APM Features without Session Cookies

Question

Dear All,I have implemented an application proxy in LTM that uses an iRule along with old&nbsp;Advanced Client Authentication (ACA) features to perform OCSP checks for certificate-based authentication as a fall-back for requests from un-authorised IP addresses.The reason for an iRule and the old PAM-based authentication is that several of the services that are using the proxy cannot handle/present session cookies. My original implementation was built using APM, which made the whole solution much easier to configure. This worked like a dream for browser access and some command-line clients that could handle cookies. However access failed for client connections that couldn't handle cookies.&nbsp;I would love to use APM to replace the existing access rule, especially as old posts like the one below, suggest that the ACA features are likely to be removed at some point:&nbsp;https://community.f5.com/t5/technical-forum/ocsp-responders-and-configuration-profiles/td-p/44608&nbsp;Is there any way to use APM based features, such as OCSP Reponder authentication, either natively or from within an iRule, without APM session cookie requirements? Or is APM limited to connections that can handle cookies?Any advice gratefully received.

nikoolayy1 · Answer

Newer than the clientless mode that Juergen_Mang&nbsp; mentioned is the API protection profile that utilized F5 APM per-request policies that do not need a session:
&nbsp;
https://www.youtube.com/watch?v=-2ndGH9Dp1Q
&nbsp;
https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protection-use-cases.html
https://clouddocs.f5.com/training/community/access-solutions/solution13/guide/guide.html
&nbsp;

juergen_mang · Answer

&gt; Newer than the clientless mode that @Juergen_Mang&nbsp; mentioned is the API protection profile that utilized F5 APM per-request policies that do not need a session
IF there is no requirement for a session, the API protection profile is indeed the better attempt.

barny_riches · Answer

Thank you both for your responses and guidance. I will see if an API protection profile will be suitable for my needs and if not, I will run some tests using APM in clientless mode, which I had never heard of previously. I appreciate both suggestions, thank you again

juergen_mang · Answer

You can trie to use the clientless mode of apm: https://my.f5.com/manage/s/article/K80934060#link_06

barny_riches · Answer

Thank you Juergen, that's perfect, just the kind of guidance I needed. I will take a look at clientless mode to see if I can migrate my current configuration back to using APM.

Forum Discussion

APM Features without Session Cookies

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Experience the power of F5 NGINX One with feature demos

Cyber Security Attack Mitigations with BIG-IP features

DevCentral's Featured Member for February - Edouard Zorrilla

DevCentral's Featured Member for March - Thomas Dahlmann

DevCentral's Featured Member for April - Mihai Cziraki

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS