Nimbostratus
NimbostratusHello S Blakely,
Thanks for your quick and detailed response. Here are our details:
Virtual Server configured with a VIP address
HTTP Profile - http-explicit, **http-explicit-proxy-vip**, external-resolver,
**Customer specific profile inheriting http-explicit parent profile settings
Referring to the previous questions and your answers:
Again really appreciate the help with this. Thanks.
EmployeeOK - so the virtual is acting as an explicit proxy.
Client side traffic is port 8080 and unencrypted.
The http profile (explicit proxy) sees an incoming CONNECT request to tools.cisco.com:443
At this point the BigIP uses the configured DNS resolver to resolve tools.cisco.com, and opens a TCP connection to port 443 - this is automatic, and uses the host:port combination in the URI of the CONNECT request.
The http profile responds to the client with a HTTP/1.0 200 OK to establish the proxy tunnel, and the client then sends a TLS ClientHello. This uses the existing port 8080 connection from the client to the BigIP virtual, and the BigIP translates this to the port 443 connection on the server-side.
From this point on, the BigIP is just a relay, passing the TLS packets from client to destination server, in the same way any HTTP proxy does - no snooping, no interfering - just port and address translation.
If you want to look inside those packets, you need F5 SSLO, and that's a whole other story.