Forum Discussion
Michaelyang
Cirrostratus
CirrostratusClient vs Server SSL profile
Hello, Here's my structure client side - [client ssl profile ] - big-ip - [server ssl profile ] - server side If the server has its own certificate and key, do the F5 client SSL profile and s...
Hi Michaelyang ,
As Amine_Kadimi , its mandatory to implement client and server side ssl profile.
> Regarding Client side :- you must install a valid signed certificate from CA and its relevant key.
- In Full Proxy architecture mode , you need to add client ssl profile " attached to it ( Valid signed Digital Certificate , and Key ) "
- then , assign this profile to your virtual server.
- that’s For ssl termination and Traffic Decryption on F5.
>regarding Servers side :
- F5 able to initiate a secure connection again with servers by using the default server side ssl profile "serverssl" , it is sufficient for that as long you do not want to put restrictions on specific Cipher suites or Authenticate by using certificate in this case you need to create a custom server ssl profile and change some configuration on this profile depending on your requirements.
- So it is not mandatory to put the server certificate on servers side ssl profile , as the default profile can accept "any" and Re-encrypt traffic again as well.- Assigning servers ssl profile means that you want F5 it self to act as a ssl client to backend servers.
Regards.
Hi Michaelyang ,
As Amine_Kadimi , its mandatory to implement client and server side ssl profile.
> Regarding Client side :
- you must install a valid signed certificate from CA and its relevant key.
- In Full Proxy architecture mode , you need to add client ssl profile " attached to it ( Valid signed Digital Certificate , and Key ) "
- then , assign this profile to your virtual server.
- that’s For ssl termination and Traffic Decryption on F5.
>regarding Servers side :
- F5 able to initiate a secure connection again with servers by using the default server side ssl profile "serverssl" , it is sufficient for that as long you do not want to put restrictions on specific Cipher suites or Authenticate by using certificate in this case you need to create a custom server ssl profile and change some configuration on this profile depending on your requirements.
- So it is not mandatory to put the server certificate on servers side ssl profile , as the default profile can accept "any" and Re-encrypt traffic again as well.
- Assigning servers ssl profile means that you want F5 it self to act as a ssl client to backend servers.
Regards.