Forum Discussion
Kevin_Stewart
Sep 10, 2012 (Employee)
The biggest problem is going to be ProxySSL. It needs a clear unobstructed path to the back end server and as such doesn't play well with others. I looked at integrating ProxySSL and SNI (to switch SSL profiles based on TCP negotiation) and ProxySSL breaks that.
I'd say at this point, if the single IP is a hard requirement, that you look at ways to send alternative information to the registration server and terminate the SSL at the BIG-IP. iRules have full access to the X509 data, so it's fairly trivial to send the entire certificate base64 encoded, or some specific attribute like the cert UPN (EDIPI@mil), in an HTTP header or other form. Also consider that in most cases it's not the application that is requesting the certificate, but rather the web server during SSL negotiation, so it should be straightforward to make the application consume that certificate information via an alternate "channel" - from a TRUSTED proxy.
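The approach described above (terminate SSL on the BIG-IP and hand the certificate data to the registration server over a trusted channel), as an added iRule example that is not part of the original post. It assumes a Client SSL profile with client certificate authentication set to request or require; the header names are constructed for this example, and the back end must accept them only from the BIG-IP.

```tcl
# Added example: forward client certificate data from the BIG-IP to the
# back-end application in HTTP headers. Header names are constructed.
when CLIENTSSL_CLIENTCERT {
    # Runs once the client has presented its certificate during the handshake.
    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 returns the leaf certificate in DER form.
        set cert_der [SSL::cert 0]
        # Whole certificate, base64 encoded, so the app can parse any attribute.
        set client_cert_b64 [b64encode $cert_der]
        # Subject DN as a convenience field (CAC/PIV subjects carry the EDIPI).
        set client_cert_subject [X509::subject $cert_der]
    }
}

when HTTP_REQUEST {
    # Always strip any client-supplied copies of these headers first, so the
    # only values that reach the application are the ones this proxy sets.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"

    if { [info exists client_cert_b64] } {
        HTTP::header insert "X-Client-Cert" $client_cert_b64
        HTTP::header insert "X-Client-Cert-Subject" $client_cert_subject
    }
}
```

Because the headers are plain text once past the BIG-IP, the server-side path should be restricted (for example, the pool members accept HTTP only from the BIG-IP self IPs) so a client cannot reach the application directly with forged headers.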