NimbostratusProxy SSL to Exchange with certificate-based authentication (CBA)
Hello all.
I'm trying to use our F5 as Proxy SSL with certificate-based authentication. Basically, I want connections from the internet to connect to mymail.mydomain.com, and if the URI is correct, the SSL certificate is passed forward to the backend Exchange server backend.mydomain.com. Here's what I have:
-
Client SSL profile, inherited from clientssl Certificate is mymail.mydomain.com Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES' ProxySSL is enabled Everything else is default.
-
Server SSL certificate, inherited from Serverssl certificate, key, and chain are all from backend.mydomain.com Ciphers are 'DEFAULT:!ECDHE:!DHE:!DES' ProxySSL is enabled
I have two iRules: one which checks the URI, and if it's correct, sets the node to backend.mydomain.com. The second captures ciphers passed, and notes what cipher is chosen, from https://devcentral.f5.com/questions/irule-to-log-ssl-cipher-version.
I am assured that IIS on the Exchange server is configured with only the following ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
When I try to connect, I get errors like:
Rule /Common/ciphercheck_mymail : Client: [client-ip] attempts SSL with ciphers: c02c,c02b,c024,c023,c00a,c009,cca9,c030,c02f,c028,c027,c014,c013,cca8,c008,c012,009d,009c,003d,003c,0035,002f,000a
Cipher c028:5 negotiated is not supported by Proxy SSL configured in virtual server /Common/mymail.mydomain.com.app/mymail.mydomain.com_combined_https.
Connection error: ssl_hs_pxy_scan:11515: unavailable suite (47)
SSL Handshake failed for TCP [client-ip]:port -> [mymail-external IP]:443
SSL Handshake failed for TCP [backend.myserver-ip]:443 -> [self-IP]:port
Cipher c028 (ECDHE-RSA-AES256-SHA384) isn't in my listed set of ciphers, either on the client ssl profile or on the server ssl profile. Is there something I'm missing?