Forum Discussion
irule inspecting or modifying vpn traffic
The access policy for my virtual server grants network access. The only resource on the network behind the F5 is my proxy server. I need to pass the client certificates to my proxy server in the HTTP header. I found a rule here that is triggered by HTTP_REQUEST that works for the initial connection to the F5/virtual server. Unfortunately, once the SSL tunnel comes up the iRule does not see any more HTTP requests. My guess is that the VPN tunnel terminates behind the virtual server interface, so the iRule associated with the virtual server doesn't see the traffic. Has anyone figured out how to grab client SSL certs coming down a VPN tunnel and inject them into the HTTP header? Would an iRule in a rewrite profile accomplish this? Does anyone know of a simpler way of getting my clients to my proxy other than the network resource assign?
- Kevin_Stewart (Employee)
If I may add, once the SSL VPN tunnel has been established, the network access VIP will no longer respond to events, so it wouldn't generally be possible to pass an HTTP header from the network access VIP to services inside the tunnel. You could alternatively host a virtual server inside the tunnel (on the tunnel's lease pool network) that prompted for client certificate and then sent the traffic to the proxy server with an HTTP header. For that matter though, you could probably do the same without the SSL VPN tunnel.
And to be clear, ProxySSL and Forward Proxy SSL are two distinct things. ProxySSL only works in a reverse proxy mode, and both work very differently.
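The approach Kevin describes (a virtual server inside the tunnel that requests the client certificate and forwards it to the proxy in HTTP headers) can be expressed as an iRule like the one below. This is an added example, not code from the thread or from F5. It assumes a virtual server on the network-access lease pool network whose Client SSL profile is set to request or require a client certificate, and the header names `X-SSL-Client-Cert`, `X-SSL-Client-Subject`, `X-SSL-Client-Serial` and `X-SSL-Client-Verified` are assumed names that the proxy would have to agree on, not F5-defined ones.

```tcl
# Added example (not from the thread or from F5). Assumes a virtual server on the
# lease pool network with a Client SSL profile that requests/requires a client cert.
# The X-SSL-Client-* header names are assumptions agreed with the proxy.

when CLIENTSSL_CLIENTCERT {
    # Fires once per SSL handshake on this virtual server. Connection-scoped
    # variables persist across every HTTP request on the same connection, so
    # HTTP_REQUEST can reuse what was captured here.
    if { [SSL::cert count] > 0 } {
        set client_cert [SSL::cert 0]
        # PEM with line breaks removed so it fits on a single header line
        set client_cert_pem [string map {"\n" "" "\r" ""} [X509::whole $client_cert]]
        set client_cert_subject [X509::subject $client_cert]
        set client_cert_serial  [X509::serial_number $client_cert]
    }
}

when HTTP_REQUEST {
    # Identity headers are plain text: strip any copies the client sent itself
    # before adding values derived from the TLS handshake, otherwise a client
    # could assert an arbitrary certificate to the proxy.
    HTTP::header remove "X-SSL-Client-Cert"
    HTTP::header remove "X-SSL-Client-Subject"
    HTTP::header remove "X-SSL-Client-Serial"
    HTTP::header remove "X-SSL-Client-Verified"

    if { [info exists client_cert_pem] } {
        HTTP::header insert "X-SSL-Client-Verified" "SUCCESS"
        HTTP::header insert "X-SSL-Client-Cert"     $client_cert_pem
        HTTP::header insert "X-SSL-Client-Subject"  $client_cert_subject
        HTTP::header insert "X-SSL-Client-Serial"   $client_cert_serial
    } else {
        # No certificate presented: say so explicitly rather than silently omitting
        HTTP::header insert "X-SSL-Client-Verified" "NONE"
    }
}
```

The header is only meaningful if the proxy can be sure it came from the BIG-IP and not from a client, so the proxy should accept these headers exclusively from the BIG-IP's self IP (or reach the proxy only through this virtual server) and should treat `X-SSL-Client-Verified: SUCCESS` as the signal that the BIG-IP actually validated the chain against its trusted CA bundle.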
- What_Lies_Bene1 (Cirrostratus)
I'd imagine the ProxySSL (forward proxy) feature might meet your requirements if you can obtain the cert and key used to secure the SSL tunnel. See here for more information: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html.