Forum Discussion
How to make F5 act as proxy for forwarding traffic to external website
Scenario is as below:
- F5 deployed as reverse proxy.
- Internal server is initiating connection to an external URL on internet.
- External website does not accept TLS1.2 connections.
- Internal server is initiating connection on TLS1.2
I need F5 to act as full proxy and initiate connection on TLS1.1
Let's say, if this is a generic external website (e.g. google.com, google.com, etc.), is it doable to make F5 act as a proxy to handle this connection? If so, how?
Any suggestions are much appreciated.
2 Replies
- Leonardo_Souza
Cirrocumulus
It is possible, but has problems.
To be able to change from TLS1.2 to TLS1.1, you need to terminate and initiate the SSL connection to the external server.
That causes 2 problems:
1 - Your server will see a different certificate, as you don't have the external server private key, so you need to create or use another one.
2 - The F5 connection to the external server will not validate the external certificate, by default. You can import the CA certificates and set that up.
So, basically, create a standard virtual server with the external server IP as a destination, and source as the internal server IP or network. Also, create a pool with the external server IP, and link to the virtual server. Configure and link to the virtual server, the clientssl and serverssl profiles.
That is with LTM.
However, if you go to SWG, that is simpler:
https://f5.com/products/big-ip/secure-web-gateway-services-swgs
In that case you can set up SWG as an explicit proxy, and the request will be sent to the proxy. It should then be able to negotiate the correct TLS protocol version with the external server.
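One way the LTM setup described in the reply above could look in tmsh, as an added example that is not part of the original thread. All object names, the addresses (10.0.0.5 for the internal server, 203.0.113.10 for the external server), the host name www.example.com and the certificate and key file names are placeholder assumptions, and the available SSL option names depend on the TMOS version.

```tmsh
# Added example, not from the thread. Every name and address is a placeholder.

# Client side (problem 1): the internal server sees this certificate, not the
# external site's. internal-proxy.crt/.key are assumed to be already imported
# and issued by a CA the internal server trusts for the external host name.
create ltm profile client-ssl clientssl_internal \
    defaults-from clientssl \
    cert-key-chain add { internal { cert internal-proxy.crt key internal-proxy.key } }

# Server side (problem 2): forbid TLS 1.2 so the handshake lands on TLS 1.1,
# and turn on validation of the external certificate, which is off by default.
# ca-file points at the imported CA bundle; authenticate-name pins the
# expected host name in the server certificate.
create ltm profile server-ssl serverssl_tls11 \
    defaults-from serverssl \
    options { dont-insert-empty-fragments no-tlsv1.2 } \
    ca-file ca-bundle.crt \
    peer-cert-mode require \
    authenticate-name www.example.com

# Pool containing only the external server.
create ltm pool pool_external members add { 203.0.113.10:443 }

# Standard virtual server: destination is the external server IP, source is
# restricted to the internal server, both SSL profiles attached.
create ltm virtual vs_external \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    source 10.0.0.5/32 \
    pool pool_external \
    profiles add { tcp { } clientssl_internal { context clientside } serverssl_tls11 { context serverside } }
```

With `peer-cert-mode require`, the server-side handshake fails if the external certificate does not chain to the CA bundle or does not match the expected name, which closes the validation gap described in problem 2.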
- Surgeon
Ret. Employee
On LTM SSL Forward Proxy (!!! not Proxy SSL) may work for you
https://devcentral.f5.com/articles/whiteboard-wednesday-ssl-proxy-solutions
