For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AceHunter1965's avatar
AceHunter1965
Icon for Altostratus rankAltostratus
Dec 15, 2021

BIG-IP Forward Client Cert To Node

Hey all,   At our company, we have a BIG-IP cluster bridging two networks, with servers / client on both sides (we also have the AWAF module which goes over HTTP requests).   Some of our webs...
application delivery
BIG-IP
LTM
spalande's avatar
spalande
Icon for Nacreous rankNacreous
Dec 16, 2021

F5 is a full proxy. If F5 is terminating SSL on the clientside, acting as TLS server and requesting for mTLS cert from the client, only way to send the cert to the backend node is parse the cert and send it in HTTP header.

 

If the backend node, needs to have clientcert directly from the client (without F5 sending it in a header), VIP needs to be configured as TLS pass-through (either performance layer 4 or standard VIP without http and ssl profiles)

 

OR you can try proxy-ssl feature

 

https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-system-ssl-administration/implementing-proxy-ssl-on-a-single-big-ip-system.html