Forum Discussion
Client Certificate Based Authentication with Websense
The answer is definitively yes, but the details depend on how WebSense expects to receive this information. With a standard VIP, client SSL profile, and an iRule, you can use LTM to first request, then validate a client certificate, and then send the X509 data to the back end server. In the absence of a more robust single sign-on mechanism though, capabilities that APM provides, you're mostly limited to sending the data in the layer 7 stream (ex. HTTP headers). I wouldn't discount this method however. Given that the F5 is a "trusted proxy" between users and servers, that the communication from client to F5 and (optionally) F5 to server is also SSL, and that not one single client side packet reaches the server until the F5 has properly validated the client's certificate, it's usually a reasonably simple modification to a server application to consume HTTP headers in place of more traditional inputs.
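One way the iRule half of this could look, as an added example that is not part of the original post and is not F5's own code. It assumes the client SSL profile on the VIP is set to request or require a client certificate against a trusted CA bundle; the `X-Client-Cert-*` header names are hypothetical and would need to match whatever the back end is modified to read.

```tcl
# Added example: forward validated client-certificate data to the pool member
# as HTTP headers. Header names below are assumptions, not a Websense interface.
when HTTP_REQUEST {
    # Remove any copies of these headers sent by the client, so the server
    # only ever sees values written by the proxy.
    foreach h {X-Client-Cert-Subject X-Client-Cert-Issuer X-Client-Cert-Serial} {
        HTTP::header remove $h
    }

    # No certificate presented: refuse instead of forwarding an
    # unauthenticated request to the back end.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # A verify result of 0 means the chain validated against the profile's
    # trusted CAs. Anything else is logged with its reason and refused.
    set result [SSL::verify_result]
    if { $result != 0 } {
        log local0. "Client certificate rejected for [IP::client_addr]:\
            [X509::verify_cert_error_string $result]"
        HTTP::respond 403 content "Client certificate not accepted"
        return
    }

    # Certificate validated: pass the X509 fields on in the layer 7 stream.
    set cert [SSL::cert 0]
    HTTP::header insert X-Client-Cert-Subject [X509::subject $cert]
    HTTP::header insert X-Client-Cert-Issuer  [X509::issuer $cert]
    HTTP::header insert X-Client-Cert-Serial  [X509::serial_number $cert]
}
```

For the "trusted proxy" reasoning to hold, the back end should accept these headers only on connections that come from the F5, since any client that can reach the server directly could set them itself.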
