Client Certificate Authentication between IIS reverse proxy and origin server

Question

I am fairly new to IIS. We have a requirement to setup a reverse proxy using IIS. Now the origin / backend server can be on HTTP or HTTPS.

We have successfully configured mutual authentication on IIS for the client to require SSL and present a client certificate.

What we now need is to enable mutual authentication between the IIS reverse proxy and the origin server. Something like below:

----------                ---------------------                ----------
| Client | --- HTTPS ---> | IIS Reverse Proxy | --- HTTPS ---> | Origin |
----------                ---------------------                ----------

This setup requirement is similar to this question except that the question uses Apache HTTPD. Is this setup possible with IIS?

Any reference link / documentation would be appreciated.

score 0 · Accepted Answer · answered Nov 20 '19 at 08:10

I'm afraid it is impossible to do mutual authentication between native ARR and origin Server without client. Because we can't find kind of ProxyCertificate Property.

You could only set IIS ARR proxy by following this link. Then client will be able to send client certificate to ARR Server and ARR will add a request header X-ARR-ClientCert to deliver client certificate to your Origin Server.

https://blogs.msdn.microsoft.com/benjaminperkins/2014/06/02/configure-application-request-routing-arr-with-client-certificates/

Then Your origin server could process authentication by handling X-ARR-ClientCert header or asp.net HttpRequest.ClientCertificate property.

https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth

Client Certificate Authentication between IIS reverse proxy and origin server

1 Answers1