Hi F5 community,
I’m looking for a mutual TLS (2-way TLS) reference architecture document showing flows from client via Big-IP LTM to server.
I need to have defined external client connections authenticate with a Big-IP before been handed off to an internal web server. Internal client to Big-IP then onwards to an external web server would also work (I’d just reverse the logic).
K12140946 has been useful, but I need the same with a Big-IP in the middle.
Thanks in advance.
Big IP v220.127.116.11
TLS is normally done by certificates.
So you'd need a cert on the VS and one on the client.
And you can then tell the server config to enforce the trust,
The normal issue here is managing and maintaining the certificate on the client's.
It can also be done between f5 and the web servers, as there internal and fixed that's normally a little easier!
Just make sure the certs are kept up to date otherwise they'll all die!
Normally worth renewing each certificate at last a week a part on each web server to try to manage that.
K12140946 is a good place to start. The BIG-IP is a full proxy, so the client mTLS would be terminated there (client = client, BIG-IP = server), and the the BIG-IP would initiate a completely new TLS connection to the backend server (BIG-IP = client, server = server).
As for handling mutual TLS, there are a few options: