Web Interface Servers Cannot Reach Access Gateway Enterprise Edition Virtual Server when Authentication is at the Appliance


Article ID: CTX137385


Description

In some environments that integrate Access Gateway Enterprise Edition passthrough authentication to Web Interface, the Web Interface servers cannot reach the Access Gateway virtual server.

In environments where authentication takes place at the Access Gateway Enterprise Edition appliance and credentials are sent to the Web Interface server, the Web Interface servers by default use a method called Callback, which verifies whether the request came from the Access Gateway Enterprise Edition appliance.

For this callback communication to occur, you must ensure that the following conditions are true:

  • Web Interface servers can resolve the DNS name of the Access Gateway virtual server.

  • Port 443 (HTTPS) on the Access Gateway Enterprise Edition virtual server is reachable from the Web Interface server.

  • Because HTTPS is used for this communication, the following conditions must also be true:

    • The certificate used on the Access Gateway Enterprise Edition virtual server must match the FQDN used for the connection.
    • Web Interface servers must trust the entire certificate chain of the server certificate (intermediate and root certificates).


Resolution

To solve this issue, complete the following procedure:

  1. Create a dedicated Access Gateway Enterprise Edition virtual server, used only for the Callback process, with an IP address that the Web Interface servers can reach.
    Note: Authentication and session policies are not required on the virtual server.

  2. Use the same SSL certificate used for the Access Gateway Enterprise Edition virtual server created for user connections.

  3. Modify the Web Interface servers so that the FQDN in the SSL certificate resolves to the IP address of the dedicated "callback" Access Gateway virtual server.
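
The callback conditions from the Description, and the name resolution changed in step 3, can be checked from a Web Interface server with the script below. It is an added example, not part of the Citrix article: the function name Test-CallbackPath and the FQDN gateway.example.com are assumptions, and it uses only .NET classes so that the certificate verdict comes from the Windows certificate store on that server.

```powershell
# Added example (not from the Citrix article). Run on a Web Interface server.
# 'gateway.example.com' is a placeholder: pass the FQDN in the gateway certificate.
param([string]$Fqdn = 'gateway.example.com', [int]$Port = 443)

function Test-CallbackPath {
    param([string]$Fqdn, [int]$Port = 443)
    $r = New-Object PSObject -Property @{
        Fqdn = $Fqdn; Addresses = $null; TcpReachable = $false
        CertSubject = $null; PolicyErrors = $null; TlsTrusted = $false; Error = $null
    }
    $client = $null; $ssl = $null
    try {
        # Condition 1: the name resolves as this server sees it (DNS or hosts file).
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString }) -join ', '

        # Condition 2: the virtual server accepts TCP connections on the HTTPS port.
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($Fqdn, $Port)
        $r.TcpReachable = $true

        # Condition 3: certificate name match and chain trust. The callback
        # records what the platform reported and rejects anything but a clean result.
        $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($source, $cert, $chain, $policyErrors)
            $r.PolicyErrors = $policyErrors.ToString()
            if ($cert) { $r.CertSubject = $cert.Subject }
            return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $validate)
        $ssl.AuthenticateAsClient($Fqdn)
        $r.TlsTrusted = $true
    }
    catch { $r.Error = $_.Exception.Message }
    finally {
        if ($ssl) { $ssl.Close() }
        if ($client) { $client.Close() }
    }
    return $r
}

Test-CallbackPath -Fqdn $Fqdn -Port $Port | Format-List
```

A PolicyErrors value of RemoteCertificateNameMismatch points to the FQDN condition, and RemoteCertificateChainErrors points to an intermediate or root certificate that the Web Interface server does not trust.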


Additional Information

CTX120164 - How to Implement Single Sign-on with Access Gateway Enterprise Edition 9.x and Web Interface 5.x