cac
4 Topics

Forwarding of X509 HTTP Header to application after termination of SSL
Hi, I'm fairly new to F5 and was wondering if there was a way to insert part of the X509::subject into the HTTP header. A regular iRule for this would look partly like this:

    when HTTP_REQUEST {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert CERTSUBJECT [X509::subject [SSL::cert 0]]
        }
    }

However, I would like to just get the 10-digit EDIPI 9999999999 below:

    Subject CN=John.D.Smith.9999999999,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S.

Is there a way to do this? Thanks, J

Configuring F5 to reliably request PIN when CAC card certificate selected
We have a website behind an F5 which is currently configured through an iRule to request a CAC card certificate when a secure subdirectory is requested. This works fine, and when I present my email certificate it successfully reads the cert and we get the user name back in the header from the F5. This is all good so far. The issue is we do not get a PIN request, and we have a requirement for multi-factor authentication using the CAC card. My question is: what are we doing wrong such that we are never asked for the PIN? I have tried all of the certs on my CAC card as well as Chrome, IE and Firefox with no success. Thanks for any help you can provide!

Preserve client IP and client certificate with SharePoint
Using x-forwarded-for preserves the client IP but interferes with Common Access Card (CAC) authentication when using AUTOmap with a Standard vs. We have switched to nPath routing for generic application servers to preserve both client IP and client certificate. How, or can, we preserve both the source IP and client certificate for a SharePoint application server (2010 and 2016)? Unfortunately an inline configuration is out of the question. Look forward to suggestions or recommended reading.

    SharePoint: Client (ip, CAC) <--> LTM/VIP/pool <--> Real Servers (CAC authentication)

    nPath:      Client (ip, CAC) --> LTM/VIP/pool --> Real Servers (ip, CAC authentication)
                data returns to client via router

Exchange 2013 CAC authentication error
I built a node on an internal VLAN in my network that serves as my 2013 Exchange CAS. I created a virtual server on the F5 (using the iapp.microsoft.exchange2013.v1.40) with an external IP whose pool includes the CAS node. When I access the Outlook Web App from an external network, I can access the email resources with a username and password just fine. When I input my CAC PIN I get "page cannot be displayed". When I do the same from inside my network, I can access the OWA using both login/CAC credentials. Is this an F5 routing/configuration issue or an Exchange 2013 configuration issue? My goal is to access OWA from an outside network using CAC authentication on the Exchange server. I am not trying to enable CAC authentication on the F5. I set that up with the LTM alone and all that does is request my CAC info; I enter my PIN and authenticate, then it sends me to the OWA login/CAC request, which then fails after I enter my PIN. Is it incorrect to put the virtual server on the DMZ external VLAN and expect the F5 to be able to send traffic to a node on an internal VLAN?