Forum Discussion

Jim_Chapuran
Apr 23, 2020

Cert-Based Authentication to the Configuration Utility While Connected to an APM VPN

I have a VPN with an access policy attached to it, and it is working great. I also set up cert-based authentication to the Configuration Utility, which works great as well. However, I would like the Utility to work while connected to the VPN and also using cert-based authentication, and this is where I'm struggling. I followed this guide to set up a Virtual Server to access the Utility while connected to the VPN:

https://devcentral.f5.com/s/question/0D51T00006i7dcF/cant-access-to-management-interface-after-vpn-using-apm-established

It works great when I am using LDAPS authentication with my AD domain (un/pw). However, I'm having trouble getting this to work with cert-based authentication. I assume it is an issue with my server/client SSL profiles and am wondering if anyone is familiar with the right setup to get this to work?

  • Unfortunately that is not possible; with an SSL config like that (client and server side SSL profile) the client cert won't get further than the client side profile.

    You could try without the SSL profiles and see if it then works, but probably not.

    Another way would be to put the client cert on the server side profile, but that kinda defeats your client certificate authentication.

    Proxy SSL might be an option, but you need to disable quite some ciphers:

    https://support.f5.com/csp/article/K13385

    Using a hop server is another possibility.


    • Jim_Chapuran

      Thanks for the response. That is unfortunate. I guess my only follow-up is, is there any way to bypass that "security feature" Kevin Stewart alluded to in his earlier answer and use the primary IP instead of a VS?

      Our goal is to prevent "public" access to the console and only allow it from behind the VPN, using AD account certs. We've been able to do this with every other server and site that we run, so this is the last use of passwords for our privileged accounts - I'd really like to nix the password usage once and for all.

      • boneyard

        Wasn't even aware it was a security feature, always assumed more a traffic routing issue.

        It would be worth a support ticket for sure.

        Next to that you might be able to do some NAT construction on another device, getting the traffic to leave the BIG-IP and return from a different source IP; I would imagine that is enough to get access.
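As an added illustration of the first reply's point (constructed here, not part of the thread; all object names, certificate files, the 10.0.0.10 virtual address and the 192.0.2.10 pool member are placeholders), the tmsh configuration below shows the standard client-ssl/server-ssl bridging setup, in which the client certificate is validated and consumed at the BIG-IP, beside the Proxy SSL variant from K13385, which relays the original handshake so the backend sees the client certificate but only with RSA key-exchange cipher suites.

```tmsh
# Constructed example, not from the thread. Object names, certificate
# files, 10.0.0.10 (VIP) and 192.0.2.10 (pool member) are placeholders.

# --- Variant 1: standard SSL bridging (the setup the question describes) ---
# The BIG-IP terminates the client TLS session and verifies the client
# certificate against corp_ca.crt here. The server-ssl profile then opens
# a separate TLS session to the backend in which no client certificate is
# presented, so the backend (the Configuration Utility) never sees it.
create ltm profile client-ssl clientssl_mgmt defaults-from clientssl \
    cert mgmt.crt key mgmt.key \
    client-cert require ca-file corp_ca.crt
create ltm profile server-ssl serverssl_mgmt defaults-from serverssl

create ltm pool pool_mgmt members add { 192.0.2.10:443 }
create ltm virtual vs_mgmt destination 10.0.0.10:443 ip-protocol tcp \
    profiles add { tcp clientssl_mgmt { context clientside } \
                   serverssl_mgmt { context serverside } } \
    pool pool_mgmt source-address-translation { type automap }

# --- Variant 2: Proxy SSL (the alternative raised in the reply, K13385) ---
# With proxy-ssl enabled on both profiles the BIG-IP relays the original
# handshake between client and backend instead of terminating it, so the
# client certificate reaches the backend. The server-ssl profile must hold
# the backend's own certificate and private key so the BIG-IP can still
# decrypt and inspect the session, and only RSA key-exchange cipher suites
# can be used: DHE/ECDHE suites must be disabled on the backend and in the
# profile cipher lists (the exact cipher string is environment-specific).
modify ltm profile client-ssl clientssl_mgmt proxy-ssl enabled
modify ltm profile server-ssl serverssl_mgmt proxy-ssl enabled \
    cert backend_server.crt key backend_server.key
```

Variant 2 is the only one of the two in which the backend receives the client certificate; whether the Configuration Utility's own TLS stack can be limited to RSA key exchange is the caveat the reply points at.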