Forum Discussion
Mike12345
Nimbostratus
NimbostratusF5 LTM SSL Bridging - send decrypted traffic to clone pool
Hi, I'm trying to lab a scenario I was asked about at work. Whether it is possible to send decrypted TLS/SSL traffic to an IDS through the clone pool. I have seen an overview stating this is possibl...
Very simply, in the proxy "HUD" chain, a clone pool sits at layer 2, whereas TLS decryption happens at layer 6. In other words, you're seeing encrypted traffic at the clone pool because decryption hasn't happened yet.
To get decrypted traffic to a clone pool you have to get past layer 6. If you're not re-encrypting to the server, you can put the clone on the server side of the proxy. If you are re-encrypting to the backend, then you'd need a VIP-target solution:
client-side VIP --> (vip target) --> server-side VIP
The client-side VIP has a client SSL profile and an iRule that VIP targets to the server-side VIP that has the server SSL profile. You can then put your clone pool on the server side (inside) of the client-side VIP, or client side (inside) of the server-side VIP.
Mike12345Nimbostratus
NimbostratusSo essentially the cloe ports pick up the traffic too early i the service process. eg prior to using i-rules for traffic manipulation.
To use clone pools to view plain HTTP traffic two sets of services are needed
two services "SSLO Offload" (decrypt) and "SSL Onload" (encrypt) and place the clone pool on the server side of the first service.
Kevin_Stewart
Employee
EmployeeYes, or client side of second VIP.
I'd also comment that SSL Orchestrator will also do this for you automatically, and also enable a policy to dynamically control decryption and traffic steering.
- Mike12345
Thanks for your steer in the right direction.
I got this working in the lab using the VIP target solution. We have a POC, so hopefully will be in touch.