DoD CAC authentication using IIS through LTM

I think you can create an IRULE who will copy the necessary data from the clientssl side into the serverssl side. So your IIS-servers will get the proper CN or whatever you need.

Perhaps these links might help?

 

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/29075/showtab/groupforums/Default.aspx

 

 

http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html

 

 

http://devcentral.f5.com/wiki/iRules.SSL.ashx

 

 

http://devcentral.f5.com/wiki/iRules.X509.ashx

Mike,

 

So basically you want to be able to pass a certificate from a client through the LTM to one of the servers on the back side is what I am hearing.

 

 

You are going to need to use an iRule for this and put the information into the Header for the server to read. I am doing something like this with one of our applications that runs through an ASM. Your issue is that the connection is proxied and the client certificate is not being passed from the client side of the connection to the server side of the connection.

 

 

One other thing you could do is just do the client cert auth on the LTM itself through the Client SSL profile. Again you will need an iRule if you want to check for certain CNs but it is a pretty simple iRule I am also using this logic for a couple applications I run. See reference below.

 

 

http://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx

 

If you can't modify the web app to either disable the client cert requirement or parse the client cert from HTTP request headers, you could use try Proxy SSL. It's a feature added in 11.0 which allows the client and server to negotiate the SSL handshake directly. But once the handshake is complete, TMM can decrypt the SSL and inspect/modify/optimize the decrypted application traffic.

 

 

The upside is that you can handle mutual auth through LTM without modifying the client or app. The downside is that you're not offloading the SSL from the servers to LTM.

 

 

Implementing Proxy SSL on a Single BIG-IP System

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html

 

 

Make sure to use 11.1 with the latest hotfix as there have been some recent fixes.

 

 

Aaron

So not to sidebar this conversation but you peaked my interest with the ProxySSL note. So from reading the link you provided, am I correct in assuming if I do this on a system that has ASM licensed that I can still inspect all data with that module?

 

 

Hi Mike,

 

 

That's the goal. I haven't tested it with ASM though.

 

 

You should be able to import each server cert/key into a separate server SSL profile, add the default client SSL profile, each of the server SSL profiles, an HTTP profile and an HTTP class to the VS.

 

 

If you give it a try let us know what you find. I'll do the same.

 

 

Aaron

I am going to be upgrading from 10.2.0 to 11.1 HF1 over the next month or so, and yes I do have an application that I am going to test this for. I will post a new thread and let you all know how it goes.