Forum Discussion
Force SSL authentication for non-web applications
Hi everyone,
We are challenged by a customer to design and deploy a POC based on f5 technology where users would be authenticated thanks to their SSL certificates, which are stored in an external card reader. The applications the users connect to are not all standard HTTP applications; some of them use a traditional client/server architecture with "heavy" standalone client software (Java, C++, or other). This last use case typically chats over TCP or UDP at the transport level, and the application level can be something proprietary (vs. standard HTTP for the other use case).
Well, I'm wondering if there were an f5 technology that could respond to all these requirements, especially SSL-authenticating for standalone and proprietary applications. Quite challenging... Any idea gurus :-) ?
Thanks for your help. Cheers.
7 Replies
- Hamish
Cirrocumulus
Something with APM perhaps? The apps would all live behind a bigip, and users are required to authenticate via APM (Access Policy Manager) to gain access.
The actual app could then be presented by HTTP/HTTPs for standard web apps, and application tunnels or even full-blown network access via SSL VPN for the most difficult ones.
Sounds like fun...
H
Hi Hamish,
Yeah, I was thinking of APM but I have to say I'm not familiar enough with this module to say 100% sure this solution will work... Application tunnels seem to be a good track. Could you please point me to where to get info about APM configuration and application tunnels?
Thanks for the tip.
- Kevin_Stewart
Employee
If I may add, it would generally depend on the protocol. Many applications that support SSL and client certificate authentication will usually layer the SSL over the underlying protocols, so you could certainly offload the SSL and consume the client cert using a TCP-based virtual server. Doing anything intelligent with the underlying protocol itself, if required, would depend on that protocol.
As Hamish says, APM would be a good choice for SSL authenticating HTTP-based applications, and also SSL authenticating an SSL VPN tunnel for other applications.
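As an added example (constructed here, not from this thread or from F5's own documentation) of the TCP virtual server Kevin describes: the client-ssl profile terminates SSL in front of the proprietary protocol and requires a client certificate, and the iRule consumes the certificate once it arrives. Object names, the 10.0.0.10:5000 destination and the issuer DN are placeholders to adapt to the customer's PKI.

```tcl
# --- Constructed example: BIG-IP pieces for a TCP virtual server with client-cert auth ---
# tmsh objects this iRule assumes (placeholder names; adjust to the customer's PKI):
#
#   tmsh create ltm profile client-ssl legacy_mtls defaults-from clientssl \
#       cert-key-chain add { default { cert legacy_app.crt key legacy_app.key } } \
#       ca-file customer_smartcard_ca.crt peer-cert-mode require
#   tmsh create ltm virtual vs_legacy_app destination 10.0.0.10:5000 ip-protocol tcp \
#       profiles add { tcp { } legacy_mtls { context clientside } } \
#       pool pool_legacy_app rules { legacy_mtls_irule }
#
# peer-cert-mode "require" makes the handshake fail when the client presents no
# certificate at all (the "client cannot send one" case); the iRule below adds
# the checks that are worth doing once a certificate *has* arrived.

when CLIENTSSL_CLIENTCERT {
    # Chain validation against ca-file has already run; SSL::verify_result is
    # the OpenSSL verify code (0 = chain OK).
    if { [SSL::cert count] < 1 } {
        log local0. "mTLS: no client certificate from [IP::client_addr]"
        reject
        return
    }
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "mTLS: chain check failed from [IP::client_addr]: [X509::verify_cert_error_string $vr]"
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer [SSL::cert 0]]

    # Pin the issuer: accept only the smart-card CA, not any CA present in ca-file
    # (placeholder DN; compare against the real issuer DN printed on the cards' certs).
    if { $issuer ne "CN=Customer Smartcard CA,O=Customer" } {
        log local0. "mTLS: unexpected issuer '$issuer' from [IP::client_addr]"
        reject
        return
    }
    log local0. "mTLS: accepted '$subject' from [IP::client_addr]"
    # The identity can be passed to the backend only if the proprietary protocol
    # has a place for it; otherwise the authenticated TCP stream is simply forwarded.
}
```

The SSL layer is all BIG-IP sees here: anything above it (the proprietary protocol) is forwarded untouched to the pool, which is the limit Kevin's reply points at.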
- Hamish
Cirrocumulus
There are some useful docs on tech.f5.com for APM. And some useful whitepapers and deployment guides too.
Some of them are quite long and detailed, though. That may or may not be an advantage depending on how long you have to decide...
H
Thanks Hamish, thanks Kevin for your feedback and tips ;-)
> Many applications that support SSL and client certificate authentication will usually layer the SSL over the underlying protocols, so you could certainly offload the SSL and consume the client cert using a TCP-based virtual server.

(Correct me if I'm wrong.) I agree with you, but this option works for "SSL-ready" applications. In the case of the customer's non-web applications, they are not able to provide the certificate by themselves, and that's the tricky part... Currently they are not authenticated thanks to the user's certificate, and I need to find a way to change that.
I'll try to find useful documentation in all *f5 sites.
Thanks again for your help.
Guys,
Wondering if the webtop feature would help here... I'm imagining a web portal where the user would be SSL-authenticated and then presented a link to establish the tunnel to the protected application. Could it work? Or am I missing something ;) ?
Thx.
- Kevin_Stewart
Employee
> I agree with you but this option works for "SSL-ready" applications. In the case of non-web applications of the customer, they are not able to provide the certificate by themselves and that's the tricky part... Currently they are not authenticated thanks to the user's certificate and I need to find a way to change that.

The trick will always be what the client can support. To my original point, if a protocol supports SSL (ex. HTTPS, FTPS, LDAPS), the SSL is generally layered on top of the protocol. If the client then has the ability to prompt the user for a certificate, then it would be no issue on the server side (BIG-IP) to consume and validate that certificate. If the client application doesn't support prompting, or even sending a client certificate in the SSL negotiation, then there's not much you can do.
> Wondering if the webtop feature would help here... I'm imagining a web portal where the user would be SSL-authenticated and then presented a link to establish the tunnel to the protected application, could it work?

A webtop is just an HTML representation of a list of applications. Those applications can include portals, VPNs, links, Citrix apps, VMware desktops, and a few more things. If VPN is the route you choose, then you'll want to create an access policy that authenticates the user via browser-based logon, and then initiates the SSL VPN. From there you can open up the other applications and have free access through the tunnel.