MW1
Apr 24, 2013

Any way to front a fat/thick client with a client-side SSL certificate check using an LTM/iRule

All - I do not think it's possible but am asking in case I am missing something. I have a fat/thick desktop client that connects to a web service being load balanced by a pair of F5 LTMs, and have a client asking for two-factor auth, and was wondering, even if it was a bit of a hack, if there was a way to do this, to force a user to access a web page and be prompted to authenticate before the fat client can access the web service?

The issue is, as this is not browser-based, I cannot see how it would work, but I am open to any clever ideas anyone has.

Thanks in advance

W60

3 Replies

  • I think the biggest problem you'll have is session state. The browser and non-browser clients represent two separate sessions (layer 4, SSL, and maybe even layer 7) so if you presented a certificate with one, that data wouldn't be accessible to the other. Your absolute best option, in my opinion, is to figure out how to get the fat client to send a client certificate. This isn't usually an unreasonable solution, depending on the platform.

    That said, if the fat client can access and send (file-based) HTTP cookies, you could potentially set that cookie with the browser connection (after client certificate authentication) so that when the fat client makes its request and sends the cookie (also requiring a method for sharing the cookie store), then the F5 could grant access and maybe even have access to the certificate information. In any case you need a way for the browser and non-browser to share some piece of information, if only for a moment (cookie, URI, etc.).

  • Thanks for the response - unfortunately this has all come around from sales people agreeing to something we didn't have and the tech side finding out with 2 weeks to go. Our app dev guys are stating that they can't update the application in time, so I have now been asked if I can do an IP filter on the F5 instead that pulls the list of allowed IPs from a web page hosted internally - I will post in the iRules section to ask if pulling a data group from off the F5 is feasible.

    Thanks again
  • Just curious if we can put the web service behind an SSL VPN (e.g. APM) and do two-factor authentication on the SSL VPN.
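
A minimal model of the cookie hand-off suggested in the first reply, as an added example that is not part of the thread and not F5 or iRule code. Python stands in for the gateway logic; the cookie format, the signing key handling and the 120-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # gateway-only signing key (constructed here)
TTL_SECONDS = 120                 # assumed lifetime: shared "only for a moment"


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(cert_verified: bool, cert_subject: str, now=None):
    """Browser leg: mint a cookie only after client-certificate auth succeeded."""
    if not cert_verified:
        return None
    now = int(time.time()) if now is None else now
    payload = f"{now + TTL_SECONDS}|{cert_subject}"
    return f"{payload}|{_mac(payload)}"


def check_cookie(cookie: str, now=None):
    """Fat-client leg: return the certificate subject, or None to deny."""
    now = int(time.time()) if now is None else now
    payload, sep, mac = (cookie or "").rpartition("|")
    if not sep:
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    expiry, sep, subject = payload.partition("|")
    if not sep or not expiry.isdigit() or now >= int(expiry):
        return None
    return subject


if __name__ == "__main__":
    cookie = issue_cookie(True, "CN=alice,O=Example")  # constructed subject
    print("fresh cookie    ->", check_cookie(cookie))
    print("tampered cookie ->", check_cookie(cookie.replace("alice", "admin")))
    print("no certificate  ->", issue_cookie(False, "CN=alice,O=Example"))
```

The subject returned by `check_cookie` is the certificate information that stays available on the fat client's connection, even though that connection never presented a certificate itself.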