Forum Discussion
sccm 2012 internet based client management & LTM...
I have a question regarding the configuration of client and server authentication on the BIG-IP LTM from SCCM 2012 clients that are internet based. The port SCCM 2012 uses for client authentication is port 443, and there is an external URL that points to the internal SCCM server. The client has a PKI certificate that uses workstation authentication, and the server has IIS with the PKI web server certificate that has the FQDNs of the external and internal server names. How would you go about setting up rules for both the server and workstation that all use port 443? If anyone has any information on this at all I would greatly appreciate the help. If you need any more information please let me know and I will provide it.
Thank you for your time.
6 Replies
- Shawn_82771
Historic F5 Account
In most cases you would just make port 443 (and 8531 for SUP) available without any special rules to the internet to allow traffic between the server and client. Are you hoping to have the LTM do something else above this?
- Tony_126671
Nimbostratus
Our SCCM server and all of the roles are internal. We don't want to expose the SCCM server directly to the internet, so we want to have the F5 do a CRL check on the client cert and then allow traffic to the SCCM server; any traffic that does not have a valid cert would be blocked and would never pass the LTM. If you need more information please let me know. Thanks
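The design Tony describes (LTM terminates TLS, requires a client certificate, checks it against a CRL, and only then forwards to SCCM) is normally done with a client-ssl profile set to require a peer certificate with a CA bundle and CRL attached, plus a small iRule that enforces the verification result. The iRule below is an added example for this thread, not F5 documentation or anything posted by the participants; the profile name, the virtual server, and the log wording are assumptions, and it assumes the attached client-ssl profile already carries the issuing CA chain and the CRL so that BIG-IP performs the revocation check.

```tcl
# Added example iRule (not from the original thread).
# Assumes the virtual server's client-ssl profile has:
#   peer-cert-mode require, ca-file <issuing CA chain>, crl-file <CRL>
# BIG-IP performs the chain and CRL validation; this iRule only enforces
# the outcome so that unauthenticated clients never reach the SCCM pool.

when CLIENTSSL_CLIENTCERT {
    # No certificate presented at all: drop the connection.
    if { [SSL::cert count] == 0 } {
        log local0. "SCCM client-auth: no client certificate from [IP::client_addr], rejecting"
        reject
        return
    }

    # Non-zero means chain build, expiry or CRL check failed.
    if { [SSL::verify_result] != 0 } {
        log local0. "SCCM client-auth: verify_result=[SSL::verify_result] for [IP::client_addr] subject=[X509::subject [SSL::cert 0]], rejecting"
        reject
        return
    }

    # Record the accepted identity for the HTTP phase (hypothetical variable name).
    set client_subject [X509::subject [SSL::cert 0]]
}

when HTTP_REQUEST {
    # Belt-and-braces: if the handshake never produced a verified cert, refuse.
    if { ![info exists client_subject] } {
        HTTP::respond 403 content "client certificate required"
        return
    }
    # Optionally pass the verified subject to SCCM's IIS for logging
    # (header name is an assumption, not an SCCM requirement).
    HTTP::header insert "X-Client-Cert-Subject" $client_subject
}
```

With `peer-cert-mode require` the handshake itself fails for clients without a certificate, so the first branch mainly covers profiles set to `request`; the `SSL::verify_result` check is what turns a revoked or untrusted certificate into a closed connection rather than a forwarded request. Keep the CRL on the BIG-IP fresh (a stale CRL silently stops revoking), and remember that SSL bridging to the SCCM server still needs a server-ssl profile on the inside leg.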
- Trevor_Jones_16
Nimbostratus
Tony, I could use some more info. Do we need to load any of the certs? My test client is getting the following error: WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
- DavidS_24861
Nimbostratus
Any findings on this? Had these same thoughts for our external SCCM client as well. Thanks.
- scidevops_31381
Nimbostratus
I know this is an old post, but I'm trying to implement the same thing. Is this possible for remote-based users?
- Bill_Berry
Nimbostratus
Am trying to do the same thing. In the attempt to do SSL bridging, simply placing the (internally trusted) certificate with the proper externally facing CRL on the outside 443 VIP, then passing it on to the inside, does not work. Has anyone solved this problem? It seems a bit more complicated than described.
