For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nuruddin_Ahmed_'s avatar
Nuruddin_Ahmed_
Icon for Cirrostratus rankCirrostratus
Jul 28, 2016

Forward Proxy and Client Authentication Certificates

Hi,   we have a requirement wherein clients would want to directly authentication with backend server using client authentication certificate. I want to use forward proxy feature for this, would t...
application delivery
BIG-IP
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 28, 2016

ProxySSL would only work for inbound (reverse proxy) traffic, by virtue of the requirement to possess the server's private key.

 

But to answer your question, it depends on what you mean.

 

If you're talking about simple explicit forward proxy, where the client's TLS connection is performed between the client and real server, within the TCP tunnel created by the proxy after the CONNECT request, then yes that should work. Transparent forward proxy would also work.

 

If, however, you're talking about transparent or explicit SSL Forward Proxy, wherein the F5 decrypts and re-encrypts the SSL between the client and server, then vehemently no. The only way to perform mutual PKI (client certificate) authentication is to completely bypass SSL processing at the proxy for this traffic.