Forum Discussion

writemike's avatar
writemike
Icon for Nimbostratus rankNimbostratus
Feb 05, 2014

Using APM SSL/VPN on a network with a Proxy using SSL Interception

We have an APM implementation using SSL/VPN with the Edge Client on our employees laptops. Could our employees connect to our APM SSL/VPN on a network with a Proxy using SSL Interception, assuming th...
BIG-IP Access Policy Manager (APM)
design
management
security
Mike_61663's avatar
Mike_61663
Icon for Cirrus rankCirrus
Feb 06, 2014

Using SSL Client Certificate authentication would detect whether a MITM proxy is in the path.

 

APM has a VPE action called "Client Cert Inspection" as well as an "On-Demand Cert Auth" VPE action, either of which should protect against MITM proxies.

 

"Client Cert Inspection" looks at the result of client cert auth by the LTM Client SSL profile where as "On-Demand Cert Auth" causes APM to do an SSL renogiation requesting the client cert in order to validate the received client certificate. The on-demand cert auth method is probably more flexible if you only want to selectively check client certificates within your access policy though. e.g. You might decide to only check client certificates based on geolocation or a whitelist of known trusted IP addresses for example.

 

Take note though that you'll need to pre-install client certificates on your clients in order to use this, which means not only managing client certs, but ensuring a secure method of deploying them to all the clients.