
SSL Forward Proxy Question

Hello all

We have a requirement to allow some servers in a DMZ to talk to a service on the internet. I was looking into the SSL Forward Proxy feature on the LTMs as this appears to provide the service we need. F5's documentation on this is rather weak and rushed. I am following this guide:

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-6-0/13.html

Some (basic) questions I had on this:

  1. When I create a pool, presumably the pool members are the server IPs on the internet?
  2. The certificate I use on the Client SSL Profile (Certificate B in the link above) - does this certificate need to be signed by our internal CA, and if so, do we need to use a particular certificate template, e.g. Subordinate Certification Authority?
  3. In the Client SSL Profile, do we only (at minimum) need to configure the SSL Forward Proxy section?
  4. In the Server SSL Profile which certificate and key do we use? We need the LTM to perform MA with the server. Will this be a certificate generated on the LTM itself or do we need to import the cert + keys of the back end server and use those here?

Thank you.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This post has a really good write-up on how to configure SSL forward proxy. F5 luminary Kevin Stewart provides a step-by-step. See SSL forward proxy what cert to use

Hope this helps

N

Comments on this Answer
Comment made 4 days ago by Devlin_T 269

Thanks Nathan. I did see this and actually managed to get things working. Turns out you do need to use the certificate template as mentioned above. Also, the pool member should be the next hop device e.g., a router.

Comment made 4 days ago by nathan 6395

Good news

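Since the thread settles on the subordinate-CA template for question 2, here is an added example (not from this thread and not F5's code) that builds a throwaway internal root CA and a subordinate CA cert + key pair of the shape that goes into the Client SSL profile's SSL Forward Proxy section, then checks the properties BIG-IP needs before you import it: CA:TRUE, a keyUsage that permits certificate signing, a private key that matches the cert, and a chain back to the root the DMZ servers trust. For contrast it also mints a cert from a web-server-style template, which fails the CA check, which is what happens when the wrong template is used. It only needs the openssl CLI; every subject name, file name and the temp directory are constructed for the demonstration, and nothing here touches a BIG-IP.

```shell
#!/bin/sh
# Added example: generate and sanity-check a forward-proxy signing CA with openssl.
# All names/paths below are assumptions made for the demonstration.

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so 'req' runs non-interactively on any build.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed: a self-signed internal root CA standing in for the corporate CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Sign a CSR with the root, applying the extensions in $3 (an extfile path).
sign_with_root() {
  openssl x509 -req -in "$1" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$2" >/dev/null 2>&1
}

# Constructed: subordinate CA pair, the "Certificate B" shape for the forward proxy.
make_sub_ca() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=BIG-IP Forward Proxy Sub CA" \
    -keyout "$WORK/subca.key" -out "$WORK/subca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/subca.ext"
  sign_with_root "$WORK/subca.csr" "$WORK/subca.crt" "$WORK/subca.ext"
}

# Constructed: a web-server-template style leaf cert (CA:FALSE), the wrong thing to import.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=dmz-host.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$WORK/server.ext"
  sign_with_root "$WORK/server.csr" "$WORK/server.crt" "$WORK/server.ext"
}

# Check 1: the cert is a CA (subordinate-CA template gives this; a server template does not).
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: key usage permits signing certificates (required to re-sign server certs).
has_keycertsign() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' | grep -q 'Certificate Sign'
}

# Check 3: private key matches the certificate (a common import mistake).
key_matches_cert() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Check 4: the cert chains to the internal root the DMZ servers trust.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# All four checks must pass before the pair is worth importing as the forward-proxy CA.
verify_forward_proxy_ca() {
  is_ca_cert "$1" && has_keycertsign "$1" && key_matches_cert "$1" "$2" && chain_verifies "$1"
}

# Stand-alone run: build everything and report.
make_root_ca && make_sub_ca && make_server_cert
if verify_forward_proxy_ca "$WORK/subca.crt" "$WORK/subca.key"; then
  echo "subca.crt: OK as forward-proxy CA"
else
  echo "subca.crt: NOT usable as forward-proxy CA"
fi
if is_ca_cert "$WORK/server.crt"; then
  echo "server.crt: unexpectedly a CA"
else
  echo "server.crt: not a CA (server template), would not work as Certificate B"
fi
```

Run it on any host with openssl; the four checks are the ones worth repeating against the real subordinate CA before importing it on the LTM, with the internal root passed to the verify step instead of the constructed one.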
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Do you require an SSL forward proxy, or do you want LTM to act as a forward proxy for HTTPS requests?

LTM can act as a forward HTTPS proxy without the SSL forward proxy feature (and without a license).

The SSL forward proxy feature is useful when you want to enable HTTP security features like URL filtering.
