NimbostratusSSL decryption for IPS on REVERSE proxy
Hi,
We have been trying to get our IPS solution installed so that the Big-IP decrypts, sends to IPS, then re-encrypts before sending the packet on to it's destination.
It is on a Big-IP Reverse Proxy. All of the deployment guides only address Proxy SSL (FORWARD proxying). I understand that the difference between Reverse and Forward are significant enough that the deployment guides for Forward will not work.
The problem is that the site becomes very slow once we enable the decryption/redirection. We also see some SSL traffic on the private VLANs between the IPS and the Big-IP. This should never happen if the iRule is working properly.
The flow is from the Internet is:
Internet > Firewall > F5 1 > load balanced IPS > F5 1 > destination
Here is the iRule we are using:
when CLIENT_ACCEPTED {
perform operation on percentage of traffic
set percent [class lookup percent vip_presets]
if { rand() < $percent } {
SSL::disable serverside
log local0. "SSL disabled serverside and random selected"
get the name of the default pool and store in a variable
set app_pool [LB::server pool]
log local0. "app_pool set to $app_pool"
check for active members of the security device pool
if { [active_members IPS_Pool] > 0 } {
get load balanced L3 service
pool IPS_Pool
set L3 [lindex [split [LB::select]] 3]
log local0. "HTTPS IPS sensor selected is $L3"
use snat none if snat is enabled in VS config but
needs to be disabled for routing through security devices
snat none
} else {
inline service failed - go direct to app pool
log local0. "L3 IPS service down"
SSL::enable serverside
log local0. "ssl enabled serverside"
snat as required
snat automap
}
re-select the app pool
pool $app_pool
log local0. "HTTPS pool is $app_pool"
} else {
log local0. "HTTPS not redirected"
}
}
when LB_SELECTED {
if { [info exists L3] } {
nexthop through L3 service
LB::reselect nexthop ${L3}
log local0. "routing through IPS - HTTPS LB reselected $L3"
}
}
Any ideas, suggestions, or things to try are greatly appreciated!
