HTTPS Traffic Issue
Hi Everybody,
I require your attention. Please help me.
There is a request for the F5 LTM from the users.
++++++++++++++++++++++++++++++++++++++++++++++++++
1) DNS name and VIP for end user access to clustered test servers.
2) Load balancing using F5 to two test Servers (SRV1731.domain.net - 141.172.24.201 and SRV1732.domain.net - 141.172.24.202). This should be configured for sticky session.
3) SSL termination either on F5 or on test servers.
Backend URL addresses are :
+++++++++++++++++++++++++++++++++++++++++++++++++++
For Point 1, I took the URL "sailpointtest.domain.com" and mapped it in the DNS server to IP 141.172.69.12 (which is reserved for the VIP).
For SSL termination on BIG-IP LTM, I first created a CSR (Certificate Signing Request) and gave that CSR to our security team, who then provided me with the certificate signed by a CA.
I imported that certificate (Sailpoint1) into the key that was generated automatically while creating the CSR.
I made the following config on BIG-IP LTM:
==================================================================
VS Name - Sailpointtest
VIP - 141.172.69.12
Service Port : 443
HTTP Profile - http
SSL profile ( Client ) - sailpointtest_client_ssl
SSL profile ( server ) - None
Default Pool - sailpointtest_pool
Default persistence profile - dest_addr ( sticky )
=============================================
Pool : sailpointtest_pool
Health Monitor : http
Load Balancing Method : Round Robin
Pool members : 141.172.24.201:8080 , 141.172.24.202:8080
=============================================
SSL profile ( Client ) : sailpointtest_client_ssl
SSL Certificates : Sailpoint1
===================================================================
The health monitor marks the pool member up, and the Virtual Server is up as well.
When I enter the URL https://sailpointtest.group.upm.com in the browser, it keeps circling indefinitely without giving any page or error.
Please help me if I am doing anything wrong.
1) Please let me know if I need any iRule here. I don't think I need any. Please suggest.
2) Am I required to use a Client SSL Profile in order to decrypt the HTTPS traffic on the F5? What would happen if we don't have an iRule applied on the VS and we are not using a Client SSL Profile? Is it that the traffic will be forwarded by the F5 as such (https) to the actual server after the load balancing decision has been made by LTM, and the actual server needs to have the Certificate/Key to decrypt it?
3) Are we required to give the clients any Certificate/Key for this to work? I guess not.
4) One interesting thing that I observed is that connections are being made through the pool member when I hit the URL in the browser, IRRESPECTIVE OF WHETHER THE CLIENT SSL PROFILE IS APPLIED OR NOT.
Please help me solve the issue and answer my query.
Thanks in advance. Vijay Rai