Mutual TLS (mTLS) authentication with certificates configured on beacons and inventory device computers running the FlexNet inventory agent can be used to help ensure a level of trust between beacons and inventory devices. This article describes how this may be configured using Client Certificate Mapping Authentication settings in IIS on a beacon.
There are two ways to configure Client Certificate Mapping Authentication:
- Using one-to-one client certificate mappings where inventory devices have a copy of the private key of the beacon's certificate.
- Using many-to-one client certificate mappings where the beacon only accepts connections from inventory devices that have certificates issued from a specific Certificate Authority.
This article focuses on the many-to-one type of configuration, but the ideas described can easily be adapted to the one-to-one type of configuration.
Configuration overview
This solution ensures that only authorized inventory devices can access a beacon. This setup uses Client Certificate Mapping Authentication configured in IIS.
The following diagram shows an example high-level design of how key network communication pathways might work for a setup involving this type of configuration:
Key points illustrated in this diagram are:
- A certificate is configured on the IIS website on the beacon.
- A client authentication certificate issued by the local certificate authority (CA) service is installed on each inventory device computer that the FlexNet inventory agent runs on.
- It's assumed that the beacon will be hosted in a dedicated AWS VPC network. The beacon should have network access to any CA Certificate Revocation List (CRL) URLs that are specified in client certificates, to prevent inventory devices with revoked or expired certificates from being able to connect to the beacon.
- This diagram shows an AWS VPC environment with an application firewall and agents in "home offices." These aspects are illustrative examples, not a requirement for the techniques described in this article.
Setup and configuration
The setup of this solution requires minimal changes in the IIS website configuration on the beacon.
Prerequisites
This solution requires:
- The IIS Client Certificate Mapping Authentication role is installed on the beacon.
- Appropriate client certificates are deployed to inventory device computers.
- A Client and Server Authentication certificate is available for configuring on the beacon.
- The certificate issuer is configured in the Trusted Root Certification Authorities store on both the beacon and all the Windows inventory device computers that are communicating with the beacon.
IIS configuration
The following steps illustrate how IIS may be set up on the beacon for this configuration.
- Install the Client and Server Authentication certificate in the Default Web Site Bindings.
- Configure the SSL Settings for the Default Web Site: check the Require SSL option and the option to Require client certificates.
- Configure the IIS client certificate mapping properties.
- Set the manyToOneCertificateMappingsEnabled setting to True and open the properties of the manyToOneMappings setting.
- Add Issuer as matching criteria to match client certificates that your beacon should accept. Additional Issuer and Subject criteria can be added if needed.
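The SSL Settings and many-to-one mapping steps above can also be scripted. The following PowerShell is an added example, not taken from the FlexNet Manager Suite documentation; it uses the IIS WebAdministration module, and the mapping name, issuer CN value and mapped Windows account are placeholders assumed for illustration. The certificate binding step is not included because it depends on the thumbprint of the certificate installed on the beacon.

```powershell
# Added example: scripts the IIS steps above on the beacon (run in an elevated session).
Import-Module WebAdministration

$site    = 'Default Web Site'
$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Placeholders (assumptions, not values from the article).
$mappingName = 'InventoryDevices'           # hypothetical mapping name
$issuerCN    = '<ISSUING-CA-COMMON-NAME>'   # CN of the CA that issues the device certificates
# IIS maps every matching client certificate to one Windows account.
$account     = Get-Credential -Message 'Windows account that matched clients are mapped to'

# SSL Settings: "Require SSL" plus "Require client certificates".
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Enable Client Certificate Mapping Authentication and many-to-one mappings.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $auth -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $auth -Name manyToOneCertificateMappingsEnabled -Value $true

# Add the many-to-one mapping entry (permissionMode Allow = accept matching clients).
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/manyToOneMappings" -Name '.' -Value @{
        name           = $mappingName
        enabled        = $true
        permissionMode = 'Allow'
        userName       = $account.UserName
        password       = $account.GetNetworkCredential().Password
    }

# Add the Issuer matching rule; further Issuer or Subject rules can be added the same way.
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/manyToOneMappings/add[@name='$mappingName']/rules" -Name '.' -Value @{
        certificateField     = 'Issuer'
        certificateSubField  = 'CN'
        matchCriteria        = $issuerCN
        compareCaseSensitive = $true
    }

# Read the settings back to confirm what was written.
Get-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags
Get-WebConfiguration -PSPath $apphost -Location $site `
    -Filter "$auth/manyToOneMappings/add/rules/add" |
    Select-Object certificateField, certificateSubField, matchCriteria
```

The rule compares strings in the presented certificate's Issuer field; whether the certificate chains to a trusted CA is still decided by the Trusted Root Certification Authorities store listed in the prerequisites.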
Learn more
Additional information related to this topic can be found at the following locations.
- FlexNet Manager Suite documentation:
- FlexNet Manager Suite knowledge base:
- IIS documentation: