Forum Discussion

Mike_Harpe_6170's avatar
Mike_Harpe_6170
Icon for Nimbostratus rankNimbostratus
Jan 31, 2012

DoD CAC authentication using IIS through LTM

I am working with developers and SA people to get an app that uses IIS authentication with LTM.     Basic setup is a virtual server on 443 with a cert on the front end, two servers on the back e...
app sec
BIG-IP Access Policy Manager (APM)
security
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Feb 01, 2012
If you can't modify the web app to either disable the client cert requirement or parse the client cert from HTTP request headers, you could use try Proxy SSL. It's a feature added in 11.0 which allows the client and server to negotiate the SSL handshake directly. But once the handshake is complete, TMM can decrypt the SSL and inspect/modify/optimize the decrypted application traffic.

 

 

The upside is that you can handle mutual auth through LTM without modifying the client or app. The downside is that you're not offloading the SSL from the servers to LTM.

 

 

Implementing Proxy SSL on a Single BIG-IP System

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html

 

 

Make sure to use 11.1 with the latest hotfix as there have been some recent fixes.

 

 

Aaron