APM OCSP check via corporate proxy
Hi,
I am checking the revocation status of client certificates in APM using OCSP Auth Agent.
I have an AAA Server -> OCSP Responder configured with .
I have a host entry and static route configured, our corporate L4 firewall facing the internet is allowing this connection towards OCSP IP address.
This works fine until the IP of the OCSP server suddenly changes. Then the OCSP check does not work anymore and I need to update the host entry, routing entry and firewall rule with the new destination IP address.
This is an ugly solution, and I was thinking I could let APM contact the OCSP responder via the system proxy, the same way as, for example, I am using the system proxy to update ASM signatures.
In order to test it, I did the necessary config of the /sys db proxy.* values (as we are on 12.1.2). I am pretty sure the config is correct. I removed the host entry and routing entry. But I can see that APM still bypasses the proxy and sends the OCSP HTTP requests directly. And of course this is failing now, as there is no host and route entry in place.
Why is the system proxy not being used by APM to route the OCSP requests out to the internet?
And how can I get this to work? The proxy is really my only option for a robust solution, because our corporate firewalls are L4 only, and the OCSP IP address changes quite frequently.
I saw this post from Kevin: https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026, from which I understood that it indeed is not possible to use the system proxy for OCSP calls. But why is that? Isn't it strange to have a system proxy available but not be able to use it for such an obvious action?
And where could I find the iRule Kevin was referring to at the beginning of the article ("simple VIP and iRule that "proxifies" an outbound OCSP HTTP request")? I couldn't find this previous article he was referring to.
Thanks, Martin
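One way to build the "proxifying" VIP that the linked article describes, as an added iRule example written for this thread (it is not Kevin's iRule and not F5 product code). It assumes a pool named corp_explicit_proxy_pool pointing at the corporate explicit proxy, a data group ocsp_responders_dg listing the allowed responder hostnames, and that the AAA OCSP Responder URL in APM is pointed at the internal HTTP VIP this iRule is attached to.

```tcl
# Added example, not from the original thread. Attach to an internal HTTP VIP
# (assumed 127.0.0.10:80) that the APM OCSP Responder URL points at. APM sends a
# normal origin-form request ("POST /ocsp") with the real responder in the Host
# header; an explicit proxy instead wants the absolute URI in the request line.
when HTTP_REQUEST {
    set host  [string tolower [HTTP::host]]
    set ctype [string tolower [HTTP::header value "Content-Type"]]

    # Only forward requests for responders we know about, so the VIP cannot be
    # used as a general open forwarder through the corporate proxy.
    # (ocsp_responders_dg is an assumed string data group of responder hostnames.)
    if { ![class match $host equals ocsp_responders_dg] } {
        log local0. "ocsp-proxify: host '$host' not an allowed responder, from [IP::client_addr]"
        HTTP::respond 403 content "forbidden"
        return
    }

    # Only OCSP traffic: POST with the OCSP media type (RFC 6960 section A.1)
    # or the GET form, which carries the base64 DER request in the path.
    if { !(([HTTP::method] eq "POST" && $ctype eq "application/ocsp-request") ||
           [HTTP::method] eq "GET") } {
        log local0. "ocsp-proxify: rejecting [HTTP::method] $host[HTTP::uri]"
        HTTP::respond 403 content "forbidden"
        return
    }

    # Rewrite to absolute-URI form unless the request already is one.
    if { ![string match -nocase "http://*" [HTTP::uri]] } {
        HTTP::uri "http://${host}[HTTP::uri]"
    }
    # One request per connection keeps proxy state out of the picture.
    HTTP::header replace "Connection" "close"
    # corp_explicit_proxy_pool is an assumed pool, e.g. proxy.corp.example:3128.
    pool corp_explicit_proxy_pool
}

when HTTP_RESPONSE {
    # A proxy error page or block page is not an OCSP response. Log it so a
    # failing revocation check shows up in /var/log/ltm instead of silently
    # failing the APM session.
    set rtype [string tolower [HTTP::header value "Content-Type"]]
    if { [HTTP::status] != 200 || $rtype ne "application/ocsp-response" } {
        log local0. "ocsp-proxify: unexpected reply status [HTTP::status] type '$rtype'"
    }
}
```

Because the responder's IP is now resolved by the proxy, the BIG-IP only needs a route to the proxy, and the L4 firewall rule only needs to permit the proxy address.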