Forum Discussion
SSL VPN and Machine Cert Inspection
What Config do you need?
You just need to enable the Machine Certificate Checker Service in the connectivity profile and add Machine Cert Auth in the Visual Policy.
Keep in mind that if the user does not have admin privileges, they will not be able to use the private key, and the branch Found will be followed in Machine Cert Auth.
Thank you for your reply. I have little experience with the F5 APM. What I did is create a VS, an Access profile, Network Access with a lease pool, and a connectivity profile.
My VPE is: logon page -> AD -> resource assign (webtop, network resource) -> allow
I am able to connect to the VPN from the BIG-IP Edge Client (and from the portal). Now I need to add the machine certificate authentication on the Edge Client. What else should I configure in the VPE policy in order to add the machine cert authentication? And where should I upload the certificate on the F5 in order to check the validity of the machine certificate?
- Injeyan_Kostas, May 27, 2025
Nacreous
You first need to upload your Root CA certificate.
Navigate to Local Traffic ›› Profiles ›› SSL ›› Certificate Authority, and create a new Certificate Authority profile using the Root CA certificate you uploaded before.
In your APM Visual Policy, add Machine Cert Auth and select the CA profile you just created. This step ensures that the endpoint’s machine certificate is validated against your trusted CA.
Under your APM Connectivity Profile, enable the Machine Certificate Checker Service. This allows the client-side component to present the certificate during the connection process.
With these steps in place, Machine Certificate Authentication should be operational.
For more options, also check this document: https://my.f5.com/manage/s/article/K13614
- Mrad, May 28, 2025
Nimbostratus
Thank you, I will try it and let you know.