Forum Discussion
SSO server not working when applying default http profile for ASM
Hi Folks,
I am in the process of applying ASM security policies to our VS running on BIG-IP LTM + ASM version 11.6. I have successfully applied the ASM security policy (Staging/Transparent) to all VS except the SSO server (Linux server running Spring Framework Tomcat). On the SSO server (VS) I can see that there is no http profile applied, so I applied the default http profile to it, as it's required for ASM. When I attached the http profile to the VS (SSO server), the VS stopped working, and when I removed the http profile it started working. Please advise what needs to be enabled or disabled under the http profile so that the SSO server (VS) works, as it is required for the ASM security policy.
Thanks
2 Replies
- nathe
Cirrocumulus
Sounds like the SSO server is not using HTTP traffic, hence by adding the HTTP profile it's breaking. Simplistically, ASM is protecting against HTTP attacks, so if the VIP is not HTTP aware then no ASM policy will be required. There's no way of assigning an ASM policy to a non-HTTP VIP I'm afraid.
- Jason_Meurer_39
Historic F5 Account
Assuming you have SSL in play here, did you also attach a client SSL profile to the SSO VIP? ASM needs both HTTP and SSL profiles on 443 VIPs. Now this might drive to another question of if the SSO VIP is performing client certificate authentication which cannot be SSL offloaded. You would need to look at APM to duplicate that behavior or SSL Proxying to maintain the client certificate authentication and still leverage ASM.
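
Added example, not part of the thread and not F5 code: both replies come down to what the client actually sends to the SSO virtual server, so this helper classifies the first payload bytes of a connection (for instance, copied from a packet capture) as cleartext HTTP, a TLS ClientHello, or something else, and maps the result to the advice given in the replies. The function names and sample payloads are constructed for illustration.

```python
"""Classify the first client payload bytes seen on a virtual server's port."""

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")

def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'http' or 'other' for the first bytes a client sends."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    # Cleartext HTTP/1.x request line: METHOD SP target SP HTTP/x.y
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "other"

def advice(kind: str) -> str:
    """Map the classification to the points made in the two replies."""
    return {
        "http": "Cleartext HTTP: an HTTP profile can parse this traffic.",
        "tls": ("TLS: an HTTP profile alone sees ciphertext; attach a client SSL "
                "profile too, and check whether client certificate "
                "authentication is in use before offloading."),
        "other": ("Not HTTP: an HTTP profile will break this traffic and an "
                  "ASM policy does not apply."),
    }[kind]

# Constructed sample payloads (not taken from the poster's environment).
SAMPLES = {
    "http": b"GET /login HTTP/1.1\r\nHost: sso.example.test\r\n\r\n",
    "tls": bytes.fromhex("160301002f0100002b0303"),  # start of a ClientHello
    "other": b"\x00\x00\x00\x10\x01\x02",            # arbitrary binary protocol
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind = classify_first_bytes(data)
        print(f"{name:5} -> {kind:5} | {advice(kind)}")
```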
