Proxy SSL to Exchange with certificate-based authentication (CBA)
Hello all. I'm trying to use our F5 as Proxy SSL with certificate-based authentication. Basically, I want connections from the internet to connect to mymail.mydomain.com, and if the URI is correct, the SSL certificate is passed forward to the backend Exchange server backend.mydomain.com. Here's what I have: Client SSL profile, inherited from clientssl Certificate is mymail.mydomain.com Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES' ProxySSL is enabled Everything else is default. Server SSL certificate, inherited from Serverssl certificate, key, and chain are all from backend.mydomain.com Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES' ProxySSL is enabled I have two iRules: one which checks the URI, and if it's correct, sets the node to backend.mydomain.com. The second captures ciphers passed, and notes what cipher is chosen, from https://devcentral.f5.com/questions/irule-to-log-ssl-cipher-version. I am assured that IIS on the Exchange server is configured with only the following ciphers: TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA When I try to connect, I get errors like: Rule /Common/ciphercheck_mymail : Client: [client-ip] attempts SSL with ciphers: c02c,c02b,c024,c023,c00a,c009,cca9,c030,c02f,c028,c027,c014,c013,cca8,c008,c012,009d,009c,003d,003c,0035,002f,000a Cipher c028:5 negotiated is not supported by Proxy SSL configured in virtual server /Common/mymail.mydomain.com.app/mymail.mydomain.com_combined_https. Connection error: ssl_hs_pxy_scan:11515: unavailable suite (47) SSL Handshake failed for TCP [client-ip]:port -> [mymail-external IP]:443 SSL Handshake failed for TCP [backend.myserver-ip]:443 -> [self-IP]:port Cipher c028 (ECDHE-RSA-AES256-SHA384) isn't in my listed set of ciphers, either on the client ssl profile or on the server ssl profile. Is there something I'm missing?
