F5 Configuration for Carbon Black EDR clusters

Article ID: 291600

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Set up F5 as a proxy for an EDR Server/Cluster for communications from outside a private network.

Environment

  • EDR Server: All Versions

Resolution

The F5 Configuration for Carbon Black Guide can be downloaded from this article and followed, with the following potential changes:

  • On page 4, the following iRule can be used instead of the one in the guide. It rejects connections that present no client certificate or whose certificate fails validation, and carries extra logging that can be enabled if needed:
    when CLIENTSSL_HANDSHAKE {
       if { [SSL::cert count] == 0 } {
           # No client certificate was presented at all: deny the connection
           log local0.info "Connection denied. Error: Client SSL handshake from [IP::client_addr] contains no client certificate."
           reject
       } elseif { [SSL::verify_result] != 0 } {
           # A certificate was presented but failed validation against the configured CA bundle
           log local0.info "Connection denied. Error: Client SSL handshake from [IP::client_addr] failed certificate validation - [X509::verify_cert_error_string [SSL::verify_result]]."
           reject
       } else {
           # Store the accepted certificate under the SSL session ID so HTTP_REQUEST can reference it
           session add ssl [SSL::sessionid] [SSL::cert 0]
           log local0.info "Connection established. Info: Client SSL handshake accepted from [IP::client_addr]."
       }
    }
    when HTTP_REQUEST {
       if { [session lookup ssl [SSL::sessionid]] ne "" } {
           # Strip any client-supplied copies of these headers before inserting the values derived from the handshake
           HTTP::header remove X-Client-Cert-Id
           HTTP::header remove X-Real-IP
           HTTP::header insert X-Client-Cert-Id [X509::serial_number [session lookup ssl [SSL::sessionid]]]
           HTTP::header insert X-Real-IP [IP::client_addr]
           # Uncomment for per-request debugging
           #log local0.info "HTTP request from [IP::client_addr]"
           #log local0.info "X-Client-Cert-Id: [X509::serial_number [session lookup ssl [SSL::sessionid]]]"
           #log local0.info "X-Real-IP: [IP::client_addr]"
           #log local0.info "X-Forwarded-For: [HTTP::header X-Forwarded-For]"
       }
    }
  • For multiple server certificate support with F5 during a server cert change, the following steps can be used:
    3. Set up a dual server profile in F5 (experimental / undocumented) to use both the temporary and primary server certs.
    3.1. Import the new server certificate and key into F5.
    3.2. Check the box “Default SSL Profile for SNI” on the existing “CarbonBlack_Client_SSL” profile in F5.
    3.3. Create a new Client SSL Profile in F5 named, for example, “CarbonBlackClientProfile”:
      a. Set the existing Client SSL Profile as the parent profile.
      b. Update the Certificate Key Chain to use the new certificate and key.
      c. Set “edr.primary” as the “Server Name” value.
    3.4. Attach both the old and the new Client SSL Profiles to the existing “CarbonBlack*” Carbon Black Virtual Server configuration.
  • In step 6 of the F5 configuration, when following the steps for the Bundle location, /etc/cb/certs/cb-client-ca-bundle.crt can be used instead of the /etc/cb/certs/cb-client-ca.crt file if going through the steps of Regenerating a New Set of Certificates.
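To test the gate-and-rewrite logic of the iRule above off-box, here is an added Python model; it is not F5 code and not from the guide. The SSL::cert count and SSL::verify_result values become plain arguments, and the TRUSTED_PROXIES list and the upstream_client_id check are assumptions about how an upstream should treat the injected headers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the F5 self-IP range an upstream should accept the injected headers from
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

@dataclass
class HandshakeDecision:
    accept: bool
    log: str

def clientssl_handshake(client_addr: str, cert_count: int, verify_result: int,
                        verify_error: str = "") -> HandshakeDecision:
    """Mirror of CLIENTSSL_HANDSHAKE: no cert or a non-zero verify result is rejected."""
    if cert_count == 0:
        return HandshakeDecision(False, f"Connection denied. Error: Client SSL handshake "
                                 f"from {client_addr} contains no client certificate.")
    if verify_result != 0:
        return HandshakeDecision(False, f"Connection denied. Error: Client SSL handshake "
                                 f"from {client_addr} failed certificate validation - {verify_error}.")
    return HandshakeDecision(True, f"Connection established. Info: Client SSL handshake "
                             f"accepted from {client_addr}.")

def http_request_headers(headers: dict, client_addr: str, cert_serial: Optional[str]) -> dict:
    """Mirror of HTTP_REQUEST: when the handshake stored a certificate for this SSL session,
    client-supplied X-Client-Cert-Id / X-Real-IP are dropped and replaced with F5-derived values."""
    if cert_serial is None:  # no session entry: the iRule leaves the request untouched
        return dict(headers)
    out = {k: v for k, v in headers.items() if k.lower() not in ("x-client-cert-id", "x-real-ip")}
    out["X-Client-Cert-Id"] = cert_serial
    out["X-Real-IP"] = client_addr
    return out

def upstream_client_id(peer_addr: str, headers: dict) -> Optional[str]:
    """Backend-side check (assumption, not from the guide): honour X-Client-Cert-Id only
    when the TCP peer is an F5 address, so a direct connection cannot forge it."""
    if not any(ip_address(peer_addr) in net for net in TRUSTED_PROXIES):
        return None
    return headers.get("X-Client-Cert-Id")
```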
Attachments

F5 Configuration for Carbon Black clusters.pdf