Forum Discussion

James_123402
Oct 15, 2013

irule inspecting or modifying vpn traffic

The access policy for my virtual server grants network access. The only resource on the network behind the F5 is my proxy server. I need to pass the client certificates to my proxy server in the HTTP header. I found a rule here that is triggered by HTTP_REQUEST that works for the initial connection to the F5/virtual server. Unfortunately, once the SSL tunnel comes up the iRule does not see any more HTTP_REQUESTs. My guess is that the VPN tunnel terminates behind the virtual server interface, so the iRule associated with the virtual server doesn't see the traffic. Has anyone figured out how to grab client SSL certs coming down a VPN tunnel and inject them into the HTTP header? Would an iRule in a rewrite profile accomplish this? Does anyone know of a simpler way of getting my clients to my proxy other than the network resource assign?


2 Replies

  • If I may add, once the SSL VPN tunnel has been established, the network access VIP will no longer respond to events, so it wouldn't generally be possible to pass an HTTP header from the network access VIP to services inside the tunnel. You could alternatively host a virtual server inside the tunnel (on the tunnel's lease pool network) that prompted for client certificate and then sent the traffic to the proxy server with an HTTP header. For that matter though, you could probably do the same without the SSL VPN tunnel.


    And to be clear, ProxySSL and Forward Proxy SSL are two distinct things. ProxySSL only works in a reverse proxy mode, and both work very differently.
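Added example (not code from either poster): an iRule for the virtual server the reply proposes hosting inside the tunnel, on the network-access lease pool network, with a client SSL profile that requests or requires a client certificate against a trusted CA bundle (without that setting CLIENTSSL_CLIENTCERT never fires). The header names X-Client-Cert and X-Client-DN are assumptions; the proxy behind it must be configured to accept those headers only from the BIG-IP's self IP, since anything that can reach the proxy directly could otherwise forge them.

```tcl
# Added example iRule, not from the original thread. Assumes a client SSL
# profile with client authentication set to "request" or "require" and a CA
# bundle configured; header names are hypothetical.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client's certificate chain has been received.
    # SSL::cert 0 is the leaf certificate in DER form; base64-encode it so the
    # value fits on one header line (no CR/LF inside the value).
    if { [SSL::cert count] > 0 } {
        set client_cert [b64encode [SSL::cert 0]]
        set client_dn   [X509::subject [SSL::cert 0]]
    } else {
        # Possible when the profile only "requests" a certificate and the
        # client sent none; mark the connection as unauthenticated.
        set client_cert ""
        set client_dn   ""
    }
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of these headers: strip them first so
    # a user cannot inject a forged certificate identity toward the proxy.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-DN"

    if { [info exists client_cert] && $client_cert ne "" } {
        HTTP::header insert "X-Client-Cert" $client_cert
        HTTP::header insert "X-Client-DN"   $client_dn
    } else {
        # Reject here rather than forward an unauthenticated request to the
        # proxy with no certificate headers.
        HTTP::respond 403 content "Client certificate required" "Connection" "close"
    }
}
```

The variables set in CLIENTSSL_CLIENTCERT persist for the life of the TCP connection, so every request on that connection carries the same certificate; on the proxy side, decode the base64 value back to DER if the certificate itself (rather than just the subject DN) is needed.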