Configuring Secured (HTTPS) Web

By default, the device allows remote management (client) through HTTP and HTTPS. However, you can enforce secure Web access communication by configuring the device to accept only HTTPS requests.

By default, servers using TLS provide one-way authentication. The client is certain that the identity of the server is authentic. However, when an organizational Public Key Infrastructure (PKI) is used, two-way authentication (TLS mutual authentication) may be desired; both client and server should be authenticated using X.509 certificates. This is achieved by installing a client certificate on the management PC and loading the Certification Authority's (CA) root certificate to the device's Trusted Certificates table (certificate root store). The Trusted Root Certificate file may contain more than one CA certificate combined, using a text editor.

➢

To configure secure (HTTPS) Web access:

1.

Open the Web Settings page (Setup menu > Administration tab > Web & CLI folder > Web Settings), and then do the following.

●

From the 'Secured Web Connection (HTTPS)' drop-down list, select HTTPS Only.

●

To enable two-way authentication whereby both management client and server are authenticated using X.509 certificates, from the 'Require Client Certificates for HTTPS connection' drop-down list, select Enable.

2.

If you want to configure secured management through an Additional Management Interface (i.e., not through the default management network interface called OAMP in the IP Interfaces table), then configure an Additional Management Interface as described in Configuring Additional Management Interfaces. Assign it a TLS Context and enable it for HTTPS Only.

3.

(TLS Mutual Authentication Only) In the TLS Contexts table (see Configuring TLS Certificate Contexts), select the required TLS Context (see following note), and then click the Trusted Root Certificates link located below the table; the Trusted Certificates table appears.

4.

(TLS Mutual Authentication Only) Click the Import button, and then select the certificate file that was issued by the CA and which you want to import into the device's Trusted Root Certificates store.

5.

WAN access:

●

From the 'WAN OAMP Interface' drop-down list, select the required WAN interface type.

●

To enable WAN access to the management interface through HTTP, from the 'Allow WAN access to HTTP' drop-down list, select Enable.

●

To enable WAN access to the management interface through HTTPS, from the 'Allow WAN access to HTTPS' drop-down list, select Enable.

6.

Reset the device with a save-to-flash for your settings to take effect.

When a user connects to the secured Web interface of the device:

■

If the user has a client certificate from a CA that is listed in the device's Trusted Root Certificate file, the connection is accepted and the user is prompted for the login password.

■

If both the CA certificate and the client certificate appear in the Trusted Root Certificate file, the user is not prompted for a password. Therefore, this provides a single-sign-on experience; authentication is performed using the X.509 digital signature.

■

If the user does not have a client certificate from a listed CA or does not have a client certificate, connection is rejected.