Forum Discussion

PJ_72486
Nov 16, 2009

Protecting SAP Web Dispatcher with F5 ASM

I am working with a customer to insert an F5 ASM in front of their SAP Web Dispatcher. The ASM is terminating SSL via a client SSL profile, and then re-encrypts traffic back to the SAP Web Dispatcher via a generic Server SSL profile. The SAP Web Dispatcher in turn terminates the SSL connection established by the F5 ASM. This is, however, not working. I see the establishment of the TCP connection via TCP/443 for both health monitors and client connections. The client connections get a Reset, though, right after the handshake completes. In summary: 1) SYN, 2) SYN ACK, 3) ACK, 4) Client sends SSL Continuation Data, 5) Web Dispatcher ACKs the packet, 6) Web Dispatcher sends a RST, ACK, 7) Error in browser results.

All the documentation regarding SAP and F5 certifications, setup, etc. indicates that the F5 replaces the SAP Web Dispatcher, and nothing mentions integrating the F5 ASM into an environment that includes the Web Dispatcher. Has anyone set up an F5 ASM in front of an SAP Web Dispatcher?

Thanks.

4 Replies

  • Hi PJ,

    Whenever there are issues in the initial implementation of a VIP with ASM, I'd suggest removing the HTTP class with ASM enabled from the VIP and making sure the load balancing is working first. Once that is confirmed, you can add ASM and ensure you're only troubleshooting one issue at a time.

    Can you remove the HTTP class from the VIP and retest?

    Aaron

  • Aaron,

    Thanks for your response. I did try that, but it did not help. As it turns out, the back end Web Dispatcher is now listening on a non-encrypted port and all is working now. I still do wonder if terminating SSL on the front end and establishing SSL on the back end (to the Web Dispatcher) is supported.
  • We also face the same problem. We have deployed an SSL certificate on the F5, and two Web Dispatchers are behind it. They are running on an unsecured port. It works fine if we deploy SSL on the Web Dispatcher. Did anyone have a solution?

    Thanks
  • Nojan_Moshiri_4
    Historic F5 Account
    Sandip, am I understanding your issue correctly? In the earlier post in this thread, the issue was that SSL re-encrypt was not working. If I understand your issue, you would like to only encrypt on the F5.

    Are you also using ASM, or are you using LTM? Do you have a server SSL profile and a client SSL profile? Also, are you using the HTTP profile?

    Can you run a tcpdump on the Web Dispatcher and see what the connection looks like?