Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

SSL Intercept

Hi All, fairly new to using an iApp - so here is my question.

We need to be using the SSL_intercept_SVC_chain iApp to mitigate the scenario where TLS 1.0 is no longer supported in the big wide world. Basically we have a number of old apps that will only use TLS 1.0 and since this is now being deprecated we plan to use the F5 to handle the client to F5 as TLS 1.0, but then forwards onto external sites as TLS1.2 or 1.3.

I have downloaded the iApp, and have worked out all the settings I need to use to make the Application Service - however what I don't get is how to join together the AS and a virtual server.

We plan to use an internal DNS entry for selected external sites so that the traffic is forced to the F5 and passed to the internet, and away from our proxies thereby using the F5 to do the TLS re-negotiation/upgrade.

We have a two LTMs running in HA so its not a case of passing it from one F5 to another F5 via a decrypt zone.

Once I have run the iApp - what do I need to do to use it.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Firstly, the iApp scenario is not the same as you have. Have a look at this link:

https://support.f5.com/csp/article/K75104042

In relation to virtual server, there is a section in the iApp with multiple questions about the virtual server. However, it does not ask you the virtual server IP, as it uses 0.0.0.0/0. The iApp will then create 2 virtual servers with 0.0.0.0/0, one for TCP and one for UDP traffic.

0
Comments on this Answer
Comment made 12-Jan-2018 by Paul.Williams 13

Perhaps I should have added that the LTMs are on version 12.1.2 - hence I cannot user the f5.ssl_intercept.v1.0.1 version.

0
Comment made 16-Jan-2018 by Leonardo Souza 3174

Ok, so what is your plan? I can give you some ideas about how to get that manually, without iApp, but is not that easy.

0
Comment made 01-Feb-2018 by Paul.Williams 13

Ok - we tried with the iAPP and as indicated above, it doesn't do what we thought it did. The issue is that the virtual server it creates has an IP address of 0.0.0.0 which means the clients would need to be in the same subnet as the F5.

Here is what we want to do.....

Our anticipation was that we could point any internal traffic requiring SSL/TLS uplift to a generic virtual server listener on the F5 (using internal DNS with the same name as the public FQDN for each external name, all pointing to the one generic listener) and that the F5 could proxy the traffic on to the public FQDN, achieving TLS uplift at the same time. In other words, without a listener per FQDN that we want to uplift the SSL/TCL for – all to the same listener, and then passed through to the public FQDN from the back-end of the F5 – and without the need to distribute internal certificates and load third party certificates.

However, we are having difficulty seeing how we can achieve this other than putting the F5 in-line (not practical) or reverting to the approach of one virtual server per external FQDN – but then having to issue internal certificates and load the third party certificate into the F5, per FQDN. This is what we were wanting to avoid due to the overhead of maintaining it

0
Comment made 01-Feb-2018 by Leonardo Souza 3174

Just an important correction, a virtual 0.0.0.0/0 as destination, means it will handle traffic to any destination (normally used for traffic destinated to the Internet).

I think what you need is a forward proxy. You could have that as transparent or explicitly proxy. Have a look in the SWG module:

https://f5.com/products/big-ip/secure-web-gateway-services-swgs

There is also proxy ssl and forward proxy, but does not look like is for your case.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/14.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/15.html

0
Comment made 02-Feb-2018 by Paul.Williams 13

The problem with a forward proxy is that it just passes the clients request through the F5 (at least that's my understanding) and since we want to use DNS to control which servers use the solution, the F5 will not forward the traffic to the far end website.....I might be wrong and not understand the concept correctly.

0
Comment made 02-Feb-2018 by Paul.Williams 13

Also - is the SWG module an add in - as in would we need a licence key for it...?

0
Comment made 05-Feb-2018 by Leonardo Souza 3174

You can setup F5 with an external DNS server, or find a way to setup static DNS names in F5 (not a good idea, if not a single public IP). With forward proxy SSL, F5 terminates and starts a new SSL connection, so looks like what you need.

I don't think is a clean solution, this why I think SWG maybe the more straightforward, if works.

SWG is a separated module. Not sure if you can get a license to SWG separated, or you need APM. You can talk F5 sales, and ask for a trial license. https://f5.com/products/how-to-buy

0