Forum Discussion

vvskaladhar_488's avatar
vvskaladhar_488
Icon for Nimbostratus rankNimbostratus
Oct 29, 2013

Cookie persistency on https port

Hi All,

 

Can you please let me know if we can bind the cookie persistency on the VIP running with Https port ? can you please let me know if it will work with out issues ?

 

availability
design
TMSH

3 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 29, 2013

    It will only work if you also offload SSL at the VIP (apply a client SSL profile). The cookie persistence profile requires access to the clear text, unencrypted HTTP traffic.

     

  • vvskaladhar_488's avatar
    vvskaladhar_488
    Icon for Nimbostratus rankNimbostratus
    Oct 29, 2013

    Hi Kevin,

     

    Thanks a lot for quick help. do you mean in the VIP i need to go to advanced and in SSL Profile (Client) and make the client ssl to selected ? before i enable cookie persistency on https VIP ?

     

    I can see there is default client ssl which comes along with F5 .

     

    waiting for your reply.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 30, 2013

    Yes, any client SSL profile applied to the VIP will provide SSL offload. This is the profile that you select in the "SSL Profile (Client)" section. Keep in mind a few things:

     

    1. Once SSL is offloaded with the client SSL profile, the traffic is unencrypted. You can send that directly to your server pool on port 80 HTTP, or if necessary you can re-encrypt with a server SSL profile.

       

    2. The client SSL profile is now the SSL server to the client. You'll want to export the application server's certificate and private key to the F5 and use those in a new client SSL profile. The built-in clientssl profile has a generic localhost.localdomain server certificate that will cause browsers to throw up a security warning.