Forum Discussion

JoeTheFifth
Oct 30, 2014

BigIP User SSL Authentication

Hi Guys, Let's start with the setup: 1 Domain Controller (also acting as CA) 2 IIS servers 1 BigIP 1 Windows PC

I want to use SSL to authenticate the user using the Windows PC. I set up an IIS site using a domain certificate. I create a certificate for the user. I test the setup connecting the user PC directly to the IIS servers. The user loads the website. He is presented with a certificate choice popup. He chooses the certificate and logs on to the site successfully.

Now comes in the BigIP :-) I set up an HTTPS VS with a client and server SSL profile. BigIP version 10.x. The user loads the site and gets 403 - Forbidden: Access is denied. I understand I'm getting this because the website is configured to require the user certificate but it is not getting the user certificate. The VS is a standard SSL HTTPS VS using a client and a server SSL profile. So the BigIP is doing a decryption/encryption operation and presenting the server SSL profile to the IIS server just to encrypt the traffic and not to authenticate the user. I can make it work only if I use the VS type Performance (HTTP), which is a passthrough type, so the client PC is talking directly to the IIS server and presenting the user certificate to the IIS server. I also understand that there are authentication modules which can make this work.

So my questions:

1. Am I missing anything?
2. Am I right in thinking the only way to make this work without any authentication module is to create a Performance (HTTP) VS?

Thanks for your time.

12 Replies

  •
    Lucas_Thompson_
    Historic F5 Account

    This use case (sending end-user client certificates to a backend server while still using BIG-IP client/server SSL profiles) can be implemented in 11.x by using the "Proxy SSL" feature.

    See documentation here:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html

    Also be aware of a bug in earlier 11.x versions. It's corrected in later releases:

    https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14571.html

  • That's good info there, thanks. I was testing on version 10 VE. My client does have version 11 in production so this will fix it. But I guess I will have to use two different VSs for our needs since we are only using 1 VS for 4 HTTPS sites, and one of these sites will be configured to authenticate users based on SSL certificate. By this I mean if we check the SSL proxy checkbox on the SSL profiles this will break the other 3 sites. What do you think?

    •
      Lucas_Thompson_
      Historic F5 Account
      Different virtuals give you more cipher options, statistics, and flexibility of general configuration. For sites that don't need client certificates, don't use proxy-ssl.
    •
      JoeTheFifth
      Thanks. Is your last sentence a recommendation/best practice or a constraint? Just to be sure about the arguments the client is waiting for. I will test this though.
  • I downloaded the Virtual Edition 11.3 available on the F5 site. Unfortunately it has the bug you mentioned and no hotfix available. According to the link you posted, the fix is only available in version 1.4. My client is using 11.2. So I guess we're toast. We will only be able to use the Performance type VS.

  • I downloaded the Virtual Edition 11.3 available on the F5 site. Unfortunately it has the bug you mentioned and no hotfix available.

    Can't you avoid using TLS 1.1 and 1.2?

    Anyway, I understand there is an engineering hotfix for 11.3.0. You may open a support case to check.

  • How do I do that on the LTM, i.e. force it not to use TLS 1.1 and 1.2? I'm not an LTM expert :-) This might lead to a compatibility issue on client browsers, I guess!

  • Thanks. I will check that. One thing is bothering me though. I checked the VS config of my client (version 11.2). The 'Proxy SSL' option is not checked and now the client authentication using SSL is working !!! It was not working last Friday :-( Is it possible this works without checking the Proxy SSL option mentioned in the first reply to my post?

  • Is it possible this works without checking the Proxy SSL option mentioned in the first reply to my post?

    clientssl and serverssl profiles can do client and server authentication. Proxy SSL comes in when you want the client to be authenticated by the server directly.

    SSL Profiles Part 8: Client Authentication by John Wagnon

    https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication

    SSL Profiles Part 9: Server Authentication by John Wagnon

    https://devcentral.f5.com/articles/ssl-profiles-part-9-server-authentication

    sol13385: Overview of the Proxy SSL feature

    https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

    Hope this helps.
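    As an added illustration (not from this thread, the F5 docs, or the poster), here are the two profile setups the replies above contrast, in bigip.conf-style tmsh syntax for 11.x: the first lets the BIG-IP authenticate the client certificate itself, the second (Proxy SSL, enabled on both profiles) passes the client's handshake through so IIS authenticates the user directly. Profile names, certificate, key and CA object names are placeholders, and the `options` line is only the TLS 1.1/1.2 workaround suggested above for affected 11.x builds.

```tmsh
# Setup 1: BIG-IP terminates TLS and verifies the user certificate itself.
# IIS never receives the client certificate, so a site behind this VS
# must not be configured to "require" client certificates (that is the
# 403 seen in the original post).
ltm profile client-ssl clientssl_terminate_clientauth {
    defaults-from clientssl
    # placeholders: the BIG-IP's own server certificate and key
    cert site.crt
    key site.key
    # request a client certificate and reject the handshake without one
    peer-cert-mode require
    # placeholder: bundle of the CA that issued the user certificates
    ca-file corp-ca.crt
    client-cert-ca corp-ca.crt
}
ltm profile server-ssl serverssl_reencrypt {
    # re-encrypts to IIS only; no client certificate is forwarded
    defaults-from serverssl
}

# Setup 2: Proxy SSL. The client handshake passes through and IIS
# authenticates the user certificate directly. It must be enabled on
# BOTH profiles, and these profiles belong on a separate VS from the
# sites that do not need client certificates, as advised above.
# The BIG-IP needs the backend's own certificate and key installed
# (placeholder names) because it decrypts the session with the server's
# key; Proxy SSL in these releases works only with RSA key exchange.
ltm profile client-ssl clientssl_proxyssl {
    defaults-from clientssl
    # same certificate and key that IIS presents
    cert iis-site.crt
    key iis-site.key
    proxy-ssl enabled
    # workaround from the reply above, for affected 11.x builds only
    options { dont-insert-empty-fragments no-tlsv1.1 no-tlsv1.2 }
}
ltm profile server-ssl serverssl_proxyssl {
    defaults-from serverssl
    proxy-ssl enabled
}
```

    A quick check for which mode is in effect: with setup 1 the IIS log shows the connection coming from the BIG-IP with no client certificate, while with setup 2 IIS itself prompts for and logs the user certificate.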

  • Hmm, how do you explain the fact that the Proxy SSL option is not checked and the user SSL authentication is working? If I understand the implementation of this option, you have to check it on both profiles if you want the server to authenticate the user using an SSL certificate...

    •
      JoeTheFifth
      Any volunteers? Does direct client SSL authentication work without the Proxy SSL option checked? I'm seeing mixed results on version 11.2.1 build 1225.0 Hotfix HF10, physical appliance.