
Forum Discussion

hai1001_138479
Apr 21, 2014

Getting client original source IP for SSL/TLS session terminated by the servers to perform authentication and authorization, not F5

Is it correct that if I use the Proxy SSL feature for both the client and server profiles in the virtual server, I will get the client's original source IP for all SSL/TLS sessions handled by the back-end servers? I assume SNAT has to be disabled. How can I force the reply/response packets to the clients to take the reverse path, to F5 first and then from F5 to the clients? Do I have to use bi-directional "GRE" or "IPIP" tunnels from F5 to the back-end servers?

Thank you very much for any suggestions/recommendations.

Hai Nguyen

2 Replies

  • Routing is independent of SSL, so any routing configuration would be the same regardless of how, or whether, you applied SSL offload. So with SSL/TLS/Proxy SSL removed from the equation, in order to get the client's IP address to the server, simply do not apply a SNAT profile. To get the server to respond to the client back through the F5, you would need to configure the server to use the F5's internal self-IP as its default gateway, or set a static route if you know all of the client subnets.

  • If I configure the F5's internal self-IP as the servers' default gateway, can the F5 function as a router, forwarding the packets to the true default router, when the server's packets did not originate from the F5?

    Forwarding and routing responses are two different things. At a minimum, you'd need to tell the server to route back through the F5 for any requests it received from the F5, and you can do that by setting the server's default route to the F5's internal self-IP. For that same server to be able to access the world through the F5, for traffic originating at the server, you'd need to also create an internal forwarding VIP (IP forwarding - 0.0.0.0/0:0 - SNAT outbound as required), and then apply a default route on the F5 that points to the true outbound router.
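The configuration the two replies describe, assembled as an added example (not from the original thread and not F5's own documentation): tmsh commands for a BIG-IP LTM with a client-facing virtual server that does no SNAT, an IP-forwarding virtual server on the internal VLAN for traffic that originates on the servers, and a default route to the real upstream router, plus the matching default-gateway change on a Linux back-end and two checks. All addresses, VLAN names, object names, pool members and the Linux server are assumptions chosen for illustration; the VLANs are assumed to exist already.

```tmsh
# Added example, not from the thread. Assumed topology: 203.0.113.0/24 is the
# external side (203.0.113.1 is the real upstream router), 10.10.10.0/24 the
# internal (server) side. VLANs vlan_external and vlan_internal already exist.

# 1. Self-IPs. The internal self-IP is the address the servers will use as
#    their default gateway, so it must allow the traffic they send to it.
create net self self_external address 203.0.113.5/24 vlan vlan_external allow-service none
create net self self_internal address 10.10.10.1/24 vlan vlan_internal allow-service default

# 2. Application virtual server with SNAT disabled (type none), so the pool
#    member sees the client's real source address. SSL profiles do not change
#    this part; add client-ssl/server-ssl (or Proxy SSL) profiles as needed.
create ltm pool pool_app members add { 10.10.10.21:443 10.10.10.22:443 } monitor https
create ltm virtual vs_app destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp } pool pool_app source-address-translation { type none }

# 3. IP-forwarding virtual server so traffic that ORIGINATES on the servers
#    (updates, DNS, outbound API calls) can leave through the BIG-IP. It is
#    enabled only on the internal VLAN and restricted to the server subnet, so
#    nothing arriving from the outside is forwarded; automap SNAT rewrites the
#    RFC 1918 server addresses on the way out.
create ltm virtual vs_forward_out destination 0.0.0.0:0 mask 0.0.0.0 source 10.10.10.0/24 ip-forward ip-protocol any vlans-enabled vlans add { vlan_internal } source-address-translation { type automap }

# 4. Default route on the BIG-IP pointing at the true upstream router, used
#    for the forwarded server-originated traffic.
create net route default_gw network default gw 203.0.113.1

save sys config

# 5. On each Linux back-end (as root), make the BIG-IP's internal self-IP the
#    default gateway so replies to proxied connections, and server-originated
#    traffic, go back through the BIG-IP:
#      ip route replace default via 10.10.10.1
#    A server that still routes replies around the BIG-IP produces half-open
#    connections, because the BIG-IP is a full TCP proxy and never sees the
#    server's SYN/ACK.

# 6. Checks. On a server, tcpdump on port 443 should show client source
#    addresses from outside 10.10.10.0/24, not 10.10.10.1. On the BIG-IP:
#      show sys connection cs-client-addr 198.51.100.7
#    should list one flow for that client with the same client address on
#    both the client side and the server side of the proxy.
```

Leaving SNAT off only preserves the client address for connections the BIG-IP proxies; the forwarding virtual server in step 3 deliberately does apply automap, otherwise the upstream router would need a return route for 10.10.10.0/24 pointing back at the BIG-IP's external self-IP.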