Mutual TLS (mTLS) authentication, with certificates configured on beacons and on inventory device computers running the FlexNet inventory agent, can be used to help ensure a level of trust between beacons and inventory devices. This article describes how this may be configured using the Client Certificate Mapping Authentication settings in IIS on a beacon.
There are two ways to configure Client Certificate Mapping Authentication:
Using one-to-one client certificate mappings where inventory devices have a copy of the private key of the beacon's certificate.
Using many-to-one client certificate mappings where the beacon only accepts connections from inventory devices that have certificates issued from a specific Certificate Authority.
This article is focused on the many-to-one type of configuration, but the ideas described can easily be adapted to a one-to-one configuration.
The purpose of this solution is to ensure that only authorized inventory devices can access a beacon. This setup is based on using Client Certificate Mapping Authentication that is configured in IIS.
The following diagram shows an example high-level design of how key network communication pathways might work for a setup involving this type of configuration:
Key points illustrated in this diagram are:
A certificate is configured in the IIS web site on the beacon.
A client authentication certificate issued by the local certificate authority (CA) service is installed on each inventory device computer that the FlexNet inventory agent runs on.
It is assumed that the beacon will be hosted in a dedicated AWS VPC network. The beacon should have network access to any CA Certificate Revocation List (CRL) URLs that are specified in client certificates, so that inventory devices presenting revoked or expired certificates are prevented from connecting to the beacon.
This diagram shows an AWS VPC environment, with an application firewall, and agents in "home offices". These aspects are illustrative examples, but not a requirement for the techniques described in this article.
Setup and configuration
The setup of this solution requires minimal changes in the IIS web site configuration on the beacon.
This solution requires:
The IIS Client Certificate Mapping Authentication role service is installed on the beacon.
Appropriate client certificates are deployed to inventory device computers.
A Client and Server Authentication certificate is available for configuring on the beacon.
The certificate issuer is configured in the Trusted Root Certification Authorities store on both the beacon and all the Windows inventory device computers that are communicating with the beacon.
The following steps illustrate how IIS may be set up on the beacon for this configuration.
Install the Client and Server Authentication certificate in the Default Web Site Bindings:
Configure the SSL Settings for the Default Web Site: check the Require SSL option, and the option to Require client certificates:
Configure the IIS client certificate mapping properties:
Set the manyToOneCertificateMappingsEnabled setting to True, and open the properties of the manyToOneMappings setting:
Add Issuer as matching criteria to match client certificates that your beacon should accept. Additional Issuer and Subject criteria can be added if needed:
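The steps above are shown in the IIS Manager screenshots; the following PowerShell script is an added example (not part of the original article or of the FlexNet product) that performs the same beacon-side configuration from an elevated prompt using the WebAdministration and PKI modules. The site name "Default Web Site", the certificate thumbprint, the issuing CA name, the CA certificate file path, and the mapped Windows account and password are placeholders that must be replaced with your own values; the Windows feature name Web-Cert-Auth is the role service the article calls "IIS Client Certificate Mapping Authentication". Settings are written to the site's location tag in applicationHost.config because the client certificate mapping section is locked at the server level by default.

```powershell
# Added example: configure many-to-one client certificate mapping on a beacon.
# All values marked PLACEHOLDER must be replaced before running.
Import-Module WebAdministration
Import-Module PKI

$site           = 'Default Web Site'
$serverCertHash = 'PLACEHOLDER_THUMBPRINT_OF_CLIENT_AND_SERVER_AUTH_CERT'
$caCertFile     = 'C:\PLACEHOLDER\IssuingCA.cer'   # issuing CA certificate to trust
$issuerCN       = 'PLACEHOLDER Issuing CA'         # CN of the CA that issues agent certs
$mapUser        = 'PLACEHOLDER_LOCAL_ACCOUNT'      # low-privilege local account for mapped clients
$mapPassword    = 'PLACEHOLDER_PASSWORD'
$appHost        = 'MACHINE/WEBROOT/APPHOST'
$authFilter     = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Step 0: the CA issuing the client certificates must be trusted by the beacon
# (it must also be trusted on the Windows inventory devices; that is done separately).
Import-Certificate -FilePath $caCertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 1: install the IIS Client Certificate Mapping Authentication role service.
if (-not (Get-WindowsFeature -Name Web-Cert-Auth).Installed) {
    Install-WindowsFeature -Name Web-Cert-Auth | Out-Null
}

# Step 2: bind the Client and Server Authentication certificate to the site on 443.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 | Out-Null
}
$cert = Get-Item "Cert:\LocalMachine\My\$serverCertHash"
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Step 3: SSL Settings -> Require SSL and Require client certificates.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 4: enable IIS client certificate mapping in many-to-one mode only.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name 'manyToOneCertificateMappingsEnabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name 'oneToOneCertificateMappingsEnabled' -Value $false

# Step 5: add a mapping that allows certificates whose Issuer CN matches the internal CA.
# Additional rules (for example a Subject OU) can be appended to the same rules collection.
$mappingName = 'Agents from internal CA'
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authFilter/manyToOneMappings" -Name '.' -Value @{
        name = $mappingName; enabled = $true; permissionMode = 'Allow'
        userName = $mapUser; password = $mapPassword
    }
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authFilter/manyToOneMappings/add[@name='$mappingName']/rules" -Name '.' -Value @{
        certificateField = 'Issuer'; certificateSubField = 'CN'
        matchCriteria = $issuerCN; compareCaseSensitive = $false
    }

# Step 6: read the result back so the change can be confirmed before agents reconnect.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$authFilter/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

The mapped account is the Windows identity IIS impersonates for every inventory device that matches the rule, so it should be a dedicated account with no rights beyond those the beacon web site needs; IIS stores its password encrypted in applicationHost.config. Because the mapping matches on Issuer only, any certificate issued by that CA is accepted, so limit the CA to issuing client certificates for inventory devices or add Subject criteria to narrow the match, and confirm the beacon can reach the CRL URLs in the client certificates so revoked certificates are rejected.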
Additional information related to this topic can be found at the following locations: