Forum Discussion
dcampbell791
Nimbostratus
Dec 06, 2017
F5 iRule redirect with an SSL Pass-Through VIP
Got a question regarding F5 and SSL passthrough. I think what is being asked is not possible, but I wanted to ask the DevCentral experts.
Client is wanting to put a CITRIX Netscaler behind the ...
Kai_Wilke
MVP
Jan 26, 2018
Hi dcampbell79,
basically you have different options to handle SSL traffic...
SSL Termination = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side SSL -> Server
SSL Offload = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side HTTP -> Server
TCP Forward = Client -> Client Side SSL -> F5 (is not able to inspect SSL) -> Client Side SSL -> Server
SSL Proxy = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Client Side SSL -> Server
So configuring the SSL Proxy on your F5 would allow you to inspect the SSL session and also redirect the client without terminating and reestablishing the SSL session between your clients and Netscalers (e.g. required for SSL certificate authentication).
https://support.f5.com/csp/article/K13385
Note: But keep in mind that this mode does not work with modern DHE or ECDHE cipher suites...
Cheers, Kai
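An added example, not part of the reply above and not F5 code: a check of which cipher suites a backend offers that would still work with the SSL Proxy mode, given the DHE/ECDHE limitation noted in the reply. It parses text in the `openssl ciphers -v` output format; the sample list and the function names are constructed for illustration, and treating only `Kx=RSA` as usable is an assumption based on that note.

```python
# Constructed sample in the format printed by `openssl ciphers -v`;
# not captured from any real device.
SAMPLE = """\
TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256            TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
"""


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        # Columns after name and protocol are KEY=VALUE (Kx, Au, Enc, Mac).
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "protocol": parts[1], **fields})
    return suites


def split_for_proxy_ssl(suites):
    """Return (usable, not_usable) suite names for the SSL Proxy mode.

    Assumption: only static RSA key exchange (Kx=RSA) is usable, per the
    note above. Kx=DH and Kx=ECDH are ephemeral exchanges, and TLS 1.3
    (Kx=any) always uses an ephemeral exchange, so all three are rejected.
    """
    usable, not_usable = [], []
    for s in suites:
        target = usable if s.get("Kx") == "RSA" else not_usable
        target.append(s["name"])
    return usable, not_usable


if __name__ == "__main__":
    ok, blocked = split_for_proxy_ssl(parse_ciphers(SAMPLE))
    print("usable with SSL Proxy:", ", ".join(ok))
    print("not usable with SSL Proxy:", ", ".join(blocked))
```

If the second list contains every suite the clients are expected to negotiate, the inspection and redirect described above will not be available for them.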