Forum Discussion
F5 iRule redirect with an SSL Pass-Through VIP
Got a question regarding F5 and SSL passthrough. I think what is being asked is not possible, but I wanted to ask the DevCentral experts.
Client is wanting to put a CITRIX Netscaler behind the F5 LTM with their own SSL cert. They would like the LTM to use SSL Passthrough to the Netscaler while also using an HTTP header redirect to the URI /vpn/index.html
My understanding is that if we are using an SSL passthrough we can't modify the HTTP header, thus rendering the URI redirect iRule useless. Is there a way around this or is this just not possible?
Thanks in Advance
- Faruk_AYDIN
Nimbostratus
Hi Guy,
Hi dcampbell79,
basically you have different options to handle SSL traffic...
SSL Termination = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side SSL -> Server
SSL Offload = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side HTTP -> Server
TCP Forward = Client -> Client Side SSL -> F5 (is not able to inspect SSL) -> Client Side SSL -> Server
SSL Proxy = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Client Side SSL -> Server
So configuring the SSL Proxy on your F5 would allow you to inspect the SSL session and also redirect the client without terminating and reestablishing the SSL session between your clients and Netscalers (e.g. required for SSL certificate authentication).
https://support.f5.com/csp/article/K13385
Note: But keep in mind, that this mode does not work with modern DHE or ECDHE cipher suites...
Cheers, Kai
- Ilian_Ivanov
Nimbostratus
You are right. There is no workaround. In order to modify any parts of HTTP traffic you will need at least a client SSL profile.
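Why the "TCP Forward" (pass-through) mode in the list above cannot act on the URI, shown as an added example that is not from the thread or from F5: the Python below walks the TLS records of a simplified, constructed client-to-server byte stream and reports what a device without the keys can read. The hostname `vpn.example.test`, the function names, and the sample bytes are assumptions made for the illustration.

```python
import os
import struct

def build_client_hello(sni, suites=(0xC02F, 0x002F)):
    """Constructed sample: minimal TLS 1.2 ClientHello record carrying SNI."""
    name = sni.encode("ascii")
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"             # version, random, no session id
            + struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)  # null compression, extensions
    return struct.pack("!BHHB", 22, 0x0301, len(body) + 4, 1) + len(body).to_bytes(3, "big") + body

def parse_client_hello(record):
    """Return (sni, cipher_suites) from one TLS record holding a ClientHello."""
    body = record[9:]                        # skip record header (5) + handshake header (4)
    pos = 2 + 32                             # client_version + random
    pos += 1 + body[pos]                     # session_id
    (n,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from(f"!{n // 2}H", body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                     # compression methods
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos, end, sni = pos + 2, pos + 2 + ext_total, None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        if etype == 0:                       # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack_from("!H", body, pos + 7)
            sni = body[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + elen
    return sni, suites

def passthrough_view(stream):
    """List what a pass-through (TCP forward) device can read from client-to-server bytes."""
    view, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        record = stream[pos:pos + 5 + rlen]
        if ctype == 22 and record[5:6] == b"\x01":   # ClientHello: sent in cleartext
            view.append(("client_hello", parse_client_hello(record)))
        elif ctype == 23:                            # application data: ciphertext only
            view.append(("application_data", rlen))
        pos += 5 + rlen                              # other record types are skipped
    return view

def sample_stream():
    # Constructed: ClientHello, then 80 random bytes standing in for the encrypted GET.
    return build_client_hello("vpn.example.test") + struct.pack("!BHH", 23, 0x0303, 80) + os.urandom(80)

if __name__ == "__main__":
    print(passthrough_view(sample_stream()))
```

The server name and offered cipher suites are readable, but the HTTP request appears only as an opaque record length, so there is no URI or header for an iRule to match or rewrite.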