Microsoft Windows Bulletin Board

Using Certificate Enrollment Policy on WS2016 with F5 Secure Tunnel Fails Access Denied



Guest begegeek
Posted

Hi all; I very much need assistance with configuring CEP with an F5 Secure Tunnel. The problem is the tunnel can use any one of 5 IP addresses. I have the bindings set with an SSL certificate that lists the VIP hostname as well as the actual hostname. In IIS under CEP application settings, I have configured the URI with the VIP hostname as well.

This solution works fine when directly connecting, but through the secure F5 tunnel it fails consistently with "Access was denied by the remote endpoint. 0x803d0005"

Our F5 team suggested using XFF (X-Forwarded-For) when they tried enabling it on their side. The only place I can find to do this is for IIS logging. The only effect it had on the error was that it timed out. There is nothing else that I can find to make CEP treat the XFF in the header as the actual client.

When I test by spoofing the VIP hostname to the actual IP of the CEP server, validation and enrollment work. Run the traffic through the F5 secure tunnel, and it fails.

If anyone has any documentation to help, it would be most helpful.
