Forum Discussion

dcampbell791
Dec 06, 2017

F5 iRule redirect with an SSL Pass-Through VIP

Got a question regarding F5 and SSL passthrough. I think what is being asked is not possible, but I wanted to ask the DevCentral experts.

Client is wanting to put a CITRIX Netscaler behind the F5 LTM with their own SSL cert. They would like the LTM to use SSL passthrough to the Netscaler while also using an HTTP header redirect to the URI /vpn/index.html

My understanding is that if we are using SSL passthrough we can't modify the HTTP header, thus rendering the URI redirect iRule useless. Is there a way around this or is this just not possible?

Thanks in advance

3 Replies

  • Hi Guy,

    You cannot do anything in the HTTP header, including redirection, if you use SSL passthrough. That is it. If you want to redirect your users in LTM, you have to offload SSL.

  • Hi dcampbell79,

    Basically you have different options to handle SSL traffic...

    SSL Termination = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side SSL -> Server
    SSL Offload     = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side HTTP -> Server
    TCP Forward     = Client -> Client Side SSL -> F5 (is not able to inspect SSL) -> Client Side SSL -> Server
    SSL Proxy       = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Client Side SSL -> Server

    So configuring the SSL Proxy on your F5 would allow you to inspect the SSL session and also redirect the client without terminating and reestablishing the SSL session between your clients and netscalers (e.g. required for SSL certificate authentication).

    https://support.f5.com/csp/article/K13385

    Note: But keep in mind that this mode does not work with modern DHE or ECDHE cipher suites...

    Cheers, Kai

  • You are right. There is no workaround. In order to modify any parts of HTTP traffic you will need at least a client SSL profile.
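
The redirect the replies describe, written as an iRule for a virtual server that decrypts client traffic. This is an added example, not code from the thread; it assumes an HTTP profile and a client SSL profile are attached to the virtual server (plus a server SSL profile if traffic is re-encrypted toward the NetScaler), and the fallback to the VIP address is an illustrative choice.

```tcl
# Added example, not from the thread.
# Assumption: the virtual server has an HTTP profile and a client SSL
# profile, so the LTM sees decrypted requests. On a pass-through VIP
# the LTM only forwards ciphertext and HTTP_REQUEST never fires.
when HTTP_REQUEST {
    # Redirect only requests for the site root. Every other path,
    # including /vpn/index.html itself, is left untouched, which also
    # prevents a redirect loop.
    if { [HTTP::path] eq "/" } {
        # Reuse the Host header the client sent; fall back to the
        # address the client connected to when the header is absent.
        set host [HTTP::host]
        if { $host eq "" } {
            set host [IP::local_addr]
        }
        # HTTP::redirect answers with a 302 and a Location header.
        HTTP::redirect "https://$host/vpn/index.html"
    }
}
```

Because the LTM now terminates the client's TLS session, it needs a certificate and key for the published hostname in its client SSL profile.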