Below is the flow:
Client ----HTTPS (443)--->LTM ----> HTTPS (8443)
A customer requires LTM to do the SSL offloading to achieve this; however, I have configured a client SSL profile (with certs/keys imported on it). The server listens on port 8443 only.
Is it required to configure a server SSL profile here? If yes, can I use the default serverssl profile?
Yes, in this case you need:
- client ssl
- server ssl
Yes, you can use the serverssl default profile. I advise you to use "serverssl-insecure-compatible" for the server SSL profile. And of course it is required in your case.
Just keep in mind that the serverssl-insecure-compatible profile type allows negotiation of weak Secure Sockets Layer (SSL) ciphers for a BIG-IP virtual server. The cipher lists for the clientssl-insecure-compatible profile include some deprecated ciphers, such as DES-CBC-SHA and all MD5 cipher suites. It will allow you to negotiate with your backend even if it uses a deprecated cipher or uses a bad cert (not signed by a trusted CA, ...).
If the backend server is listening to HTTPS at port 8443, you need a serverssl profile. I always start with the serverssl-insecure-compatible profile, just to confirm it is working. Then replace the profile with a more secure profile.
You must ask these questions:
Does the client-side connection require SSL?
If yes, assign a client SSL profile.
Does the server-side connection require SSL?
If yes, assign a server SSL profile.
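Added example (not part of the original thread): a Python check to run against the backend on port 8443 before replacing serverssl-insecure-compatible with a more secure profile, as suggested above. The function names, the weak-cipher tokens beyond DES-CBC-SHA and MD5, and the sample values are assumptions made for this example.

```python
import re
import socket
import ssl

# DES-CBC-SHA and MD5 are the weak suites named in the thread; RC4, NULL,
# EXPORT and anonymous DH are assumptions added here as widely deprecated.
# "DES" also matches 3DES names such as DES-CBC3-SHA.
WEAK_TOKENS = {"DES", "MD5", "RC4", "NULL", "EXP", "ADH", "AECDH"}
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def is_weak_cipher(name):
    """True if an OpenSSL-style suite name contains a deprecated primitive."""
    return bool(WEAK_TOKENS & set(re.split(r"[-_]", name.upper())))


def assess(protocol, cipher, cert_trusted):
    """Findings to clear before swapping in a stricter server SSL profile."""
    findings = []
    if protocol in OLD_PROTOCOLS:
        findings.append(f"old protocol {protocol}")
    if is_weak_cipher(cipher):
        findings.append(f"weak cipher {cipher}")
    if not cert_trusted:
        findings.append("certificate not verified against the CA bundle")
    return findings


def probe(host, port=8443, cafile=None, timeout=5):
    """Handshake once without verification, once against cafile, then assess."""
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            protocol, cipher = tls.version(), tls.cipher()[0]
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                trusted = True
    except ssl.SSLCertVerificationError:
        trusted = False
    return assess(protocol, cipher, trusted)


if __name__ == "__main__":
    # Constructed sample results, so this runs without a backend.
    print(assess("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", True))
    print(assess("TLSv1", "DES-CBC-SHA", False))
```

An empty list from `probe` means the backend negotiated a current protocol and cipher and presented a certificate that validates against the CA bundle. If the first handshake in `probe` fails outright on a modern OpenSSL build, that usually means the backend only offers protocols or ciphers the client no longer accepts.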
Thank you all.
I will test the flow and get back with my observations.