination server will not be checked. Do not use this any longer, specify the string "NoCheck" as issuer (see above).
Keyword SSLCC:clientcert ... Path to client certificate (.cer, .pfx or .p12), thumbprint or emailfilter for client certificate selection.
For TLS client authentication when connecting to a TLS server.
Optional, used with keyword SSLTARGET if there is no client certificate defined.
For syntax of clientcert see certificate loading.
Only for autologon entries (not supported on Linux): Prompt for certificate selection
SSLCC:prompt[:email] ... No prompt if only one certificate matches. The selected certificate will be cached for retries.
SSLCC:Prompt[:email] ... Prompt even if only one certificate matches. The selected certificate will be cached only for automatic retries.
SSLCC:promptSmart[:email] ... No prompt if only one certificate matches; only certificates with EnhancedKeyUsage "Smart Card Logon" are shown
SSLCC:PromptSmart[:email] ... Prompt even if only one certificate matches; only certificates with EnhancedKeyUsage "Smart Card Logon" are shown
- email is an optional filter (supports * as wildcards) to select certificates with matching email address only, e.g. SSLCC:Prompt:*email@example.com
- In all cases only the certificate store of the current user will be searched and
- the keyword ISS:"issuer" is supported: Only certificates from this issuers may be selected.
See also Examples for TLS configuration