Forum Discussion

Azzeddine_S's avatar
Azzeddine_S
Icon for Cirrus rankCirrus
Jun 22, 2023

F5 APM Check Domain Membership

Hi all,

When it comes to validate a computer before give access to the corporate network it seems obvious and mandatory to check if it is part of the active directory, the way it is done on F5 APM through the VPE is to check whether or not a the following windows registry key is present and valid :

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"."Domain"="example.F5.com"

Source :

https://my.f5.com/manage/s/article/K93754211

This method does the job but in risky way; anybody can mimic this value and get access to the internal resources with personal devices to exfiltrate / leak / steal data which is for some organisation a very big deal.

More dangerous , these devices could be compromised .....

The question is is there any non fakable way (it should exist) to validate if a computer is a member of a domain.

Thanks a lot for all of you

security

3 Replies

Sort By
    • Azzeddine_S's avatar
      Azzeddine_S
      Icon for Cirrus rankCirrus
      Jul 03, 2023

      Hi Whisperer,

      First thanks for your reply and help.

      I am also following that way to secure the access by creating a lab as follows :


                                                                                                              ----------- Server-01
      Client PC ----------- Router ----------- BIG-IP-VE ----------- Router
                                                                       |                                     ----------- Server-02
                                                                       |
                                                                       |
                                                         Active Directory
                                                                 with CA

      Client PC: Windows 10

      Routers : VyOS

      BIG-IP: Version 17.x

      Servers : Rocky Linux with Apache

      Active directory : Windows Server 2022

       

      but i could not find a good documentation about how to integrate the BIG-IP with the CA.

      have you ever succeded to doit?
      if so do you have any documentation to share

      thanks in advance.

  • McKinley's avatar
    McKinley
    Icon for Nimbostratus rankNimbostratus
    Jul 03, 2023

    To disable TLSv1.0 and TLSv1.1 for the device SSL certificate on an F5 device, you can follow these steps:

    Access the F5 device's command-line interface (CLI) using SSH or console access.

    Log in with appropriate administrative credentials.

    Once logged in, enter the following command to access the device's configuration utility:

    tmsh

    Next, run the following command to modify the device certificate's SSL profile:

    modify sys ssl-cert <certificate-name> defaults-from <existing-ssl-profile>

    Replace <certificate-name> with the name of the device certificate you want to modify, and <existing-ssl-profile> with the name of the SSL profile from which you want to inherit settings. This could be an existing SSL profile or a custom SSL profile you have previously created.

    After executing the previous command, you will be in the context of the modified certificate. Run the following command to access the SSL profile associated with the certificate:

    modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> profile

    Replace <cert-key-list-name> with the name of the certificate key list associated with the device certificate.

    Finally, run the following command to disable TLSv1.0 and TLSv1.1 for the device certificate:

    modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers <ciphers>

    Replace <ciphers> with the list of ciphers you want to use for the device certificate, excluding the ones that support TLSv1.0 and TLSv1.1. You can specify a comma-separated list of ciphers.

    For example, a sample command to disable TLSv1.0 and TLSv1.1 and enable only TLSv1.2 and TLSv1.3 might look like this:

    modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

    Save the changes and exit the CLI.                                   YourTexasBenefits Login

    By following these steps, you can disable TLSv1.0 and TLSv1.1 for the device SSL certificate on your F5 device. Remember to replace the placeholder values with the appropriate names and settings for your specific environment.