Forum Discussion
Andre_Lofton_14
Nov 17, 2015, Nimbostratus
How to configure SSL Pass-through
Currently I have a standard VIP setup using a SSL client profile and SSL server profile. How do I configure it for pass-through?
Brad_Parker_139
Nov 17, 2015, Nacreous
If you want to still be able to use an HTTP profile you will have to select the Proxy SSL option in both of your profiles. That will also require your pool members to support all the ciphers you make available in the client SSL profile and you will need to disable Diffie-Hellman ciphers. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
If you don't need to use an HTTP profile you can just remove both of your client and server SSL profiles.
- Andre_Lofton_14
  Nov 18, 2015, Nimbostratus
  I do have to use the HTTP profile because I need to have a persistence setting SSLSERVER. But can this be done just on the VIP, or do I have to create a custom server profile just for this VIP so I don't affect the parent profile for other VIPs, and select the Proxy SSL? Also, to confirm, I need to do this on the Client and the Server side SSL profile?
- Brad_Parker_139
  Nov 18, 2015, Nacreous
  Yes, you should create a custom client and server SSL profile and enable it on both. Be sure to read the SOL for any gotchas. Also, you say you need an HTTP profile for persistence. What kind of persistence are you using?
- R_Marc_77962
  Nov 19, 2015, Nimbostratus
  Persistence can be done on SSL session ID as well. Not quite as good, in general, as cookie insert, but better than source IP. If you are proxying HTTP traffic, however, you have more options available to you with an HTTP profile. If it's TCP over SSL of a non-HTTP variety, obviously don't. Also, IMNSHO, always create a custom profile, for every VIP and every profile type (same for persistence). I've seen too many clients break because of an innocuous change to one of the default profiles (also it's very cheap to say "create ltm profile my-new-profile- { }").
- Brad_Parker_139
  Nov 19, 2015, Nacreous
  Just FYI, you can't use SSL session ID persistence on a VIP that is using a client SSL profile.
- R_Marc_77962
  Nov 19, 2015, Nimbostratus
  Wasn't aware of that. That seems odd to me, but thanks for the info (not that I don't believe you, but I'm gonna validate).
- R_Marc_77962
  Nov 19, 2015, Nimbostratus
  And you are correct. That seems like an odd implementation. It would just require a session table; hell, you could easily do that in an iRule. There's at least one thing NetScalers do better than F5s, I guess.

  "You cannot use SSL persistence with the following configurations:
  * With a virtual server configured with a Server SSL profile. If the BIG-IP system is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.
  * With a virtual server configured for Client Authentication. For example, if the Client SSL profile is configured to request a Client SSL certificate for client authentication, you cannot use SSL persistence."
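The configuration the thread converges on, as an added tmsh example (not taken from the posts above or from F5's own documentation): custom client and server SSL profiles with Proxy SSL enabled, attached to a virtual server together with an HTTP profile, so the default profiles are never modified. All object names, the destination address, the pool name and the certificate/key names are assumed placeholders.

```tmsh
# Added example, not from the thread. Every name and address below is a
# placeholder; substitute your own objects.

# 1. Custom client SSL profile that inherits from the default clientssl
#    profile and enables Proxy SSL. Proxy SSL only follows the handshake
#    when the BIG-IP holds the same certificate and private key that the
#    pool members present and the pre-master secret is RSA-encrypted, so
#    Diffie-Hellman key exchange (DHE, and its elliptic-curve form ECDHE)
#    is excluded from the cipher list, as the thread's SOL reference
#    requires.
create ltm profile client-ssl clientssl_proxy_example \
    defaults-from clientssl \
    proxy-ssl enabled \
    cert backend_server.crt \
    key backend_server.key \
    ciphers DEFAULT:!DHE:!ECDHE

# 2. Custom server SSL profile, also with Proxy SSL enabled. Both sides
#    must have it on, and the pool members must accept every cipher left
#    in the client-side list above.
create ltm profile server-ssl serverssl_proxy_example \
    defaults-from serverssl \
    proxy-ssl enabled

# 3. Virtual server carrying the custom profiles (never the default
#    clientssl/serverssl) plus the HTTP profile. Cookie persistence is
#    chosen because, as quoted in the thread, SSL session ID persistence
#    is not available once a server SSL profile is attached.
create ltm virtual vs_https_proxyssl_example \
    destination 192.0.2.10:443 \
    ip-protocol tcp \
    profiles add { tcp http clientssl_proxy_example { context clientside } serverssl_proxy_example { context serverside } } \
    persist replace-all-with { cookie } \
    pool pool_https_backend_example

# Check the applied profile chain before committing the running config.
list ltm virtual vs_https_proxyssl_example profiles
save sys config
```

After applying, confirm in `list ltm virtual` output that both custom profiles appear with the intended clientside/serverside context, and read SOL 13385 from the thread before going live, since Proxy SSL has further cipher and protocol constraints not shown here.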