Secure your VMware Web Proxy access with Okta

Overview / Prerequisites

In this blog post I want to walk you through integrating Okta as the IdP with VMware Web Proxy and show what the user experience looks like.
I will not cover how to create a Security Policy on the VMware side, but you can read the basic steps in my personal blog.

The VMware Cloud Web Security (CWS) Web Proxy is designed to enable the standalone consumption of CWS without the need for VMware SD-WAN or VMware Secure Access (SA). Any device with a modern browser that can support a network proxy configuration, either manually or automatically through a proxy auto-config (PAC) file, can have its Web traffic redirected to CWS for security inspection.
You can read more about this here.

We need to have the following in place:

  • Okta SAML Provider Configuration
  • VMware standalone Cloud Web Security Configuration
  • Client/Host configuration with the SSL Termination Certificate and the Web Proxy URL

Create Okta SAML App

First we will create a new application on the Okta side. Log into the Okta Admin Portal and in the left navigation menu select
Applications –> Applications

Select Create App Integration

Select SAML 2.0 and click Next

In the General Settings section, enter a name for the app, add a logo (optional), choose not to display it to the users and click Next

Fill in the following fields:

Scroll down and click Next

In this section we need to select:

  • “I’m an Okta customer adding an internal app”
  • “This is an internal app that we have created”
  • Click Finish

In the next step we need to navigate to the Sign On tab

and scroll down to SAML Signing Certificates

Next to the active certificate, select Actions, then View IdP metadata and Download certificate, and save the certificate to a local folder.

Navigate to the Assignments tab and assign the people or groups that should have access to our application

Configure Authentication (SSO)

In the next part we will configure Single Sign On authentication on the VMware side.

Once logged into the SASE Orchestrator, open the SD-WAN dropdown and select Cloud Web Security

Select Configure and then Authentication

Toggle Single Sign On to Enabled, select Yes and pick Okta as the SAML Provider

Enter the SAML 2.0 Endpoint and the Service Identifier (Issuer); you can take both values from the metadata XML of the previous step (Create Okta SAML App).

In the Domain field, fill in your domain (e.g. yourdomain.com). This setting is used to identify enterprise users (user@domain) so that their authentication request is sent to Okta.

Now scroll down to the X.509 Certificate section and click Add/Edit Certificate

Open the certificate we downloaded during the SAML app creation, paste its contents and save the settings.

Selecting the Web Proxy option in the menu bar takes us to the corresponding page

Toggle Enable Web Proxy to Active, select a Cloud Web Security Policy
(here you can read how to create a basic one) and save your settings.
Write down the Proxy URL, as we will need it for the host configuration.

Client Configuration

In the last part we will look at the host configuration. To use the Cloud Proxy functionality we need the SSL Termination Certificate and the Proxy URL.
In an enterprise setup you would roll out both the certificate and the client proxy configuration via, for example, an MDM solution.

We can download the certificate via the SSL Termination menu

and import it into the Trusted Root Certificate Authorities store of the clients

The Web Proxy URL and port need to be filled in here
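
As an added example (not from this post, VMware or Okta), here is a minimal proxy auto-config (PAC) file that implements the client-side redirect mentioned in the overview and in this section: web traffic is sent to the CWS Web Proxy, while single-label intranet names, private IP ranges and internal domains stay direct. The proxy host/port and the internal domain suffixes are placeholders to replace with your own values.

```javascript
// Added example PAC file. Placeholder values, not from the post: replace
// proxy.cws.example:3128 with the Proxy URL and port noted from the Web Proxy
// page of the Orchestrator, and INTERNAL_DOMAINS with your own suffixes
// (constructed samples). ES5 syntax on purpose: some PAC engines do not
// support newer JavaScript.
var CWS_PROXY = "PROXY proxy.cws.example:3128";
var INTERNAL_DOMAINS = [".corp.example", ".internal.example"];

// True for loopback, link-local and RFC 1918 IPv4 literals, which stay on-net.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]);
  var b = Number(m[2]);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point that every PAC-aware browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names (e.g. "intranet") and private IPs go direct.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  // Internal domains are not sent to the cloud proxy.
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    var suffix = INTERNAL_DOMAINS[i];
    if (host.length > suffix.length &&
        host.substring(host.length - suffix.length) === suffix) {
      return "DIRECT";
    }
  }
  // CWS inspects web traffic; other schemes bypass the proxy.
  if (!/^https?:/i.test(url)) return "DIRECT";
  // Everything else is inspected by Cloud Web Security. Deliberately no
  // "; DIRECT" fallback: that would fail open and skip inspection whenever
  // the proxy is unreachable.
  return CWS_PROXY;
}
```

Host the file where clients can fetch it and point the automatic proxy configuration setting at its URL; the manual Web Proxy URL and port entry shown above is the equivalent for a single host.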

Demo

Finally, let's have a look at a short demo of what it looks like from a user perspective.
I will leverage Okta FastPass; its setup process is well documented at
https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/fp/fp-configure.htm.

Okta VMware Web Proxy Access
