Forum Discussion

Steve_W_85246's avatar
Steve_W_85246
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

SSL termination / no SSL termination

So, reading another post here.. In order to terminate SSL, my 443 VIP needs to have an HTTP profile, and a client certificate. Ok.. I understand all that.. I do that currently.

 

I have a need now for a 443 VIP to not terminate SSL, so my VIP does not have the HTTP profile, and does not have a client certificate attached. I get to my requested pool fine. But here is the problem.. I need to do some HTTP redirection, other HTTP functions as well.. so I need the HTTP profile to be added. When I add the HTTP profile to this VIP, my connection just spins/hangs.. Is it possible to have a non SSL terminating VIP with an HTTP profile and make it work? Or is the kicker adding the HTTP profile - and my SSL is being terminated then?

 

application delivery
availability
design
LTM
microsoft

8 Replies

Sort By
  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Apr 17, 2014

    In order to have HTTP controls, the BIG-IP needs to be able to see the HTTP traffic. Not possible without stripping off the SSL. The client SSL profile is what terminates the SSL. Assigning the HTTP profile is telling the BIG-IP to treat the traffic as HTTP.

     

  • Steve_W_85246's avatar
    Steve_W_85246
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2014

    Ok.. that makes sense... My 443 VIP is sending traffic to set of Microsoft WAP servers which at this stage can only accept 443 traffic. So adding an HTTP profile will then treat the traffic as HTTP which is what WAP cant take, therefore breaking the process. Well that answers my question.. not what I was hoping for, but it does answer it... Thanks for your quick response.. I appreciate it.

     

    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Apr 17, 2014
      Is the requirement that your WAP servers terminate the SSL? If so, you can configure and apply both a client and server SSL profile and attach to your virtual server, as well as an HTTP profile and you'll be able to have redirect controls.
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Apr 17, 2014

    Hi Steve, you'll need to use what we call SSL bridging. Apply the clientssl, serverssl, and http profiles to your VIP and BIG-IP will make an encrypted connection to your pool members. You can then do whatever layer 7 stuff you need to with iRules, etc.

     

    Mike

     

  • Steve_W_85246's avatar
    Steve_W_85246
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2014

    I tried that this morning during some of my troubleshooting.. I added a wildcard certificate as the client cert, and the default serverssl, and the http profile. It didnt spin as saw with just the http profile, but it still failed to reach the WAP servers.

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Apr 17, 2014

    Are the WAP servers doing any kind of authentication for the connecting client? If not, then it may be best to grab a packet capture between the BIG-IP and servers to see what may be happening.

     

  • Steve_W_85246's avatar
    Steve_W_85246
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2014

    No the WAPs are acting as another proxy, authentication is done in a following step via ADFS. Ok.. so the consensus is that it should be possible to do this? Its not impossible?

     

    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Apr 17, 2014
      It should definitely be doable, you'll just need to figure out exactly what is happening when you apply both the client and server SSL and HTTP profiles. That setup should work.