F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

dcampbell791's avatar
dcampbell791
Icon for Nimbostratus rankNimbostratus
Dec 06, 2017

F5 iRule redirect with an SSL Pass-Through VIP

Got a question regarding F5 and SSL passthrough. I think what is being asked is not possible, but I wanted to ask the devcentral experts.   Client it wanting to put a CITRIX Netscaler behind the ...
application delivery
BIG-IP
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 26, 2018

Hi dcampbell79,

basically you have different options to handle SSL traffic...

SSL Termination = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side SSL -> Server)
SSL Offload     = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side HTTP -> Server)
TCP Forward     = Client -> Client Side SSL -> F5 (is not able to inspect SSL) -> Client Side SSL -> Server)
SSL Proxy       = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Client Side SSL -> Server)

So configuring the SSL Proxy on your F5 would allow you to inspect the SSL Session and also Redirect the client without terminating and reestablishing the SSL session between your clients and netscalers (e.g. required for SSL certificate authentification).

https://support.f5.com/csp/article/K13385

Note: But keep in mind, that this mode does not work with modern DHE or ECDHE cipher suites...

Cheers, Kai