APM Features without Session Cookies

Question

Dear All,I have implemented an application proxy in LTM that uses an iRule along with old&nbsp;Advanced Client Authentication (ACA) features to perform OCSP checks for certificate-based authentication as a fall-back for requests from un-authorised IP addresses.The reason for an iRule and the old PAM-based authentication is that several of the services that are using the proxy cannot handle/present session cookies. My original implementation was built using APM, which made the whole solution much easier to configure. This worked like a dream for browser access and some command-line clients that could handle cookies. However access failed for client connections that couldn't handle cookies.&nbsp;I would love to use APM to replace the existing access rule, especially as old posts like the one below, suggest that the ACA features are likely to be removed at some point:&nbsp;https://community.f5.com/t5/technical-forum/ocsp-responders-and-configuration-profiles/td-p/44608&nbsp;Is there any way to use APM based features, such as OCSP Reponder authentication, either natively or from within an iRule, without APM session cookie requirements? Or is APM limited to connections that can handle cookies?Any advice gratefully received.

nikoolayy1 · Answer

Newer than the clientless mode that Juergen_Mang&nbsp; mentioned is the API protection profile that utilized F5 APM per-request policies that do not need a session:
&nbsp;
https://www.youtube.com/watch?v=-2ndGH9Dp1Q
&nbsp;
https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protection-use-cases.html
https://clouddocs.f5.com/training/community/access-solutions/solution13/guide/guide.html
&nbsp;

juergen_mang · Answer

&gt; Newer than the clientless mode that @Juergen_Mang&nbsp; mentioned is the API protection profile that utilized F5 APM per-request policies that do not need a session
IF there is no requirement for a session, the API protection profile is indeed the better attempt.

juergen_mang · Answer

You can trie to use the clientless mode of apm: https://my.f5.com/manage/s/article/K80934060#link_06

barny_riches · Answer

Thank you Juergen, that's perfect, just the kind of guidance I needed. I will take a look at clientless mode to see if I can migrate my current configuration back to using APM.

barny_riches · Answer

Thank you both for your responses and guidance. I will see if an API protection profile will be suitable for my needs and if not, I will run some tests using APM in clientless mode, which I had never heard of previously. I appreciate both suggestions, thank you again

Forum Discussion

APM Features without Session Cookies

5 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

DevCentral's Featured Member for February - Edouard Zorrilla

Introducing Secure MCN features on F5 Distributed Cloud

DevCentral's Featured Member for March - Thomas Dahlmann

DevCentral's Featured Member for April - Mihai Cziraki

DevCentral's Featured Member for December - Mohamed Kansoh