Hi Richard, I've just developed a LDAP-StartTLS Proxy iRule. Initially I've started to recycle some parts of your iRule, but then decided to write a new BER parsing logic to make it a little less complicated (e.g. Bit-Mask compare for long form length detection) and to become more BER compliant (e.g. allow long form integer length values). Anyhow, your iRule was still a good starting point for me. You'll find the LDAP-StartTLS Proxy iRule here...https://devcentral.f5.com/s/articles/ldap-starttls-extension-to-ldaps-proxy Cheers, Kai