Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

SSL decryption for IPS on REVERSE proxy

Hi,

We have been trying to get our IPS solution installed so that the Big-IP decrypts, sends to IPS, then re-encrypts before sending the packet on to it's destination.

It is on a Big-IP Reverse Proxy. All of the deployment guides only address Proxy SSL (FORWARD proxying). I understand that the difference between Reverse and Forward are significant enough that the deployment guides for Forward will not work.

The problem is that the site becomes very slow once we enable the decryption/redirection. We also see some SSL traffic on the private VLANs between the IPS and the Big-IP. This should never happen if the iRule is working properly.

The flow is from the Internet is:

Internet > Firewall > F5 #1 > load balanced IPS > F5 #1 > destination

Here is the iRule we are using:

when CLIENT_ACCEPTED {
  ## perform operation on percentage of traffic
  set percent [class lookup percent vip_presets]
  if { rand() < $percent } {
        SSL::disable serverside
        log local0. "SSL disabled serverside and random selected"
    ##  get the name of the default pool and store in a variable
    set app_pool [LB::server pool]
    log local0. "app_pool set to $app_pool"
    ##  check for active members of the security device pool
    if { [active_members IPS_Pool] > 0 } {
        ## get load balanced L3 service
        pool IPS_Pool
        set L3 [lindex [split [LB::select]] 3]
        log local0. "HTTPS IPS sensor selected is $L3"
        ##  use snat none if snat is enabled in VS config but
        ##  needs to be disabled for routing through security devices
        snat none
    } else {
         ## inline service failed - go direct to app pool
         log local0. "L3 IPS service down"
         SSL::enable serverside
         log local0. "ssl enabled serverside"
         ## snat as required
         ## snat automap
      }  
    ## re-select the app pool
    pool $app_pool
    log local0. "HTTPS pool is $app_pool"
  } else {
    log local0. "HTTPS not redirected"
  }
}
when LB_SELECTED {
     if { [info exists L3] } {
         ## nexthop through L3 service
         LB::reselect nexthop ${L3}
         log local0. "routing through IPS - HTTPS LB reselected $L3"
    }
}

Any ideas, suggestions, or things to try are greatly appreciated!

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

I can recommend using this deployment guide, by Jason Rahm:

https://devcentral.f5.com/articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic-manager

I have tested and verified it works in a LAB.

Best regards, Morten

1