Forum Discussion

The-messenger's avatar
The-messenger
Icon for Cirrostratus rankCirrostratus
Feb 01, 2017

Add Machine Cert Auth to APM profile

I'm currently running APM with the Exchange iapp, I've been given a requirement that machines accessing owa must have a cert issued by our internal CA. I've added the machine cert auth to my APM policy but have yet to test successfully.

 

I don't have any F5 agent installed, is this required? User accounts have permissions to read the certificate store localcomputer\My

 

Here's what I have in the access log. 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Received User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko. 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: New session from client IP x.x.x.x (ST=Missouri/CC=US/C=NA) at VIP 10.x.xx.xxx Listener /Common/PKI-testing-vs (Reputation=Unknown) 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Following rule 'fallback' from item 'Start' to item 'Machine Cert Auth' 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: MachineCert agent: ENTER Function executeInstance 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Executed agent '/Common/machinecert-access_act_machinecert_auth_ag', return value 0 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Following rule 'fallback' from item 'Machine Cert Auth' to ending 'Deny'

 

BIG-IP Access Policy Manager (APM)
machine certificate
security
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Feb 01, 2017

    Based in the user agent string, you are using IE11 32bits in a Windows 10 computer. That is compatible, at least with the latest version of the APM.

     

    See this link for the compatibility matrix:

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-clientcompatmatrix-12-1-2.html

     

    Read this solution and check your configuration after:

     

    https://support.f5.com/csp/article/K13614

     

    As far as I remember, you don't have to install anything for this check. Anyway, if you do, the APM would ask you to install that when you connect.

     

    If you have configured the settings correctly, this looks more a problem for the current user to access the certificate. Try to change the "Allow User Account Control right elevation prompts" to yes, if not yet, and use an admin account just to see if works.