Forum Discussion
Jibinpv
Nimbostratus
Jan 16, 2017
Mutual Authentication
Hi Team,
I'm having a scenario where Mutual Authentication is to be enabled for the customers connecting to the environment.
Here we have only one virtual server with multiple customers connecting...
Hannes_Rapp
Nimbostratus
Jan 16, 2017
TLS handshake is lower in the stack - it takes place before you can check for the value of HTTP path your client has requested. This means with the use of One Virtual Server, you either apply mutual auth to everyone, or no one. Possible iRule workarounds may be possible with TLS invalidation and forced re-negotiation, but it gets pretty dirty and unmanageable.
To help you move forward, I recommend you create 2 Virtual Servers
- Opt 1. New Destination IP, new DNS name, mutual-auth enabled (Cleanest)
- Opt 2. Alternatively, re-use the existing Destination IP and DNS name. For that, you must create a duplicate VS configuration with same destination IP and port, but with a different Source Address value. Closer-match VS will get the hit so two Virtual Servers with the same IP and Port combination can work. This solution is OK for one exception, but you would have to create a new Virtual Server for every new client (imo, not as clean or scalable as 1)
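A simplified model of Opt 2 from the reply above, added here as an illustration and not taken from the original posts or from F5: two listeners share one destination, the one with the closer-matching source filter wins, and the client-certificate policy is fixed before any HTTP path is visible. The listener names, addresses (documentation ranges) and the `select_listener` / `handshake_policy` helpers are hypothetical, and real BIG-IP precedence has more rules than this sketch.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str   # "ip:port" the client connects to
    source: str        # CIDR the client address must fall in
    client_cert: str   # "require" (mutual auth) or "ignore"


# Constructed sample configuration, not from the thread.
LISTENERS = [
    VirtualServer("vs_app_default", "192.0.2.10:443", "0.0.0.0/0", "ignore"),
    VirtualServer("vs_app_mtls", "192.0.2.10:443", "203.0.113.0/24", "require"),
]


def select_listener(client_ip, destination, listeners=LISTENERS):
    """Return the listener whose source filter most closely matches the client."""
    addr = ipaddress.ip_address(client_ip)
    candidates = [
        vs for vs in listeners
        if vs.destination == destination
        and addr in ipaddress.ip_network(vs.source)
    ]
    if not candidates:
        return None
    # Closer match = longest source prefix among listeners on this destination.
    return max(candidates, key=lambda vs: ipaddress.ip_network(vs.source).prefixlen)


def handshake_policy(client_ip, destination, http_path):
    """Client-certificate policy applied to a new connection.

    http_path is accepted only to show that it cannot influence the result:
    the path arrives inside the encrypted stream after the handshake is done.
    """
    vs = select_listener(client_ip, destination)
    return None if vs is None else (vs.name, vs.client_cert)
```
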