Forum Discussion

draco_184361
Feb 14, 2016

SSL offloading

Can anyone explain the SSL offloading elements of F5? So there is a client-side SSL profile and a server-side SSL profile. So the SSL client request will be terminated on the F5 if the client SSL profile is used; the F5 decrypts the session on behalf of the web server. I understood that, but then what is the SSL server profile? It's said that it re-encrypts the session, so it isn't doing any SSL offloading as such, right? Is it an extra layer of security?

Also, if we are using the SSL profiles, we create a virtual server on port 443. What port should the web service be running on? HTTP?

If the SSL server profile is used, can the pool members be on port 443?

8 Replies

  • If you consider that client SSL allows the F5 to be the server side of the SSL session, from the client to the F5, then a server SSL profile allows the F5 to be the client-side element of the SSL session between the F5 and the backend server. To apply a server SSL profile means that traffic will be encrypted between the F5 and the server. Your servers would then need to expect SSL and very likely need to be listening on port 443.

  • Your conclusions about the client-side SSL profile are correct. I'm only adding that when you map a server-side SSL profile to your Virtual Server, F5 (re)encrypts the traffic flow before sending the request to the end-server. It's an extra layer of security indeed. In some business sectors and jurisdictions, regulatory requirements oblige customers to encrypt the entire traffic flow from end-server to end-customer. In such cases, you have no choice. In all other cases it's up to you. What do you value more - performance and ease of management, or additional security?

    Your questions:

    Also, if we are using the SSL profiles, we create a virtual server on port 443. What port should the web service be running on? HTTP?

    If the SSL server profile is used, can the pool members be on port 443?

    1. If you do not want to encrypt the traffic flow between BIG-IP and end-server, but do want to do so for the traffic between BIG-IP and end-customer, you can use port TCP 443 for your Virtual Server listener and port TCP 80 (or 8080, or any other standard non-SSL HTTP port) for your Pool Members.
    2. If you want SSL between BIG-IP and end-server as well as between BIG-IP and end-customer, you should use TCP 443 for the Virtual Server listener and port 443 (or 8443, or any other standard SSL-enabled HTTP port) for your Pool Members.
  • Hi Hannes,

    If we want SSL between BIG-IP and the end-server as well as between BIG-IP and the end-customer, then we need to use both a client-SSL profile and a server-SSL profile, right?

    • Hannes_Rapp
      Right. You can use the default server-side SSL profile. However, the client-side SSL profile should be a custom one, in which you specify the signed cert, the private key and the CA (of the intermediary who signed your cert).
  • draco
    Thanks a lot for replying so fast, Kevin and Hannes. One more query: I have a scenario where the server is hosted on IIS on port 443. So, according to what you all said, I'll be SSL offloading with the client SSL profile, and since the server is on 443, I'll include the server SSL profile too, right? Thank you once again.
  • Yes, both, or alternatively neither of them. If you assign neither a clientSSL nor a serverSSL profile, you will have what is called an SSL-passthrough setup. That way the F5 does not interfere - it could be an option if you just want to route the traffic through. Generally, I do not recommend SSL-passthrough due to the lack of control (no advanced persistence methods, no possibility to overwrite headers, no possibility to inspect packet/request contents in general).
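The two layouts Hannes describes earlier (offload to TCP 80, re-encrypt to TCP 443) and the passthrough layout from the reply above, written out as tmsh commands; this is an added example, not configuration from anyone in the thread. Object names, addresses, ports, certificate file names and the custom app_serverssl profile are assumptions.

```tmsh
# Added example (not from the thread). Run from the BIG-IP advanced shell; all
# names, addresses, ports and file names are assumptions for illustration.

# Client-side SSL profile: the BIG-IP terminates TLS from the browser, so it
# needs the server certificate, its private key and the intermediate chain.
tmsh create ltm profile client-ssl app_clientssl cert app.crt key app.key chain intermediate.crt

# 1) SSL offload: TLS on the front, plain HTTP to pool members on TCP 80.
tmsh create ltm pool app_pool_http members add { 10.0.0.11:80 10.0.0.12:80 } monitor http
tmsh create ltm virtual app_vs_offload destination 192.0.2.10:443 ip-protocol tcp \
    profiles add { tcp http app_clientssl } pool app_pool_http \
    source-address-translation { type automap }

# 2) SSL re-encryption: decrypt on the BIG-IP (so HTTP inspection, header
#    rewriting and cookie persistence still work), then re-encrypt to pool
#    members on TCP 443. The built-in "serverssl" profile gives an encrypted
#    hop, but by default it does not verify the pool member's certificate; the
#    custom profile below turns that verification on against an internal CA
#    bundle (assumed file name).
tmsh create ltm profile server-ssl app_serverssl defaults-from serverssl \
    peer-cert-mode require ca-file internal-ca.crt
tmsh create ltm pool app_pool_https members add { 10.0.0.11:443 10.0.0.12:443 } monitor https
tmsh create ltm virtual app_vs_reencrypt destination 192.0.2.11:443 ip-protocol tcp \
    profiles add { tcp http app_clientssl app_serverssl } pool app_pool_https \
    source-address-translation { type automap }

# 3) SSL passthrough: no client-ssl and no server-ssl profile, so the BIG-IP
#    only forwards the encrypted TCP stream. No http profile is attached here
#    because the payload is never decrypted, which is exactly the loss of
#    control (persistence, header rewriting, inspection) described above.
tmsh create ltm virtual app_vs_passthrough destination 192.0.2.12:443 ip-protocol tcp \
    profiles add { tcp } pool app_pool_https \
    source-address-translation { type automap }

# Review the resulting objects before saving the running configuration.
tmsh list ltm virtual app_vs_offload
tmsh list ltm virtual app_vs_reencrypt
tmsh list ltm virtual app_vs_passthrough
tmsh save sys config
```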
  • draco
    Thanks a lot, Hannes, for your reply. Is SSL passthrough done using a Standard virtual server type?