JohnVI_45924 (Nimbostratus), Jan 17, 2012
OCSP and BigIp Irules for External Client Certificate Requests
I went through and found an article that talks to part of my questions, but I'm still not 100% on how to accomplish this with our current F5 setup. I'm trying to set this up for client certificate revocation checking, and not for any sort of SSL setups.
I currently am bringing up the OCSP service via a Microsoft Server 208 R2 machine with the OCSP role installed. We will have 1 responder inside the network, which fetches its CRL and delta updates obviously from the CA.
In Microsoft's design scenario below, they are very vague with regard to how this is accomplished.
http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
In Figure 3, Microsoft Internet Security and Acceleration (ISA) is configured as a reverse proxy located in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The Online Responder is located in a protected local area network (LAN), while all requests are redirected by an authenticated server that is running ISA.
We don't use ISA, but do use F5. With our OCSP server being on the inside, does anyone have any insight as to how I can safely accomplish a client to OCSP server request? OCSP travels over 80, and implementing OCSP through SSL is not an option as things WILL break. I just need to know how I can accomplish what this document is asking, using iRules and BigIP.
My main concerns are:
Which direction to open: OCSP hits the responder, and the OCSP responder hits the CA if it needs to for the specific request being sent by the client. So bi-directional traffic would in theory be needed for the client to send and receive a signed OCSP response from the server.
How can I safely accomplish this using our current F5 infrastructure?
I found this, but it's speaking to SSL proxy. I'm using OCSP via a PKI, not really using it for SSL.
http://support.f5.com/kb/en-us/archived_products/big-ip/manuals/product/bigip4_5features/BIGip_OCSP.print.html
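As an added illustration of the "publish an internal responder through a BIG-IP on port 80" scenario the post describes (this is example code, not from the post or from F5's documentation), the iRule below is attached to an HTTP virtual server and only lets well-formed OCSP traffic (RFC 6960 POST and GET forms) reach the internal responder pool, so the reverse-proxy path is not a general HTTP relay into the LAN. The pool name `ocsp_responders_pool` and the `/ocsp` path (the default Microsoft Online Responder location) are assumptions for this example.

```tcl
# Added example iRule (hypothetical names): restrict a port-80 virtual server
# to OCSP traffic only and forward it to the internal Online Responder pool.
when HTTP_REQUEST {
    set method [HTTP::method]
    set ctype  [string tolower [HTTP::header value "Content-Type"]]
    set path   [HTTP::path]

    if { $method equals "POST" } {
        # RFC 6960 POST form: DER OCSPRequest with this Content-Type
        if { !($ctype starts_with "application/ocsp-request") } {
            log local0. "OCSP VS: dropped POST with Content-Type '$ctype' from [IP::client_addr]"
            reject
            return
        }
        # A real OCSPRequest is a few hundred bytes; cap the body so the
        # responder cannot be used as a sink for arbitrary large payloads
        set clen [HTTP::header value "Content-Length"]
        if { !([string is integer -strict $clen]) || $clen > 4096 } {
            log local0. "OCSP VS: dropped POST with Content-Length '$clen' from [IP::client_addr]"
            reject
            return
        }
        if { !($path starts_with "/ocsp") } {
            reject
            return
        }
    } elseif { $method equals "GET" } {
        # RFC 6960 GET form: /ocsp/<base64(OCSPRequest)>, where '/', '+', '='
        # may be URL-escaped; allow only those characters and a sane length
        if { [string length $path] > 2048 || ![regexp {^/ocsp/[A-Za-z0-9+/=%]+$} $path] } {
            log local0. "OCSP VS: dropped GET '$path' from [IP::client_addr]"
            reject
            return
        }
    } else {
        # Nothing else (HEAD, PUT, OPTIONS, ...) has any business on this VS
        reject
        return
    }
    pool ocsp_responders_pool
}

when HTTP_RESPONSE {
    # The responder should only ever answer with OCSP responses; anything
    # else points at a misconfigured backend and is worth logging
    set rtype [string tolower [HTTP::header value "Content-Type"]]
    if { !($rtype starts_with "application/ocsp-response") } {
        log local0. "OCSP VS: unexpected response Content-Type '$rtype' from [IP::server_addr]"
    }
    HTTP::header remove "Server"
}
```

With this in place the only firewall opening needed is port 80 from the DMZ virtual server to the internal responder; the responder's own fetch of the CRL and delta CRLs from the CA is a separate outbound path from the responder to the CA and does not need to traverse the BIG-IP.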