Forum Discussion
How to make F5 act as proxy for forwarding traffic to external website
It is possible, but has problems.
To be able to change from TLS1.2 to TLS1.1, you need to terminate and initiate the SSL connection to the external server.
That causes 2 problems:
1 - Your server will see a different certificate, as you don't have the external server's private key, so you need to create or use another one.
2 - The F5 connection to the external server will not validate the external certificate, by default. You can import the CA certificates and set that up.
So, basically, create a standard virtual server with the external server IP as the destination, and the source as the internal server IP or network. Also, create a pool with the external server IP, and link it to the virtual server. Configure the clientssl and serverssl profiles, and link them to the virtual server.
That is with LTM.
However, if you go to SWG, that is simpler:
https://f5.com/products/big-ip/secure-web-gateway-services-swgs
In that case you can set up SWG as an explicit proxy, and the request will be sent to the proxy. It should then be able to negotiate the correct TLS protocol version with the external server.
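The LTM setup described in the answer above, sketched as tmsh commands with server-side certificate validation switched on. This is an added example, not part of the original post; every object name, certificate name, hostname and address in it is a placeholder, and it assumes the certificate/key pair and the CA certificate have already been imported under the names shown.

```tmsh
# Added example. Constructed values:
#   203.0.113.10     external server
#   10.0.0.0/24      internal server network
#   ext.example.com  name expected in the external server's certificate

# Problem 1: the internal server is shown a certificate you issue yourself,
# because the external server's private key is not available to the F5.
# int_proxy.crt / int_proxy.key are assumed to be imported already and
# trusted by the internal server.
create ltm profile client-ssl clientssl_ext_proxy { defaults-from clientssl cert-key-chain add { int_proxy { cert int_proxy.crt key int_proxy.key } } }

# Problem 2: the built-in serverssl profile has peer-cert-mode ignore, so the
# external certificate is accepted without being checked. This profile
# requires a certificate that chains to the imported CA (ext_server_ca.crt,
# assumed name) and carries the expected name.
create ltm profile server-ssl serverssl_ext_verified { defaults-from serverssl ca-file ext_server_ca.crt peer-cert-mode require authenticate-name ext.example.com }

# Pool containing the external server.
create ltm pool pool_ext_server { members add { 203.0.113.10:443 } }

# Standard virtual server: destination is the external server IP, source is
# the internal network, with both SSL profiles and the pool attached.
create ltm virtual vs_ext_proxy { destination 203.0.113.10:443 source 10.0.0.0/24 ip-protocol tcp pool pool_ext_server profiles add { tcp { } clientssl_ext_proxy { context clientside } serverssl_ext_verified { context serverside } } }

# Check that validation is really enabled on the server side.
list ltm profile server-ssl serverssl_ext_verified peer-cert-mode ca-file authenticate-name
```

With this in place, a server-side handshake fails if the external certificate does not chain to the imported CA, rather than being accepted silently.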
