Forum Discussion

Chris_Denlinger
Apr 02, 2018

Proxy SSL to Exchange with certificate-based authentication (CBA)

Hello all.

I'm trying to use our F5 as Proxy SSL with certificate-based authentication. Basically, I want connections from the internet to connect to mymail.mydomain.com, and if the URI is correct, the SSL certificate is passed forward to the backend Exchange server backend.mydomain.com. Here's what I have:

  1. Client SSL profile, inherited from clientssl. Certificate is mymail.mydomain.com. Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES'. ProxySSL is enabled. Everything else is default.

  2. Server SSL certificate, inherited from serverssl. Certificate, key, and chain are all from backend.mydomain.com. Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES'. ProxySSL is enabled.

I have two iRules: one which checks the URI, and if it's correct, sets the node to backend.mydomain.com. The second captures ciphers passed, and notes what cipher is chosen, from https://devcentral.f5.com/questions/irule-to-log-ssl-cipher-version.

I am assured that IIS on the Exchange server is configured with only the following ciphers:

TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

When I try to connect, I get errors like:

Rule /Common/ciphercheck_mymail : Client: [client-ip] attempts SSL with ciphers: c02c,c02b,c024,c023,c00a,c009,cca9,c030,c02f,c028,c027,c014,c013,cca8,c008,c012,009d,009c,003d,003c,0035,002f,000a
Cipher c028:5 negotiated is not supported by Proxy SSL configured in virtual server /Common/mymail.mydomain.com.app/mymail.mydomain.com_combined_https.
Connection error: ssl_hs_pxy_scan:11515: unavailable suite (47)
SSL Handshake failed for TCP [client-ip]:port -> [mymail-external IP]:443
SSL Handshake failed for TCP [backend.myserver-ip]:443 -> [self-IP]:port

Cipher c028 (ECDHE-RSA-AES256-SHA384) isn't in my listed set of ciphers, either on the client ssl profile or on the server ssl profile. Is there something I'm missing?
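A small diagnostic that reads the iRule cipher log line quoted above and works out which of the client's offered suites a Proxy SSL virtual server could actually hand off to the backend. This is an added example, not code from the post or from F5; the log format and iRule name are taken from the post, the hex-to-name table is built from the standard IANA TLS cipher-suite registry values for the 23 suites the client offered, and the backend list is the one the poster was given. It assumes, as the poster's own 'DEFAULT:!ECDHE:!DHE:!DES' strings encode, that only static-RSA key exchange suites are usable for the Proxy SSL handoff; that is the rule the script applies, not a claim about every BIG-IP version.

```python
"""Diagnose a Proxy SSL cipher mismatch from an iRule cipher-log line.

Added example (not from the original post or F5). The hex IDs below are
the standard IANA TLS registry values for the suites in the logged
ClientHello; the backend list is the one the poster was given for IIS.
"""
import re

# Hex suite ID -> IANA name (constructed table for the suites in the log).
SUITE_NAMES = {
    "c02c": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "c02b": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "c024": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "c023": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "c00a": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "c009": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "cca9": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "c030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "c02f": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "c028": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "c027": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "c014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "c013": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "cca8": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "c008": "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "c012": "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "009d": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "009c": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "003d": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "003c": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002f": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Suites the Exchange/IIS backend is said to accept (from the post).
BACKEND_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# The log line as quoted in the post (client IP left as the placeholder).
SAMPLE_LOG = (
    "Rule /Common/ciphercheck_mymail : Client: [client-ip] attempts SSL "
    "with ciphers: c02c,c02b,c024,c023,c00a,c009,cca9,c030,c02f,c028,c027,"
    "c014,c013,cca8,c008,c012,009d,009c,003d,003c,0035,002f,000a"
)


def parse_offered(log_line):
    """Return the client's offered suite IDs, in ClientHello order."""
    m = re.search(r"ciphers:\s*([0-9a-fA-F,]+)", log_line)
    if not m:
        raise ValueError("no cipher list found in log line")
    return [c.lower() for c in m.group(1).split(",") if c]


def key_exchange(name):
    """Derive the key-exchange method from an IANA suite name."""
    for kx in ("ECDHE", "DHE", "RSA"):
        if name.startswith("TLS_" + kx + "_"):
            return kx
    return "OTHER"


def proxy_ssl_candidates(offered, backend=BACKEND_SUITES):
    """Offered suites the backend accepts AND that use static RSA key
    exchange (assumption: the poster's profiles exclude ECDHE and DHE
    because Proxy SSL must be able to key the session itself)."""
    out = []
    for hexid in offered:
        name = SUITE_NAMES.get(hexid, "UNKNOWN")
        if name in backend and key_exchange(name) == "RSA":
            out.append(hexid)
    return out


def diagnose(log_line, negotiated_hex):
    """Explain why the negotiated suite did or did not satisfy Proxy SSL."""
    offered = parse_offered(log_line)
    name = SUITE_NAMES.get(negotiated_hex.lower(), "UNKNOWN")
    usable = name in BACKEND_SUITES and key_exchange(name) == "RSA"
    return {
        "offered_count": len(offered),
        "negotiated": name,
        "negotiated_kx": key_exchange(name),
        "negotiated_usable": usable,
        "candidates": proxy_ssl_candidates(offered),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, "c028").items():
        print(f"{key}: {value}")
```

Run against the quoted log line with the negotiated suite c028, the report shows the suite resolving to an ECDHE key exchange (so it is unusable under the static-RSA rule) while seven offered suites, 009d through 000a, would satisfy both the backend list and that rule. That points the investigation at which side chose c028 despite the profile cipher strings, rather than at the client's offer.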
