
Forum Discussion

Marco_Castro_11
Apr 11, 2014

Firepass with LTM without SSL offload

Hi, I would like to configure an HTTPS Virtual Server on BIG-IP LTM (11.4.1 HF2) for Firepass, but without SSL offloading. I have to configure the server SSL profile with serverssl-insecure-compatible to get the Firepass page to display. Any ideas why I have to configure it like that and can't configure sslserver? Do I need to configure something on Firepass? Does anyone have this configuration (Firepass + LTM) implemented without any kind of limitations or problems?


Regards, MC


5 Replies

  • If you don't want to do SSL offloading, then you don't need to use any ssl profiles at all. You can just create a virtual server of type FastL4. You probably want source IP persistence to maintain a client IP's persistence to a specific firepass.


  • Hi, but this VS is also for APM, so I need an SSL profile.

    I'm migrating Firepass to APM, so I would like to have the same VS during the transition phase: if the user types https://hostname it goes to Firepass, but if they type https://hostname/uri1 or https://hostname/uri2 .... it goes to APM. But I'm having difficulties in sending traffic to Firepass.

    Regards, MC

     

  • You cannot see the host name or URI without terminating the SSL. Well, technically you could see the host name in the Server Name Indicator of the CLIENTHELLO message if the client was TLS-capable, but that's probably not an answer here. You may simply need to terminate the SSL, inspect the URI, and then redirect to the other device using a different name. Or, you could put an LTM virtual server in front of both APM and FirePass, terminate the SSL there, and then forward the traffic to the external Firepass box, or internal layered APM VIP.
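The point above about the ClientHello, as an added example (not code from the thread or from F5): the only routing information available before the SSL session is terminated is the server_name extension, if the client sends one. The parser below pulls the SNI host name out of a raw TLS record and returns None for a hello that carries no extensions at all, which is what an old or non-SNI client looks like on the wire. The ClientHello bytes are constructed by the helper in the same block; the host name vpn.example.com is a placeholder, not a name from the original post. Note that the request URI is never visible at this stage, so with one certificate and one host name shared by Firepass and APM, as in the setup described in this thread, SNI gives nothing to switch on.

```python
"""
Extract the Server Name Indication (SNI) host name from a raw TLS ClientHello.
Added example for this thread, not code from F5, Firepass or APM. The records
parsed here are built by build_client_hello() below, not captured traffic.
"""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).
    With server_name=None no extensions block is emitted, mimicking a client
    that does not support SNI. Cipher suites and random are placeholders."""
    random_bytes = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\xc0\x2f\x00\x2f"          # two arbitrary suites
    compression = b"\x00"                        # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: name_type 0 (host_name) + 2-byte length + name
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # type 0 = server_name
    body = (
        b"\x03\x03" + random_bytes
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: msg_type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello
    record, or None if the record is not a ClientHello, is malformed, or
    carries no SNI (e.g. a client without TLS extension support)."""
    if len(record) < 5 or record[0] != 0x16:         # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                      # client_version + random
        pos += 1 + p[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + p[pos]                                 # compression_methods
        if pos >= len(p):
            return None                                   # no extensions block at all
        ext_total = struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", p[pos:pos + 4])
            pos += 4
            data = p[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:                        # host_name
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("vpn.example.com")))   # vpn.example.com
    print(extract_sni(build_client_hello(None)))                # None
```

The parser deliberately walks the whole ClientHello rather than searching for a byte pattern, so an application-layer payload that happens to contain the string is not mistaken for a server_name extension; anything that does not parse as a handshake record yields None and should be treated as "no name known" by whatever routing logic sits on top.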


  • Hi Kevin,

    I have the same certificate on Firepass and in the client SSL profile of the VS on the LTM/APM BIG-IP. The name on the certificate resolves to the IP address of this VS on the LTM/APM BIG-IP. Also on this VS I have to configure the server SSL profile as serverssl-insecure-compatible to get the Firepass page to display. On this VS I have also configured the Access Policy of APM. So my idea was to create an iRule so that if the user types https://hostname it goes to Firepass, but if they type https://hostname/uri1 or https://hostname/uri2 .... it goes to APM. When the access policy is configured on the VS I can't go to the Firepass pool, I can only go to APM, using the following iRule. Any suggestions?

        when HTTP_REQUEST {
            if { [HTTP::uri] equals "/" } {
                ACCESS::disable
                pool firepasspool
            } elseif { [HTTP::uri] equals "/uri1" } {
                ACCESS::enable
                log local0. "APM /uri1 "
            }
        }

    Thanks, Regards, MC


  • It's actually not as simple as that. Both APM and Firepass transition through a set of URIs during policy evaluation. It's been a while since I've touched a Firepass, but I believe the URI structure is similar between them. It's not impossible, and I've done similar things on other projects, but it's certainly more than just a check for "/uri". That leaves basically two options:

    1. Attempt to switch between load balanced Firepass and layered APM VIP using URI and cookie evaluation. If you have a capture of a Firepass session, that would be most helpful, as I don't particularly remember what that looks like.

    2. Put Firepass and APM on two different URLs with individual certificates and find another way to switch between them. This, ironically, will most likely be the easier of the two options.