Set Up Cert Proxy for Workspace ONE Access

The cert proxy settings must be configured on the Workspace ONE Access service to manage the Android Mobile SSO requests.

Prerequisites

Setting up cert proxy is required only for on-premises deployments of Workspace ONE Access for Android Mobile SSO authentication.

Load balancer correctly configured.
Certificates uploaded to the Workspace ONE Access service.
The cert proxy service running in the Workspace ONE Access appliance.

Procedure

Log in to the Workspace ONE Access console and navigate to the Monitor > Resiliency page.
Click VA Configuration on the service node to be configured with cert proxy.
Click Mobile SSO.

Configure the Cert Proxy settings for Android Mobile SSO requests to the Workspace ONE Access service.

Option	Description
Destination Forced	When Destination Forced is selected, a single host name or IP address must be provided in the Destination text box. All Android SSO requests are sent to that destination. This destination is either the load balancer or the local host, depending on the Workspace ONE Access configuration.
Destination	If Destination Forced is enabled, enter the host name or IP address to use. If Destination Forced is not selected, enter the allow-list of approved destinations that can receive Android SSO requests. The addresses in the list can be separated by a semicolon either in CIDR format, subnet format delimited by a space, or a single IP.
Allow RemotePort Header	Enable the use of the RemotePort header from the load balancer. The source port number of the request from the proxy to the Workspace ONE Access service is added to the header. The RemotePort header is required in the connection to tell the receiving node where to call to get the certificate.
Accept RemotePort From	Enter a allow-list of approved addresses that can include the RemotePort header. The addresses in the list can be separated by a semicolon either in CIDR format, subnet format delimited by a space, or a single IP.

Verify that the hash value for the Certificate Proxy Key and the Certificate Proxy Key (Identity Manager) are the same. Check the config files cert-proxy.properties and runtime-config.properties.
These two text boxes are pre-populated with the hash value of the certificate keys of the cert proxy service and the Workspace ONE Access service.

The hashes must match. If the hashes do not match, copy the value of one service to the other in the configuration files.

Configure the cert proxy configuration for Android SSO through the Workspace ONE Access service.

Option	Description
Port	Usually two ports are configured for cert proxy. Port 5262 receives the external request from the Android device. Port 5263 receives the internal admin request from the Workspace ONE Access service.
Admin Port	If the port number configured in the Port text box is the port that receives the internal request from the Workspace ONE Access service for the certificate, enable Admin Port. The port is usually 5263. If this port is not used to receive the internal request, do not enable this radio button.
SSL Certificate Type	Android SSO cert proxy is a separate service on the Workspace ONE Access appliance. Select Passthrough to reuse the pass-through certificate provisioned for Workspace ONE Access in the Appliance Settings > Install SSL Certificates page. If a different certificate is required, select Custom and upload the certificate in the SSL Certificate Chain text box.

Option

Description

Port

Usually two ports are configured for cert proxy.

Port 5262 receives the external request from the Android device.

Port 5263 receives the internal admin request from the Workspace ONE Access service.

Admin Port

If the port number configured in the Port text box is the port that receives the internal request from the Workspace ONE Access service for the certificate, enable Admin Port. The port is usually 5263.

If this port is not used to receive the internal request, do not enable this radio button.

SSL Certificate Type

Android SSO cert proxy is a separate service on the Workspace ONE Access appliance. Select Passthrough to reuse the pass-through certificate provisioned for Workspace ONE Access in the Appliance Settings > Install SSL Certificates page. If a different certificate is required, select Custom and upload the certificate in the SSL Certificate Chain text box.

To configure another port, click Add Port and configure the settings as described in step 6.
To save the port configuration, click Save.
When you make changes on this page that affect certificates, click Restart Cert Proxy service at the top of the page.
Clicking Restart Cert Proxy service might require a restart of the Workspace ONE Access service.

What to do next

Set up the cert proxy service on each node. If cert proxy service is set up on the first appliance, when you clone the Workspace ONE Access service on the appliance, most of the proxy settings are configured. To verify that the cert proxy settings are set correctly, you can check the runtime-config.properties file.