Forum Discussion
InquisitiveMai Would you be able to provide a connectivity flow diagram as well as an example of what type of communication is occurring? I'm just not seeing why F5A would even need to be involved in the communication flow other than to forward traffic on to F5B like it does any other communication. Typically on F5A you have a forwarding VS that will route any traffic other than all the other VS to the destination. So clientA, which is a node behind F5A, would initiate an SSL connection to a VS on F5B, which is encrypted after the SSL handshake, and then F5B will balance that communication to pool members in the pool that is associated with the VS on F5B, which would be an encrypted connection from end to end without involving F5A other than forwarding traffic like it would for any other routed traffic passing through it.
- InquisitiveMai (Cirrostratus)
I am just trying to see if there is anything we could do to use the VIP IP address or a single IP address for client connections, similar to home internet NAT. Just a thought to see if there is any way we can reduce updating the cert on multiple clients. Also, using the same IP to reduce the number of firewall rules when different clients (which may be a node behind an F5) try to talk to another VIP on a different F5.
InquisitiveMai You should be able to do something similar to what's in the following link and apply it to the forwarding virtual server.
https://community.f5.com/t5/technical-forum/irule-snat-based-on-destination-ip-address/td-p/133444
- zamroni777 (Nacreous)
1. Create an HTTPS virtual server on F5_B (assign a client SSL profile)
2. Assign an SSL server profile to the virtual server of F5_A