Forum Discussion
Andre_Lofton_14
Nimbostratus
NimbostratusHow to configure SSL Pass-through
Currently I have a standard VIP setup using a SSL client profile and SSL server profile. How do I configure it for pass-through?
Brad_Parker
Cirrus
CirrusIf you want to still be able to use an HTTP profile you will have to select the Proxy SSL option in both of your profiles. That will also require your pool members to support all the ciphers you make available in the client SSL profile and you will need to disable Diffie-Hellman ciphers. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
If you don't need to use an HTTP profile you can just remove both of your client and server SSL profiles.
R_Marc_77962Nimbostratus
Nimbostratusand you are correct. That seems like an odd implementation. It would just require a session table; hell you could easily do that in an iRule. There's at least one thing NetScalers do better than F5's I guess.
You cannot use SSL persistence with the following configurations:
With a virtual server configured with a Server SSL profile. If the BIG-IP system is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.
With a virtual server configured for Client Authentication. For example, if the Client SSL profile is configured to request a Client SSL certificate for client authentication, you cannot use SSL persistence.
