Explain. Seems like something I haven't come across yet.
Let's say you're using ADFS or a similar STS.
So you'll have your F5... a proxy server in the DMZ that doesn't have DNS and maybe a hosts file only allowing it to connect to specific endpoints. Then from there there's likely another firewall and an F5 behind that, routing traffic to your ADFS pool.
Without being too technical, allowing secure authentication from the internet for your users, for let's say mobile devices.
When they connect to the VIP and begin their TLS/SSL handshake they'll need to hit the CRL distribution point for your cert provider (allowing auth up the chain).
The distribution point is a URL, e.g. https://verifycert.certblah.net/dheiem.crl or something similar.
If you don't whitelist all the applicable endpoints you'll receive a timeout when creating the SSL handshake. You can see that in Wireshark as a long wait during the client hello and then a RST ACK being returned without the handshake ever occurring, because that IP is not whitelisted.
From the application you'll likely just see a 503.
Point being, it can cause a headache for your service teams from something that should probably be audited when renewing certs etc. But without it you could find yourself with catastrophic failures for remote/mobile users.
I didn't proofread this and wrote it drunk on my phone. Feel free to correct, edit, make the example work better.
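The audit step the comment above asks for (pull every CRL distribution point and OCSP/CA-issuer URL out of a certificate so the DMZ proxy's hosts file and firewall whitelist can be checked at renewal time) can be done with nothing but a small DER walker. The block below is an added example, not code from the commenter or from any product mentioned above; it uses only the Python standard library, builds a constructed Extensions sequence with invented `*.example-ca.invalid` URLs so it runs offline, and the same `revocation_endpoints()` works on a real DER or PEM certificate passed on the command line. The OIDs are the standard ones (2.5.29.31 for CRL distribution points, 1.3.6.1.5.5.7.1.1 for authority information access); the encoder/builder helpers exist only to construct the sample.

```python
"""List CRL / OCSP / CA-issuer URLs from an X.509 certificate using a minimal DER walk.

Added example (not the commenter's code). Standard library only.
"""
import base64
import sys
from urllib.parse import urlsplit

# Standard OIDs, pre-encoded as DER content bytes.
CDP_OID = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
AIA_OID = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OCSP_OID = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
CAISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
URI_TAG = 0x86  # GeneralName [6] uniformResourceIdentifier (context-specific, primitive)


def der_tlv(data, pos):
    """Decode one tag-length-value at `pos`; returns (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def iter_tlv(data):
    """Yield (tag, value) for each sibling element in a DER byte string."""
    pos = 0
    while pos < len(data):
        tag, val, pos = der_tlv(data, pos)
        yield tag, val


def walk(data):
    """Depth-first over every element; only constructed tags (bit 0x20) are descended."""
    for tag, val in iter_tlv(data):
        yield tag, val
        if tag & 0x20:
            yield from walk(val)


def revocation_endpoints(der_blob):
    """Return {'crl': [...], 'ocsp': [...], 'ca_issuers': [...]} found in any DER structure."""
    found = {"crl": [], "ocsp": [], "ca_issuers": []}
    for tag, val in walk(der_blob):
        if tag != 0x30:
            continue
        children = list(iter_tlv(val))
        # An Extension is SEQUENCE { OID, [BOOLEAN critical], OCTET STRING extnValue }
        if len(children) < 2 or children[0][0] != 0x06 or children[-1][0] != 0x04:
            continue
        oid, extn_value = children[0][1], children[-1][1]
        if oid == CDP_OID:
            # Any URI GeneralName nested under the DistributionPoints is a CRL location.
            found["crl"] += [v.decode() for t, v in walk(extn_value) if t == URI_TAG]
        elif oid == AIA_OID:
            # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
            for t, ad in walk(extn_value):
                if t != 0x30:
                    continue
                parts = list(iter_tlv(ad))
                if len(parts) == 2 and parts[0][0] == 0x06 and parts[1][0] == URI_TAG:
                    key = {OCSP_OID: "ocsp", CAISSUERS_OID: "ca_issuers"}.get(parts[0][1])
                    if key:
                        found[key].append(parts[1][1].decode())
    return found


def hosts_to_allow(der_blob):
    """Sorted unique hostnames the DMZ proxy must be able to reach for this certificate."""
    urls = [u for lst in revocation_endpoints(der_blob).values() for u in lst]
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).scheme in ("http", "https")})


# ---- constructed sample (hypothetical URLs; builder helpers are for the demo only) ----
def der(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _uri(u):
    return der(URI_TAG, u.encode())


def cdp_extension(urls):
    # DistributionPoint { [0] DistributionPointName { [0] GeneralNames { [6] URI } } }
    dps = b"".join(der(0x30, der(0xA0, der(0xA0, _uri(u)))) for u in urls)
    return der(0x30, der(0x06, CDP_OID) + der(0x04, der(0x30, dps)))


def aia_extension(ocsp_url, ca_issuers_url):
    ads = der(0x30, der(0x06, OCSP_OID) + _uri(ocsp_url)) + \
          der(0x30, der(0x06, CAISSUERS_OID) + _uri(ca_issuers_url))
    return der(0x30, der(0x06, AIA_OID) + der(0x04, der(0x30, ads)))


SAMPLE_EXTENSIONS = der(0x30,
    cdp_extension(["http://crl.example-ca.invalid/intermediate.crl"]) +
    aia_extension("http://ocsp.example-ca.invalid",
                  "http://cacerts.example-ca.invalid/intermediate.crt"))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXTENSIONS
    if blob.startswith(b"-----BEGIN"):  # PEM: strip armor lines, base64-decode the body
        blob = base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
    print(revocation_endpoints(blob))
    print("allow-list hosts:", hosts_to_allow(blob))
```

Run it against each certificate in the chain presented on the VIP (leaf, intermediates, and the root if it carries a CDP) and diff the host list against the proxy's hosts file and egress rules; a host missing from that list is exactly the silent-timeout failure described above.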
Celebrating this win! Ayyye