cac
5 Topics

self-directed requests fail because of no certificate
Is there a way to whitelist a server so it can make requests from itself without needing to have a certificate? I use the F5 to provide CAC authentication for my site. It's a PHP server. During the setup process for the web application software we run on the server, the setup process needs to learn, test and record its own URL and the URLs of other web applications installed on the same server. These URLs are used later when generating HTML with absolute URL links in it. When the user types a URL in and submits it, the server will then make a request to that URL (where an API is waiting) to make sure it gets a valid response, verifying the URL is correct. This process fails, I'm assuming, because any requests to the server require you to have a CAC/certificate. As such our software is unable to validate URLs. What can be done about this to allow it to work? Ideally it would be nice if the server was somehow whitelisted so it could make a self-directed request, but are there any other options?

Forwarding of X509 HTTP Header to application after termination of SSL
Hi, I'm fairly new to F5 and was wondering if there was a way to insert part of the X509::subject into the HTTP header. A regular iRule for this would look partly like this:

    when HTTP_REQUEST {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert CERTSUBJECT [X509::subject [SSL::cert 0]]
        }
    }

However, I would like to just get the 10-digit EDIPI 9999999999 from the subject below:

    Subject CN=John.D.Smith.9999999999,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S.

Is there a way to do this? Thanks, J

Configuring F5 to reliably request PIN when CAC card certificate selected
We have a website behind an F5 which is currently configured through an iRule to request a CAC card certificate when a secure subdirectory is requested. This works fine, and when I present my email certificate it successfully reads the cert and we get the user name back in the header from the F5. This is all good so far. The issue is we do not get a PIN request, and we have a requirement for multi-factor authentication using the CAC card. My question is: what are we doing wrong such that we are never asked for the PIN? I have tried all of the certs on my CAC card as well as Chrome, IE and Firefox with no success. Thanks for any help you can provide!

Preserve client IP and client certificate with SharePoint
Using X-Forwarded-For preserves the client IP but interferes with Common Access Card (CAC) authentication when using AutoMap with a Standard VS. We have switched to nPath routing for generic application servers to preserve both client IP and client certificate. How, or can, we preserve both the source IP and client certificate for a SharePoint application server (2010 and 2016)? Unfortunately an inline configuration is out of the question. Look forward to suggestions or recommended reading.

    SharePoint: Client (ip, CAC) <--> LTM/VIP/pool <--> Real Servers (CAC authentication)
    nPath:      Client (ip, CAC)  --> LTM/VIP/pool  --> Real Servers (ip, CAC authentication); data returns to client via router

Exchange 2013 CAC authentication error
I built a node on an internal VLAN in my network that serves as my 2013 Exchange CAS. I created a virtual server on the F5 (using the iapp.microsoft.exchange2013.v1.40) with an external IP whose pool includes the CAS node. When I access the Outlook Web App from an external network, I can access the email resources with a username and password just fine. When I input my CAC PIN I get "page cannot be displayed". When I do the same from inside my network, I can access the OWA using both login/CAC credentials. Is this an F5 routing/configuration issue or an Exchange 2013 configuration issue? My goal is to access OWA from an outside network using CAC authentication on the Exchange server. I am not trying to enable CAC authentication on the F5. I set that up with the LTM alone and all that does is request my CAC info, I enter my PIN and authenticate, then it sends me to the OWA login/CAC request, which then fails after I enter my PIN. Is it incorrect to put the virtual server on the DMZ external VLAN and expect the F5 to be able to send traffic to a node on an internal VLAN?