Client Authentication with Proxy SSL

Question

Hello - i have the following setup&nbsp;Virtual server on the F5 without Client SSL or server ssl profiles - which passes web traffic to the backend iis server.the IIS server is configured to require the client certificate for Client Authentication.&nbsp;Question - if i configure client ssl and server ssl on F5 with Proxy ssl enabled - will the F5 pass the clients certificate to the backend IIS server?Thanks&nbsp;

keesvandenbos · Answer

Hi,Yes it will.https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/13.htmlDoes explain the setup.Cheers,Kees&nbsp;

awan_m · Answer

Thanks - i will test it out and update this .

kevin_stewart · Answer

To be clear, there are generally two options for allowing mutual TLS to pass through the BIG-IP, with client/server SSL profiles applied:

ProxySSL - as described above. But note, ProxySSL can only work with non-perfect-forward-secret handshakes. That means it only works with RSA handshakes, and never with ECC, DHE, ECDHE, ECDH, etc. And since RSA handshakes have been mostly deprecated by all modern browsers, this option isn't terribly useful unless you control the browsers and are willing to force significantly weaker encryption.
Client Cert Constrained Delegation (C3D) - https://my.f5.com/manage/s/article/K14065425. This is the modern way to handle the requested scenario, and works with TLS1.3 and below with modern ciphers.&nbsp;

awan_m · Answer

C3D method would require provisioning / licensing of ssl Orchestrator - which i do not have licensed on my F5

kevin_stewart · Answer

Definitely not. C3D is a function of LTM.
SSLO is not needed to use C3D.

Forum Discussion

Client Authentication with Proxy SSL

Recent Discussions

Outlook application issue

Why does WAF block HTTP OPTION method

Rewriting Location Header in iRule

HA Configuration (One in primary and One in DR)

Sending a trusted certificate to server

Related Content

Duo Authentication Proxies

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

NTLM Authenticated Proxy External Monitor

unauthenticated or authenticated FTP proxy

SSL PROXY