For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

faizan123_23330's avatar
faizan123_23330
Icon for Nimbostratus rankNimbostratus
Sep 05, 2016

SSL mutual authentication against the pool

we have configured a HTTPS virtual server on the f5 and we add a proxy pass(i-rule) and client side SSL certificate against that server.   in the i rule we have configured   when HTTP_REQUE...
application delivery
BIG-IP
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 06, 2016

Right, so you're going to direct (some?) traffic to this new VIP, and then direct the rest to the other VIP? So let's say you have an application at 

www.application.com

And you're aforementioned iRule uses a proxy-pass-like iRule to direct requests to different pools based on the request URI. But then for one specific URI you need to prompt for client certificate. So when the user is navigating the first app, and makes a request to this special URI, you redirect them to a second VIP, we'll call it

www.auth.application.com

in which case you have a separate VIP, on a separate IP, with DNS pointing this hostname to that IP address, and a (separate) certificate that matches the hostname.

That's if you want some requests to do client authentication. You'd probably have a similar iRule on the auth VIP that redirects to the first VIP if any of the other URIs are requested.