Forum Discussion
Two factor authentication with two different APM in the same SSL session of the first F5
Hi,
I want to dissociate authentication into two F5s, one in front of the Internet and the other in a DMZ.
Actually, I have one F5 in the Internet DMZ and it does compliance, certificate check and AD account, to terminate with an SSL VPN tunnel.
I tried many possibilities with iRules, to stop the HTTP protocol or redirect to another virtual, but I need the SSL session to be aware of the traffic of the second F5.
Do I need to make a tunnel or TCP forwarding in the actual SSL session of the first F5?
Thx a lot Emmanuel
4 Replies
- w-reseau_282897
Nimbostratus
Oops, sorry, I made an error in the text:
I need the first F5 not to be aware of the traffic of the second F5 in the SSL session.
Remember that the second F5 has an APM portal too.
Thx Emmanuel
- Lucas_Thompson_Historic F5 Account
Could you describe your issue more clearly? What problem are you trying to solve?
APM tracks user sessions by "MRHSession" session cookie.
APM is also aware that VPN (Network Access) traffic through it is always part of an already-existing user session. So it is impossible to create a VPN tunnel, then log in again to the same APM box with different user credentials.
- w-reseau_282897
Nimbostratus
Hi Lucas,
I have one F5 in front of the Internet with an APM to authenticate with compliance and third-party code.
Then I want to initiate a new SSL connection to a second F5 with an APM that checks the AD account and then mounts a network access tunnel.
But we're always on the first F5 in front of the Internet in the same SSL session, and I don't know whether this F5 can decrypt or know the AD account of the user when the second F5 asks for it.
Regards Emmanuel
So are you OK with the second APM showing another login page, or do you expect it to know somehow?