Forum Discussion
Using APM SSL/VPN on a network with a Proxy using SSL Interception
We have an APM implementation using SSL/VPN with the Edge Client on our employees' laptops. Could our employees connect to our APM SSL/VPN on a network with a Proxy using SSL Interception, assuming they ignore the SSL Certificate message? Is there any way for APM to identify if the SSL/VPN is going through a Proxy using SSL Interception and block it? If it can detect this, is there any way to assign a less secure resource profile?
Thank you, -Mike
2 Replies
- Hamish
Cirrocumulus
It won't work for Citrix apps. For the Citrix Receiver to work, the cert has to match... For good reasons.
I'm not aware of any client-side checks that would verify the SSL certificate being used... Which is a bit of a shame since the client-side checks include things like spyware and snooping for peer-2-peer software installed... If there was a session variable that was set for the server cert you could possibly create a macro to check it... But you'd need to do this BEFORE the login page was presented (Or you're giving away the password info already). Looking at the session variable for a new connection not yet logged in, I don't see anything obvious...
Personally if someone was doing SSL interception on the Wifi, I would get my iPhone out and tether it. Deliberately breaking security is no security.
H
- Mike_61663
Cirrus
Using SSL Client Certificate authentication would detect whether a MITM proxy is in the path.
"Client Cert Inspection" looks at the result of client cert auth by the LTM Client SSL profile, whereas "On-Demand Cert Auth" causes APM to do an SSL renegotiation requesting the client cert in order to validate the received client certificate. The on-demand cert auth method is probably more flexible if you only want to selectively check client certificates within your access policy though, e.g. you might decide to only check client certificates based on geolocation or a whitelist of known trusted IP addresses.
Take note though that you'll need to pre-install client certificates on your clients in order to use this, which means not only managing client certs, but ensuring a secure method of deploying them to all the clients.