For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Andrew_Chan_472's avatar
Andrew_Chan_472
Icon for Nimbostratus rankNimbostratus
Jun 14, 2012

APM support for web services

I have setup APM to perform certificate authentication and use LDAP query to check the user assigned with the certificate is a valid user. The client certificate authentication comes with LTM does no...
application delivery
dev
devops
iRules
MiLK_MaN's avatar
MiLK_MaN
Icon for Nimbostratus rankNimbostratus
Jun 14, 2012
APM is obviously intended out of the box to support clients that support javascript, cookies etc.

 

 

There are definitely ways to do what you want, but it's going to be more than just bypassing the client check... you are also going to have to manually perform the cookie insertion that the APM automatically does to identify a user flow. We do this now for some of the in built iRules used for Microsoft Exchange clients like ActiveSync & Outlook Anywhere.

 

 

The basic principal in achieving this is to insert a HTTP header as such:

 

 

HTTP::header insert "clientless-mode" 1

 

 

This will force APM to bypass the logon page, and should continue with the SSL certificate check. You'll then need to form your own MRHSession cookie which is what the APM uses to track a valid user session.

 

 

Take a look at the system iRule _sys_APM_ExchangeSupport_main, which has been designed to perform this task. This uses a md5 hash of some TCL variables to form the MRHSession cookie which should be sufficient to uniquely identify the user session.