Forum Discussion
Clone pools with end to end SSL
Good afternoon,
I am looking for a way to send unencrypted data to an IDS via a clone pool on a VIP that requires end to end encryption.
I've configured a test virtual server with client and server side SSL profiles.
I've tested with the clone pool configured on the virtual server on the serverside and clientside contexts. Both show the SSL handshake and then the payload is encrypted.
I've also tested using the HTTP_REQUEST event in an iRule and it shows me just the serverside encrypted traffic.
ltm virtual test-active-active-https {
    destination 172.31.11.8:https
    ip-protocol tcp
    mask 255.255.255.255
    pool test-active-active-https
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        cloning-fun
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 6
}
ltm rule cloning-fun {
    when HTTP_REQUEST {
        clone pool clone-pool
        pool test-active-active-https
    }
}
Thoughts? Can it be done without leaving the serverside unencrypted?
Thanks!
-C
4 Replies
- Kevin_K_51432
Historic F5 Account
Greetings, There's a post that seems to speak to this question. The intro says "it's very easy to implement", but it does use route domains and vlan groups. Both of those features usually require some additional considerations and planning.
Kevin
- JRahm
Admin
There is an iApp that has a lot of options, one of which covers clone pools. You can read about it here and grab the iApp and deployment guide.
- Charles_Lamb
Nimbostratus
Thanks Kevin. Using multiple route domains worked in my testing.
Hi Jason. This is my first time playing with iApps so I may be missing out on something. Quickly going over the docs it sounds like the security device needs to be in line and standing up a connection to the egress VIP. Am I understanding this correctly?
- JRahm
Admin
Inline is one potential mode, but there is a receive-only mode as well that takes advantage of clone pools.