F5 BIG-IP SSL and non-SSL



We are looking to implement a solution whereby users must use SSL to access a particular web app if they have the correct client cert. For users who don't have the cert yet we want the solution to automatically revert to use HTTP for this app and continue. We want it to be seamless to the user.

We plan on using the BIG-IP for the SSL termination at the perimeter.

Can the big-ip detect that the users machine doesn't have the cert and redirect to http? Or am I way off course here? Are there other ways to do this?
58872Asked:
Who is Participating?
 
Steve JenningsIT ManagerCommented:
Yes, you can redirect based on an SSL negotiation error. The problem is that will defeat the purpose of requiring a specific client cert unless you also filter on the source IP address. That is, 'sneaky pete' wants access to your app but doesnt have the appropriate cert. You end up effectively giving it to him.

What am I missing?

Steve
0
 
Dave BaldwinFixer of ProblemsCommented:
You'll probably have to ask BIG-IP.  The general problem you are facing is that when you request an SSL connection, it gets negotiated First before anything else.  If it fails, you don't get anything but an error.  That would be normal.  Maybe BIG-IP can do something else.
0
 
58872Author Commented:
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.