Forum Discussion
Websense iApp Kerberos Config
If I may add, I haven't seen the resulting config, but given that the documentation doesn't mention APM (or ACA) I have to assume Kerberos is performed in pass-through. That means that the client is likely still making the initial Kerberos request and passing the ticket through the F5 to Websense. That should work, but the address that the client uses to access the F5 VIP must be the same name they would otherwise use to access Websense directly. Kerberos is highly dependent on names (service principal names), and a browser will make a request to the KDC based on the name used to access the resource. This all ties back to encryption keys that are defined by specific SPNs. If you look at a network capture (Wireshark is best for this) you'll probably see the client either try and fail to get a Kerberos ticket and then fail over to NTLM, or pass a Kerberos ticket (but with the wrong SPN/key) and subsequently get a 401 response from Websense telling it to use NTLM.
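The two capture outcomes described in the post above can be told apart from the HTTP auth header values alone. The following is an added example, not part of the original post or of any F5 or Websense tooling; the function names and the sample tokens are constructed for illustration, and the Kerberos detection is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_token(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    parts = header_value.split(None, 1)
    if not parts:
        return "malformed"
    scheme = parts[0].lower()
    if scheme not in ("negotiate", "ntlm"):
        return "other:" + scheme
    if len(parts) == 1:
        return "offer:" + scheme  # scheme offered, no token attached
    try:
        blob = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return "malformed"
    if blob.startswith(NTLMSSP) and len(blob) >= 12:
        (msg_type,) = struct.unpack_from("<I", blob, 8)
        return "ntlm:" + NTLM_TYPES.get(msg_type, "unknown")
    if blob[:1] == b"\x60":  # GSS-API InitialContextToken
        # Heuristic: krb5 mechanism OID followed by token id 01 00 marks an AP-REQ.
        if KRB5_OID + b"\x01\x00" in blob:
            return "kerberos:ap-req"
        if SPNEGO_OID in blob[:16]:
            return "spnego:no-ticket"
    return "unknown"

def summarize(header_values):
    """Describe one handshake from its auth header values, in capture order."""
    kinds = [classify_token(v) for v in header_values]
    if "kerberos:ap-req" in kinds:
        after = kinds[kinds.index("kerberos:ap-req") + 1:]
        rejected = any(k.startswith("ntlm:") or k == "offer:ntlm" for k in after)
        return "ticket sent, then NTLM" if rejected else "kerberos"
    ntlm = any(k.startswith("ntlm:") for k in kinds)
    return "NTLM without a ticket" if ntlm else "inconclusive"

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed samples: structurally abbreviated tokens, not real captures.
SAMPLE_NTLM = _hdr(NTLMSSP + struct.pack("<I", 1) + b"\x07\x82\x08\xa2")
SAMPLE_KRB = _hdr(b"\x60\x20" + SPNEGO_OID + b"\xa0\x16\x60\x14" + KRB5_OID
                  + b"\x01\x00\x6e\x05" + bytes(5))
```

Feed `summarize` the header values of one connection in the order they appear in the capture. "NTLM without a ticket" matches the first case in the post (no ticket obtained for the name used), and "ticket sent, then NTLM" matches the second (ticket issued for an SPN whose key the service does not hold).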
