The SSL Proxy, in forward proxy deployments, can specify whether a client certificate is required. These certificates are used for user consent, not for authentication. Whether they are needed depends upon local privacy laws.
With client consent certificates, each user is issued a pair of certificates with the corresponding private keys. Both certificates have a meaningful user-readable string in the common name field. One certificate has a common name that indicates grant of consent, something like "Yes, I agree to SSL interception". The other certificate has a common name indicating denial of consent, something like "No, I do not agree to SSL interception".
Policy is installed on the ProxySG to look for these common names and to allow or deny actions. For example, when the string "Yes, I agree to SSL interception" is seen in the client certificate common name, the connection is allowed; otherwise, it is denied.
To Configure Client Consent Certificates:
- Install the issuer of the client consent certificates as a CA certificate.
- In VPM, configure the Require Client Certificate object in the Action column of the SSL Layer.
- Configure the Client Certificate object in the Source column to match common names.
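The following is an added model of the decision the three steps above produce, written for this page rather than taken from ProxySG or its policy language. It assumes the proxy presents the client certificate's subject and issuer as RFC 4514 distinguished-name strings and that the consent CA name, organisation name and the `chain_valid` flag are constructed placeholders. It makes two points the steps leave implicit: the grant is an exact common-name match against a certificate that validates to the installed consent CA (a cert from any other issuer, or no cert at all, is denied), and because both consent strings contain a comma, the common name arrives escaped in the DN string, so a naive split on "," mis-parses it.

```python
"""Model of a client consent certificate policy decision (added example, not ProxySG code).

Assumptions (constructed for this example):
  - the proxy hands policy the subject and issuer as RFC 4514 strings,
    e.g. 'CN=Yes\\, I agree to SSL interception,O=Example Corp';
  - chain_valid is the outcome of validating the cert against the CA
    certificates installed on the proxy (step 1 of the procedure).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed name for the issuer installed as a CA certificate in step 1.
CONSENT_CA = "CN=Consent Issuer CA,O=Example Corp"

# The two common names from the page; the comma inside each one is the
# reason a DN parser must honour RFC 4514 backslash escapes.
GRANT_CN = "Yes, I agree to SSL interception"
DENY_CN = "No, I do not agree to SSL interception"


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 DN string into {attribute: value}.

    A backslash escapes the next character, so 'CN=Yes\\, I agree...' yields
    the CN 'Yes, I agree...' instead of splitting at the comma. An '=' is only
    a separator while we are still reading the attribute name.
    """
    attrs = {}
    key: Optional[str] = None
    buf = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif ch == "," and key is not None:
            attrs[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    if key is not None:
        attrs[key] = "".join(buf)
    return attrs


@dataclass
class ClientCert:
    subject: str      # RFC 4514 subject DN string
    issuer: str       # RFC 4514 issuer DN string
    chain_valid: bool  # validated against the CAs installed on the proxy


def consent_decision(cert: Optional[ClientCert]) -> str:
    """Return 'allow' or 'deny' for an intercepted connection.

    Mirrors the policy described on the page: Require Client Certificate
    (no certificate means deny), the certificate must chain to the installed
    consent CA, and only the exact grant common name allows. Everything
    else, including the explicit denial certificate, is denied.
    """
    if cert is None:
        return "deny"  # Require Client Certificate: nothing presented
    if not cert.chain_valid:
        return "deny"  # self-signed or foreign-issued certificate
    if parse_dn(cert.issuer) != parse_dn(CONSENT_CA):
        return "deny"  # valid chain, but not the consent issuer from step 1
    cn = parse_dn(cert.subject).get("CN")
    return "allow" if cn == GRANT_CN else "deny"


if __name__ == "__main__":
    grant = ClientCert("CN=Yes\\, I agree to SSL interception,O=Example Corp", CONSENT_CA, True)
    deny = ClientCert("CN=No\\, I do not agree to SSL interception,O=Example Corp", CONSENT_CA, True)
    print("grant cert:", consent_decision(grant))   # allow
    print("deny cert: ", consent_decision(deny))    # deny
    print("no cert:   ", consent_decision(None))    # deny
```

The exact-match comparison is a deliberate choice: a substring or prefix match on "Yes" would let a certificate whose CN merely starts with that word pass, and the issuer check is what stops a user-generated certificate carrying the grant string from counting as consent.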