Forum Discussion
Force SSL authentication for non-web applications
I agree with you, but this option works for "SSL-ready" applications. In the case of the customer's non-web applications, they are not able to provide the certificate by themselves, and that's the tricky part... Currently they are not authenticated thanks to the user's certificate and I need to find a way to change that.
The trick will always be what the client can support. To my original point, if a protocol supports SSL (ex. HTTPS, FTPS, LDAPS), the SSL is generally layered on top of the protocol. If the client then has the ability to prompt the user for a certificate, then it would be no issue on the server side (BIG-IP) to consume and validate that certificate. If the client application doesn't support prompting, or even sending a client certificate in the SSL negotiation, then there's not much you can do.
Wondering if the webtop feature would help here... I'm imagining a web portal where the user would be SSL-authenticated and then presented a link to establish the tunnel to the protected application, could it work?
A webtop is just an HTML representation of a list of applications. Those applications can include portals, VPNs, links, Citrix apps, VMware desktops, and a few more things. If VPN is the route you choose, then you'll want to create an access policy that authenticates the user via browser-based logon, and then initiates the SSL VPN. From there you can open up the other applications and have free access through the tunnel.
