Forum Discussion

Alain_Morin_147's avatar
Alain_Morin_147
Icon for Nimbostratus rankNimbostratus

My understanding is that in a reverse-proxy scenario, the "verint.ext.videotron.com" certificate would be located on both backend servers (snverapp1 & snverapp3) servers. This is not possible because on the applications residing on those backend servers. So, in my case, the BIG-IP must hold the "verint.ext.videotron.com" certificate and load balance traffic between the 2 backend servers using SSL. This is why my perception is that I should use forward proxy. This is why I applied the "SSL forward proxy client and server authentication" procedure and I don't understand why it is not working. The difference I noticed between the 11.3.0 and 11.5.0 reside in the "Server SSL forward profile" section. Using Google Chrome, I have a more verbose response where the error shows: Error type : Malformed certificate Object : snverapp3.ext.videotron.com Issuer : testverint.ext.videotron.com

 

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
Mar 18, 2014
Forward proxy behavior is fundamentally different than reverse proxy. In reverse proxy mode, the LTM is presenting the client with the web server's certificate and acting on behalf of the server. In forward proxy mode, the LTM is acting on behalf of the client by fetching content and returning to the client. Both Kevin and I agree you should be setup in a reverse proxy mode. Can you try reconfiguring your SSL profiles as I have indicated in a previous post and see if that works?