Forum Discussion
10 Replies
- cjunior (Nacreous)
If I understand it right, just skip the SSL offload step.
- Colin_Rogers_17 (Historic F5 Account)
Actually, in this scenario you will want to let the BigIP do SSL offloading. The virtual server will listen on 443, client connects, we then make a load balancing decision after the handshake. From there we will then start a new SSL connection to the selected back end pool member on 8443. Two completely separate TCP conversations but it will be the most effective and straight forward.
- JPV_131616 (Cirrus)
Ensure you have a client and server ssl profile enabled on the VIP.
This is the most efficient way to do ssl all the way to the server from what I understand.
- Lazar_92526 (Nimbostratus)
You will need to setup SSL passthrough/tunneling. Setup a VIP with 443 as the default port. Do not select any SSL Profile (Client) or SSL Profile (Server) for the virtual server. Send the traffic to a pool of member servers with 8443 as the service port.
- spud_141786 (Nimbostratus)
"Most effective" can be many different things, depending on the objectives you need to achieve. That being said, since you specify "without the SSL termination happening on the BIGIP", you just need to configure a virtual server to listen on TCP port 443, and then configure the pool members with a service port of 8443. In the virtual server configuration there is no need to specify any SSL Profile; the F5 will simply load balance incoming connections on TCP port 443 to the pool members on service port 8443. This is often called SSL Tunneling because the SSL session is "tunneled" through the F5 device. Depending on requirements this may work just fine, but there are a few caveats:
- the F5 will not be able to see traffic inside the SSL session
- the F5 may not be able to effectively provide session persistence
If either of these caveats are cause for concern, then you may want to do SSL offload, meaning the F5 terminates the SSL session coming from the client and then optionally initiates a new SSL session towards the pool members.
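The two virtual server configurations described above (passthrough on 443 to pool members on 8443, and offload with re-encryption), as an added example in bigip.conf / tmsh `list` syntax. This is not configuration from the thread or from F5 documentation: the VIP addresses (192.0.2.x), pool member addresses (10.0.0.x), object names, and the use of the stock `clientssl`/`serverssl` profiles are assumptions for illustration, and the `#` comments are for the reader and should be stripped before merging.

```tmsh
# Added example (bigip.conf / tmsh "list" syntax), not from the thread.
# Addresses, names and profile choices are assumptions. The stock clientssl
# profile carries F5's default certificate; replace it with a profile that
# holds your own certificate and key before use.

# Pool of back-end servers listening for TLS on 8443. The 443 -> 8443
# translation happens because translate-port is enabled on the virtual
# server (the default), not because of anything in the SSL stream.
ltm pool app_pool_8443 {
    members {
        10.0.0.11:8443 {
            address 10.0.0.11
        }
        10.0.0.12:8443 {
            address 10.0.0.12
        }
    }
    monitor tcp
}

# 1) SSL passthrough / tunneling: no SSL profiles, so the BIG-IP sees only
#    the TCP stream. Persistence can key only on what is visible before
#    decryption: the SSL session ID ("ssl" persistence) or the source address.
#    TLS 1.3 clients send a fresh random legacy session ID on every connection,
#    so ssl persistence does not hold for them and source-address persistence
#    is the usual fallback. No HTTP profile, no cookie persistence, no ASM.
ltm virtual vs_passthrough_443 {
    destination 192.0.2.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool app_pool_8443
    persist {
        ssl {
            default yes
        }
    }
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

# 2) SSL offload + re-encryption: the client TLS session terminates on the
#    BIG-IP (clientssl, clientside context), the HTTP profile exposes headers
#    and cookies, and a new TLS session is opened to the pool member on 8443
#    (serverssl, serverside context). Cookie persistence, ASM policies and
#    iRules on HTTP events all become possible on this virtual server.
ltm virtual vs_offload_443 {
    destination 192.0.2.11:443
    ip-protocol tcp
    mask 255.255.255.255
    pool app_pool_8443
    persist {
        cookie {
            default yes
        }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```

Either fragment can be pasted into `tmsh load sys config merge from-terminal` (comments removed) and then checked with `tmsh list ltm virtual vs_passthrough_443` or `tmsh list ltm virtual vs_offload_443`. The only difference that matters for the question in the thread is the `profiles` stanza: with no `clientssl`/`serverssl` entries the BIG-IP never holds the private key and never decrypts, which is exactly why it also cannot inspect, persist on cookies, or apply ASM.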
- Lazar_92526 (Nimbostratus)
Also, remember that if you have ASM in play, tunneling/passthrough will not allow ASM to inspect and apply any security rule sets that may be set. So, as bdy stated, "most effective" needs to take your overall security controls and requirements into account as well.
- Colin_Rogers_17 (Historic F5 Account)
My apologies. For some reason I didn't see the part about the BigIP NOT offloading.
- Ron_Tazuma_7898 (Nimbostratus)
Thanks everyone! I think I will see if I need to do SSL Offloading if the passthrough/tunnel load balancing has too many session persistence or recovery issues. The main purpose is to use it for file transfers, so the large file sizes may take a long time to process, leaving the SSL session subject to disconnect-reconnect issues, i.e. recovery problems.
- Gajji (Cirrostratus)
Doesn't work for me, whatever was said here by all.
- Ahmed_Galal (Cirrostratus)
I didn't get what the problem is here. The destination port is not part of the SSL traffic, so F5 will do SSL passthrough, but you will face an issue if the backend server returns a redirection URL with its own port; then you will have to configure SSL offloading or inspection and configure an iRule to change the return traffic.