For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ward_Delcomyn_9's avatar
Ward_Delcomyn_9
Icon for Nimbostratus rankNimbostratus
Feb 15, 2016

Per-App-VPN using Kerberos Constrained Delegation and Protocol Transition...HELP!

First a picture of what I'm trying to do:   Now for a brief description: We are trying to implement per-app-vpn (AIRWATCH). We stood up a "VPN only" BigIp appliance "VPN1" that hosts the vpn ...
application delivery
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 16, 2016

The APM SSO process is going to end with the production of a Kerberos service ticket (AP_REQ) embedded in an HTTP request Authorization header, and that header is going to come from the device that performs the rest of the Kerberos negotiation. It's not impossible to do of course, but an SSL VPN generally doesn't perform SSO functions. The initiation of the VPN is the end state. What you'd need to do is to transmit the user's information to a separate access policy, potentially even the internal device, and then let it do the Kerberos SSO.