Forum Discussion

abi1980_184094
Apr 24, 2015

hi

I am using a wildcard VIP to load-balance 443, 5222 and 5223 connections.

I will be using a VIP with a standard L7 profile. Is it possible to perform SSL bridging using an L7 profile for my 443 connections? If not, what are my options?

 

18 Replies

  • You can't access L7 information in F5 with SSL bridging. Therefore, do not apply any L7 profiles to your VS if you want to use SSL bridging (SSL bypass). If configured incorrectly, client requests will be rejected (TCP N-ACK).

     

    I'd recommend to configure a second VS with TCP 443 port listener which will handle the SSL bridging. All other connections (non-SSL?) will be handled by your wildcard VS that has a L7 profile applied.

     

    • abi1980_184094
      Thanks Hannes. I have a challenge though: I have only one IP which can be used as the listener IP, or the VIP.
    • Hannes_Rapp
      You will not need a new IP for it. Use the same IP address for the new TCP:443 port VIP. Connections will be processed by the closest-match VIP. Regards,
  • OK, so you mean even if the same VIP has a wildcard entry, all my connections will still hit my other VIP, which is 443?

     

    • Hannes_Rapp
      Perhaps this will illustrate better.
      VS1: 1.1.1.1:0 (wildcard)
      VS2: 1.1.1.1:443 (TCP 443)
      Client requests https://1.1.1.1 (port 443); the request will go to VS2.
      Client requests http://1.1.1.1 (port 80); the request will go to VS1.
      Client opens SSH to 1.1.1.1 (port 22); the request will go to VS1.
      Client opens a TCP connection to 1.1.1.1:X (where X is any TCP port number except 443); the request will go to VS1.
    • abi1980_184094
      Thank you, I get it now. For connections on 5222 and 5223 I will be using a wildcard VIP and will have 2 different pools. What should be the iRule applied to the wildcard VIP to load-balance connections across these pools?
  • You can use the iRule below for your wildcard VS. Modify the pool names as needed.

    # Dispatch on the destination port the client connected to on the wildcard VS.
    when CLIENT_ACCEPTED {
      switch [TCP::local_port] {
        "5222" {
          pool pool_foo_5222
        }
        "5223" {
          pool pool_foo_5223
        }
        default {
          # Reject connections to other TCP ports (security considerations)
          reject
        }
      }
    }
    
    • abi1980_184094
      Hi Hannes, this last piece where you have mentioned "Reject connections to other TCP ports (security considerations)": is this also a part of the iRule, or did you just mention it for clarity?
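To make the two pieces of advice in this thread concrete (one IP, a wildcard virtual server carrying the port-dispatching iRule, and a separate TCP:443 virtual server on the same IP that does the SSL bridging), here is an added tmsh configuration fragment. It is not from the original thread or from F5; the object names, the 1.1.1.1 address (borrowed from Hannes's illustration), the 10.0.0.x pool member addresses and the use of the default clientssl/serverssl profiles are all assumptions for the example.

```tmsh
# Added example (not from the thread): two listeners on one IP plus the
# port-dispatching iRule, in the form bigip.conf / "tmsh list ltm" uses.
# Assumed: 1.1.1.1 (from Hannes's illustration), 10.0.0.x member addresses,
# the pool/VS/iRule names, and the default clientssl/serverssl profiles.

# Wildcard listener: port 0 ("any") catches every TCP port on 1.1.1.1 that is
# not claimed by a more specific virtual server. ip-protocol is pinned to TCP
# so TCP::local_port in the iRule is always valid (a UDP datagram would
# otherwise reach the rule and fail). translate-port is left at its default,
# which is disabled for a port-0 VS, so the server-side port equals the
# client's destination port.
ltm virtual vs_1.1.1.1_any {
    destination 1.1.1.1:any
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        tcp { }
    }
    rules {
        irule_port_dispatch
    }
    source 0.0.0.0/0
    translate-address enabled
}

# Exact-port listener on the same IP. TMOS selects the most specific match,
# so 1.1.1.1:443 wins over 1.1.1.1:any for HTTPS. SSL bridging = decrypt on
# the client side (clientssl) and re-encrypt toward the pool (serverssl);
# no HTTP profile is attached, following the advice above. The default
# clientssl profile presents BIG-IP's self-signed certificate: replace it
# with a profile referencing your real key/cert before exposing this VS.
ltm virtual vs_1.1.1.1_443 {
    destination 1.1.1.1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_web_443
    profiles {
        clientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}

# Same logic as the iRule posted above, with a log line so rejected probes of
# other ports are visible in /var/log/ltm. "reject" returns a TCP RST.
ltm rule irule_port_dispatch {
    when CLIENT_ACCEPTED {
        switch [TCP::local_port] {
            "5222" { pool pool_foo_5222 }
            "5223" { pool pool_foo_5223 }
            default {
                log local0. "rejecting [IP::client_addr]:[TCP::client_port] -> port [TCP::local_port]"
                reject
            }
        }
    }
}

ltm pool pool_foo_5222 {
    members {
        10.0.0.11:5222 {
            address 10.0.0.11
        }
        10.0.0.12:5222 {
            address 10.0.0.12
        }
    }
    monitor tcp
}
ltm pool pool_foo_5223 {
    members {
        10.0.0.11:5223 {
            address 10.0.0.11
        }
    }
    monitor tcp
}
ltm pool pool_web_443 {
    members {
        10.0.0.21:443 {
            address 10.0.0.21
        }
    }
    monitor https
}
```

Load it with `tmsh load sys config merge from-terminal` (or paste the objects into bigip.conf and load) and confirm the precedence claim empirically: open a TLS session to 1.1.1.1:443 and check with `tmsh show ltm virtual vs_1.1.1.1_443` that its connection counters increment while `vs_1.1.1.1_any` stays flat; then connect to an unlisted port such as 1.1.1.1:8080 and confirm an immediate RST plus the "rejecting" entry in /var/log/ltm.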