Forum Discussion

phillip-Newbie's avatar
phillip-Newbie
Icon for Nimbostratus rankNimbostratus
May 13, 2021

Big-IP and reserved SSL port numbers

Hello,

We have Big-IP and an application that currently uses a reserved port (for example 4799) for Client-server communication.

What options do we have from a Big-IP perspective.

Is Big-IP "pass through" the only option or is there any suggestions or previous documents / discussion that I could research?

 

Could I get BIG-IP to decrypt/encrypt the communication between the client and F5 and forward the communication on to the server using a different port number (ie, 799) in decrypted form?

 

 The steps that I think need to happen are as follows :-

1) Import the SSL Certificate and Key & Configure the SSL Profile

2) Create / Configure the Server Pool with an address / service port / Round Robin 

3) Create a virtual server with a service port and add the SSL Profile with destination address and service port

 

I am new to Big-IP and I have a lot to learn :-)

Thanks in advance for anyone giving me a direction to look at !

  • Hi,

    Configuring SSL Offloading, SSL Bridging or SSL Pass-through depends on your requirement and type of design. To know more about these modes, you can check below article.

     

    https://support.f5.com/csp/article/K65271370

     

    Now coming to your question. Lets say, you want your application on secured port 443 from Internet and you have your application running on port 799 with no encryption.

     

    In this case, you will need only client SSL profile to be mapped on the virtual server i.e. SSL Offloading. In this case, client request to F5 comes as encrypted. Then F5 decrypts that traffic and send plain traffic to backend pool member.

     

    In any case, if you want to have encrypted traffic on both client-to-F5 as well as F5-Backend_Server, in this case, you would need to have client ssl as well as server ssl profile on the virtual server.

     

    You need to have proper certificates and key configured under SSL profiles.

     

    Hope it helps!

    Mayur