For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hai1001_138479's avatar
hai1001_138479
Icon for Nimbostratus rankNimbostratus
Apr 21, 2014

Getting client original source IP for SSL/TLS session terminated by the servers to perform authentication and authorization, not F5

Is it correct that if I use Proxy SSL feature for both client and server profiles in the virtual server, I will get the client original source IP for all SSL/TLS sessions handled by the back-end serv...
application delivery
BIG-IP Access Policy Manager (APM)
design
LTM
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 21, 2014

Routing is independent of SSL, so any routing configuration would be the same regardless of how or if you applied SSL offload. So with SSL/TLS/ProxySSL removed from the equation, in order to get the client's IP address to the server, simply do not apply a SNAT profile. To get the server to respond to the client back through the F5, you would need to configure the server to use the F5's internal self-IP as its default gateway, or set a static route if you know all of the client subnets.