Forum Discussion
HTTPS Traffic Issue
Hi Everybody,
I require your attention. Please help me.
There is a request for the F5 LTM from the users.
++++++++++++++++++++++++++++++++++++++++++++++++++
1) DNS name and VIP for end user access to clustered test servers.
2) Load balancing using F5 to two test Servers (SRV1731.domain.net - 141.172.24.201 and SRV1732.domain.net - 141.172.24.202). This should be configured for sticky session.
3) SSL termination either on F5 or on test servers.
Backend URL addresses are:
+++++++++++++++++++++++++++++++++++++++++++++++++++
For Point 1, I took the URL "sailpointtest.domain.com" and mapped it in the DNS server to IP 141.172.69.12 (which is reserved for the VIP).
For SSL termination on BIG-IP LTM, I first created a CSR (Certificate Signing Request) and gave that CSR to our security team, who then provided me the certificate signed by a CA.
I imported that certificate (Sailpoint1) in the key that was generated automatically while creating CSR.
I made the following config on BIG-IP LTM:
==================================================================
VS Name - Sailpointtest
VIP - 141.172.69.12
Service Port : 443
HTTP Profile - http
SSL profile ( Client ) - sailpointtest_client_ssl
SSL profile ( server ) - None
Default Pool - sailpointtest_pool
Default persistence profile - dest_addr ( sticky )
=============================================
Pool : sailpointtest_pool
Health Monitor : http
Load Balancing Method : Round Robin
Pool members : 141.172.24.201:8080 , 141.172.24.202:8080
=============================================
SSL profile ( Client ) : sailpointtest_client_ssl
SSL Certificates : Sailpoint1
===================================================================
The health monitor marks the pool members up, and the Virtual Server is up as well.
When I enter the URL https://sailpointtest.group.upm.com in the browser, it keeps spinning indefinitely without showing any page or error.
Please help me if I am doing anything wrong.
1) Please let me know if I need any iRule here. I don't think I need any. Please suggest.
2) Am I required to use a Client SSL Profile in order to decrypt the HTTPS traffic on F5? What would happen if we don't have an iRule applied on the VS and we are not using a Client SSL Profile? Is it that the traffic will be forwarded by F5 as such (https) to the actual server after the load balancing decision has been made by LTM, and the actual server needs to have a Certificate/Key to decrypt it?
3) Are we required to give the clients any Certificate/Key for this to work? I guess not.
4) One interesting thing that I observed is that connections are being made through the pool member when I hit the URL in the browser, IRRESPECTIVE OF WHETHER THE CLIENT SSL PROFILE IS APPLIED OR NOT.
Please help me solve the issue and answer my query.
Thanks in advance. Vijay Rai
2 Replies
- Samir_Jha_52506
Noctilucent
Hi Vijay, please enable SNAT "Automap" and try to open the URL through the IP address, i.e. https://<IP address>.
If the problem persists, let me know.
- nitass
Employee
Default persistence profile - dest_addr ( sticky )
I do not think you should use destination address persistence. Since you do SSL offloading, cookie persistence may be a better choice.
1) Please let me know if I need any iRule here. I don't think I need any.
What HTTP Host header do the servers expect to receive? Is it the virtual server FQDN (sailpointtest.group.upm.com) or the server FQDN (SRV1731:8080, SRV1732:8080)?
And is the URI (/Identityiq) supplied by the user, or does it have to be added by the BIG-IP when sending the request to the server?
2) Am I required to use Client SSL Profile in order to decrypt the HTTPS traffic on F5 ?
If the server is running HTTPS, you do not need a clientssl profile on the BIG-IP. SSL will be passed through to the server.
What would happen if we don't have an iRule applied on the VS and we are not using a Client SSL Profile? Is it that the traffic will be forwarded by F5 as such (https) to the actual server after the load balancing decision has been made by LTM, and the actual server needs to have a Certificate/Key to decrypt it?
Yes.
3) Are we required to give the clients any Certificate/Key for this to work ? I guess not.
No (you are correct).
While I am entering the URL https://sailpointtest.group.upm.com in the browser, it is circling indefinitely without giving any page or error.
Try the virtual server IP as Samir suggested; tcpdump/ssldump may be helpful.
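The SSL-offload setup discussed in this thread, written out as tmsh commands (an added example, not from the original post or from F5's documentation); it assumes the certificate imported under the name Sailpoint1 is stored as Sailpoint1.crt/Sailpoint1.key, and it applies the two replies' suggestions, SNAT Automap and cookie persistence in place of dest_addr.

```tmsh
# Pool: two test servers on plain HTTP 8080, checked by the built-in http monitor
create ltm pool sailpointtest_pool monitor http load-balancing-mode round-robin \
    members add { 141.172.24.201:8080 141.172.24.202:8080 }

# Client SSL profile: TLS terminates on the BIG-IP with the CA-signed cert.
# Object names assume the GUI import of "Sailpoint1" (.crt / .key suffixes added by BIG-IP).
create ltm profile client-ssl sailpointtest_client_ssl defaults-from clientssl \
    cert Sailpoint1.crt key Sailpoint1.key

# Virtual server on the reserved VIP, port 443.
# - No server-ssl profile: traffic to the pool members is sent unencrypted on 8080.
# - SNAT Automap: replies from the servers return via the BIG-IP even when their
#   default gateway is not the BIG-IP (the usual cause of a browser that spins forever).
# - Cookie persistence: dest_addr keys on the destination IP, which for every client is
#   the VIP itself, so all clients would stick to one member; a cookie inserted by the
#   BIG-IP follows the decrypted HTTP session instead.
create ltm virtual Sailpointtest destination 141.172.69.12:443 ip-protocol tcp \
    profiles add { http { } sailpointtest_client_ssl { context clientside } } \
    pool sailpointtest_pool \
    source-address-translation { type automap } \
    persist replace-all-with { cookie }

# Verification: member and virtual status, then the persistence records created per client
show ltm pool sailpointtest_pool members
show ltm virtual Sailpointtest
show ltm persistence persist-records

# From the BIG-IP shell: confirm the client-side handshake reaches the VIP and that the
# server-side request actually leaves toward a member on 8080 (and that a reply comes back)
tcpdump -nni 0.0 host 141.172.69.12 and port 443
tcpdump -nni 0.0 host 141.172.24.201 and port 8080
```

If the second capture shows SYNs toward the member but no SYN/ACK, the server is not routing its replies back through the BIG-IP, which is exactly what SNAT Automap addresses.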