Using APM SSL/VPN on a network with a Proxy using SSL Interception

It won't work for Citrix apps. For the Citrix Receiver to work, the cert has to match... For good reasons.

 

I'm not aware of any client-side checks that would verify the SSL certificate being used... Which is a bit of a shame since the client-side checks include things like spyware and snooping for peer-2-peer software installed... If there was a session variable that was set for the server cert you could possibly create a macro to check it... But you'd need to do this BEFORE the login page was presented (Or you're giving away the password info already). Looking at the session variable for a new connection not yet logged in, I don't see anything obvious...

 

Personally if someone was doing SSL interception on the Wifi, I would get my iPhone out and tether it. Deliberately breaking security is no security.

 

H

 

Using SSL Client Certificate authentication would detect whether a MITM proxy is in the path.

 

APM has a VPE action called "Client Cert Inspection" as well as an "On-Demand Cert Auth" VPE action, either of which should protect against MITM proxies.

 

"Client Cert Inspection" looks at the result of client cert auth by the LTM Client SSL profile where as "On-Demand Cert Auth" causes APM to do an SSL renogiation requesting the client cert in order to validate the received client certificate. The on-demand cert auth method is probably more flexible if you only want to selectively check client certificates within your access policy though. e.g. You might decide to only check client certificates based on geolocation or a whitelist of known trusted IP addresses for example.

 

Take note though that you'll need to pre-install client certificates on your clients in order to use this, which means not only managing client certs, but ensuring a secure method of deploying them to all the clients.