Forum Discussion

Fabou_139732
Apr 15, 2016

How to build a proxy-like setup using BIG-IP

Hi all,

I am looking for the best (simplest) way to implement the following:

Client --- HTTP ---> F5 VIP --- HTTPS ---> Single server on Internet

This looks really close to a proxy setup, except that the SSL session (HTTPS) only exists between the F5 and the server.

My first idea was to build a standard VIP with the default server-ssl profile and just put a single node in the pool (the internet node).

The following links give a solution the proxy way, but I don't feel this is really what I need:

https://devcentral.f5.com/questions/ltm-apm-as-a-web-proxy

https://devcentral.f5.com/wiki/irules.HTTP-Forward-Proxy-v3-2.ashx

https://devcentral.f5.com/wiki/iApp.Generic-Forward-Proxy-with-Websense-Filtering-iApp.ashx

Can you give any advice on the best way to achieve what I want?

Fabou
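
The "standard VIP with a server-ssl profile and a single pool member" idea from the question, sketched in tmsh as an added example that is not part of the original post or of F5's documentation. It assumes constructed addresses (192.0.2.10 for the virtual server, 203.0.113.20 for the Internet server), the hostname www.example.com, and hypothetical object names; it also shows why a certificate-verifying child profile is preferable to the built-in serverssl profile as-is.

```tmsh
# Constructed values: 192.0.2.10 (virtual address), 203.0.113.20 (Internet
# server), www.example.com (server hostname). Object names are hypothetical.

# Pool holding the single Internet server, reached on its HTTPS port.
create ltm pool pool_internet_https members add { 203.0.113.20:443 } monitor https

# Weak setting: attaching the built-in "serverssl" profile unchanged encrypts
# the server-side leg, but its default peer-cert-mode is "ignore", so the
# BIG-IP accepts any certificate the remote end presents.
#   profiles add { tcp http serverssl { context serverside } }

# Corrected setting: a child profile that requires a valid chain against the
# bundled CA list, checks the certificate name, and sends SNI.
create ltm profile server-ssl serverssl_internet_verified defaults-from serverssl peer-cert-mode require ca-file ca-bundle.crt authenticate-name www.example.com server-name www.example.com

# Virtual server: plain HTTP from the client, TLS only towards the server.
# SNAT automap so the Internet server's replies return through the BIG-IP.
create ltm virtual vs_http_to_https destination 192.0.2.10:80 ip-protocol tcp profiles add { tcp http serverssl_internet_verified { context serverside } } pool pool_internet_https source-address-translation { type automap }
```

The client-to-VIP leg stays cleartext HTTP in this design, so the virtual address should only be reachable from the network segment the clients sit on.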

 

2 Replies

  • Hi Fabou,

    You can configure the Big IP to be an explicit proxy and perform SSL inspection via LTM. This means that the client SSL terminates on the Big IP and an "airgap" is created between the SSL of the client and the end server, since the Big IP will create another SSL connection to the external site. I recommend, however, that you do this in conjunction with the SWG (Secure Web Gateway) URL DB so as not to inspect clients' private information (financial, health, etc.).

    F5 has thorough documentation on how to set this up here:

    https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf


    • Fabou_139732
      Thanks for your answer. I will keep this in mind. Also, please note that in my case client to F5 is HTTP, then I want F5 to servers to be HTTPS.