Forum Discussion
Ivanti MDM Core & F5 LTM/ASM with mTLS
Folks,
One of our customers uses Ivanti MDM to manage mobile phones, both iOS & Android. Recently, due to a requirement, we have decided to place an F5 BIG-IP in front of the MDM Core server, which is located in the DMZ.
Ivanti has a few sets of URIs. One set does not require enabling mTLS. On the other hand, the second set requires mTLS on the client side of the BIG-IP full proxy.
Has anybody seen or done this before? Has anybody implemented an MDM behind LTM/ASM (not It functions more like a MITM than just a TCP load balancer)
What is the recommended approach?
Any advice or recommendations are greatly appreciated.
Appliance: BIG-IP Tenant on r4600
TMOS: 16.x
1 Reply
Hello,
In a slightly different scenario, we have enabled mTLS for a couple of URIs on the client side. But the service behind the F5 did not ask us to provide the client cert and they just needed to know the CN field of the client cert. So, we populated an HTTP header with the CN field from the client cert and used it as a message carrier to the backend.
If Ivanti needs to see the actual client cert, you can implement C3D (Client Certificate Constrained Delegation) on the F5 to be able to provide it when the Ivanti service asks.
https://my.f5.com/manage/s/article/K72668381
https://my.f5.com/manage/s/article/K14065425
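The header approach described in the reply above could look like the following iRule. This is an added example, not the reply author's or F5's own code. It assumes the client SSL profile on the virtual server is set to request a client certificate and has a trusted CA bundle configured; the `/mtls-required/` prefix and the `X-Client-Cert-CN` header name are hypothetical placeholders.

```tcl
when HTTP_REQUEST {
    # Strip any copy of the header sent by the client, so the backend
    # only ever sees a value that the BIG-IP itself derived from the cert.
    HTTP::header remove "X-Client-Cert-CN"

    # Hypothetical prefix standing in for the URI set that requires mTLS.
    if { [HTTP::path] starts_with "/mtls-required/" } {

        # With the profile in "request" mode the handshake completes even if
        # no certificate was sent or the chain failed validation, so both
        # conditions are checked here before the request is forwarded.
        if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
            HTTP::respond 403 content "Client certificate required" "Connection" "close"
            return
        }

        # Pull the CN out of the subject DN of the leaf certificate.
        set subject [X509::subject [SSL::cert 0]]
        if { [regexp {(?:^|[,/]\s*)CN=([^,/]+)} $subject -> cn] } {
            HTTP::header insert "X-Client-Cert-CN" $cn
        } else {
            HTTP::respond 403 content "Certificate has no CN" "Connection" "close"
        }
    }
}
```

The backend should accept this header only on connections coming from the BIG-IP, since the header is just an assertion and carries no cryptographic proof of the client's identity.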