Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

SSL offloading query

Hello Team,

Below is the flow :

Client ----HTTPS (443)--->LTM ----> HTTPS (8443)

A customer requires LTM to do the SSL offloading to achieve this, however, I have configured client SSL profile (with certs/keys imported on it). The server listens on Port 8443 only.

Is it required to configure server SSL profile here? If yes, can I use the default serverssl profile.

Please advise.

Regards,

Dayesh

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Yes in this case you need a: - client ssl - server ssl

Yes you can use serverssl defaul porfile, I advise you to use "serverssl-insecure-compatible" for server ssl profile. And of course is required in your case.

Just keep in mind that serverssl-insecure-compatible profile types to allow negotiation of weak Secure Sockets Layer (SSL) ciphers for a BIG-IP virtual server. The cipher lists for the clientssl-insecure-compatible profile include some deprecated ciphers, such as DES-CBC-SHA and all MD5 cipher suites. It will allow you to negotiate with your backend even if it use depreciate cipher or use bade cert (not signed by trusted CA, ...)

regards.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If the backend server is listening to HTTPS at port 8443, you need a serverssl profile. I always start with the serverssl-insecure-compatible profile, just to confirm it is working. Then replace the profile with a more secure profile.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You must ask these questions :

does the client side connection requires ssl?

If yes, assign a client ssl profile

does the server side connection requires ssl?

If yes, assign a server ssl profile

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thank you all.

I will test the flow and get back with my observations.

Regards,

Dayesh

0