Forum Discussion

igorzhuk
Sep 22, 2018

F5 Forward Proxy VIP

Hi, I have a VIP that forwards internal clients to the Internet (F5 like a proxy).

I want to record SSL traffic (decrypt and encrypt SSL traffic).

When a client connects to a public web site that needs a client certificate, the request comes from outside.

For this to work, I need to do Proxy SSL (forward the client cert request to the internal client). In this case, what do I need to configure in the Client SSL profile and Server SSL profile?

The server side is an internal client that is going to the Internet; the client side is the Internet. I want to record SSL data also when using Proxy SSL.

 

1 Reply

  • You can't really do ProxySSL for outbound traffic. ProxySSL requires access to the server's private key, and in most cases you won't have a remote Internet server's private key. ProxySSL also only works with non-perfect-forward-secrecy ciphers (RSA only), which is getting much harder to accommodate.

    For outbound traffic, if you need to decrypt, you'd need to use SSL Forward Proxy. This is a function whereby you import a local CA certificate and private key to the F5, and that local CA re-issues (forges) remote server certificates to the local clients (that trust the local CA).

    As for outbound traffic that requires a client cert, you obviously cannot decrypt this. You can't even decrypt this with ProxySSL. However, in BIG-IP version 13.1, there's a client certificate detection option in SSL Forward Proxy that allows you to automatically bypass decryption when mutual auth is detected.

    And if you need to inspect the decrypted outbound traffic, I'd recommend looking at the SSL Orchestrator product, which provides all of this functionality for you.