
Limiting external access to APM to company devices

Hello All,

I have been tasked with restricting external access to our APM. Management wants only company-owned devices to be able to access the webtop. These devices will be laptops and iPhones. I have it working by authenticating off our public cert installed on my devices, but as this will need to be installed on about 2000 devices, it's cost prohibitive. We would like to go the route of a self-signed cert. In testing with that, it worked on all but iPhone, but this prevented me from also using the public cert to secure our portal site.

Has anyone else run into this request? I've searched extensively on the web and DevCentral, but have not been able to find something similar. I'll attach a quick diagram I created in Paint to demonstrate what we are currently using and what I'm hoping to accomplish.

This is what I currently have set up (in simplified format). We check the IP subnet and then route accordingly. Internal IPs auth with NTLM and are then presented with the webtop. External IPs hit a logon page. If the user attempting to log on is an employee, they go against AD auth. If they are an external customer, they go against our external domain AD auth and are presented a different webtop. I'm wanting to add the red bit. As stated, I have been testing with certs for that part, but if someone has tried a better solution, I'm open to that.

Comments on this Question
Comment made 12-Jul-2017 by Carlos Alperin 242

We used 2-factor authentication software that uses smartphones as the 2nd factor.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I was able to get this to work and just wanted to post my final settings so it could potentially help someone else. Thanks to Jie and Stanislas for the replies.

The final configuration ended up being creating two SSL profiles, one for the public cert, one for the private self-signed cert. To work with iOS devices, the self-signed cert MUST be signed by the Root CA; it cannot be an intermediate-signed cert. These two profiles MUST have identical settings, including Trusted Certificate Authorities, which I set to my self-signed Root CA on both. I set both to "ignore" on my Client Certificate setting. Both SSL profiles were then assigned to the VIP that my APM was assigned to.

On the APM, where I have "Verify Company Device" above, I added a General box to create a branch for iPhones/iPads that was separate from all other devices. I used this: expr { [mcget {session.user.agent}] contains "iPhone" || [mcget {session.user.agent}] contains "iPad"} On-Demand Cert Auth was added for both branches after the General branches. On the iOS side, it was set to Require; on the other side, it was set to Request. I'm not sure if this is really necessary, but it worked and I went with it and kept it. Behind that, it's just business as usual with the APM... assign webtop and resources.

Once the self-signed cert was installed on the accessing devices, things worked as expected. It definitely seemed to work better on Android vs iOS, but even with that, it's only 1 additional click on iOS to provide two-factor auth.

Hopefully this info helps the next person. I was able to find bits of the solution across multiple posts and just wanted to aggregate a high level overview of what worked for me under this.

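The two-profile setup described in the accepted answer, written out as tmsh commands. This is an added example, not the poster's own configuration; the profile, file, virtual server and hostname values are assumptions, and the certificates and the internal root CA are assumed to have been imported under those names already.

```tmsh
# Added example, not the poster's configuration. Object names, file names,
# the virtual server name and the hostname below are assumptions.

# Profile 1: publicly signed cert for the portal hostname. Both profiles
# trust the internal root CA (Trusted Certificate Authorities = ca-file)
# and set Client Certificate to ignore, leaving the client-cert prompt
# to the APM On-Demand Cert Auth agent, as the answer describes.
create ltm profile client-ssl portal_public_clientssl {
    defaults-from clientssl
    cert portal_public.crt
    key portal_public.key
    chain portal_public_chain.crt
    ca-file company_root_ca.crt
    peer-cert-mode ignore
    server-name portal.example.com
}

# Profile 2: cert signed directly by the internal root CA (no intermediate,
# per the iOS note in the answer). Settings are otherwise identical;
# sni-default marks it as the fallback when a client sends no SNI.
create ltm profile client-ssl portal_internal_clientssl {
    defaults-from clientssl
    cert portal_internal.crt
    key portal_internal.key
    ca-file company_root_ca.crt
    peer-cert-mode ignore
    sni-default true
}

# Assign both client-side SSL profiles to the APM virtual server.
modify ltm virtual vs_apm_portal profiles add {
    portal_public_clientssl { context clientside }
    portal_internal_clientssl { context clientside }
}

# For reference, the VPE General-box branch rule (Tcl) from the answer that
# separates iPhone/iPad clients; On-Demand Cert Auth then follows each
# branch (Require on the iOS branch, Request on the other):
#   expr { [mcget {session.user.agent}] contains "iPhone" || [mcget {session.user.agent}] contains "iPad" }
```

The user-agent branch only changes which certificate mode is applied; the device check itself is the On-Demand Cert Auth validation against the root CA in ca-file.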

I have implemented a similar setup before, for a VDI environment. The business case was that some software packages were licensed for use on company-issued devices only.

There was no way of telling if a device was owned by the company.

We went for a company self-signed private certificate installed on these devices. It all seemed to work in testing, but the iPhone was not on the test list.

However, for a large enterprise, managing that certificate is no small task.


Hi,

You can use a certificate signed by an internal CA to authenticate users even if the virtual server certificate is signed by a public CA.

Comments on this Answer
Comment made 29-Jun-2017 by mike.drennen 268

Thanks for the reply Stanislas. Do you have any links on how to achieve this or any specifics as to how it would be configured? I was reading your reply to another question from 2015 about applying two client profiles to one VIP. That led me to this article:

https://support.f5.com/csp/article/K13452

I was able to apply both profiles to the VIP and it gave me a secure connection when hitting the portal, but it looks like when I use On-Demand Cert Auth, it's requesting the public cert.

Thanks again.
