Forum Discussion
CirrostratusHTTPS virtual server with custom TCP port
MVPIreda This would only require having your virtual server (VS) listening on the respective destination IP and port 8080. The reason this doesn't work for you when you apply an HTTP profile is because you are not performing SSL termination on the F5 and since the traffic is encrypted the F5 doesn't know what to do so the connection fails. The reason you are most likely receiving an "not secure" is because the servers that you are balancing to either don't have a trusted CA SSL certificate installed, an SSL certificate that doesn't match the name in your URL, or an expired SSL certificate installed. So as an example, if you have SSL certificate for *.example.com installed on the destination servers and you use xyz.org in the URL, even though that points to the same destination IP your browser sees the missmatch and gives you that not secure error. You should be able to validate the SSL certificate that you are being provided by clicking the lock icon next to the URL in your browser or using the following curl command.
curl -Ivk "https://<url>"
Also, you do not have to configure an HTTP profile unless you are doing something to look at the HTTP header such as cookie persistence or attempting to balance based on host or uri. If you woud like to do that on the F5 just make sure you perform SSL termination on the F5 VS in question.
CirrostratusThanks for your reply, but regarding VIP port will be 8080 and protocol will be "Other" or what ?
Also, How can I do F5 SSL termination on the VS? you meaning assign SSL Profile for client side.
- Paulius
Ireda If you enter the port it should auto-select the appropriate setting. Are you referring to the drop down to the right of the service port that says HTTPS or are you referring to the protocol just below that under the configuration section that should set itself to TCP? If you want to perform SSL termination and pass the traffic decrypted to the pool members you only configure an SSL client profile with a valid SSL cert, key, and intermediate if necessary. If you want to pass encrypted traffic to the pool member after the F5 has done what it needs to you can configure both a SSL client profile and SSL server profile, the SSL server profile can be the default serverssl or other profiles that are already on the F5. You only have to adjust the SSL server profile if you only want to use certain SSL ciphers as well as a few more options.
- Ireda
Hi
Kindly check the attached, are you meaning that? , but this is a migration from Citrix to F5
In Citrix -------> port 8080 / protocol HTTP and in other VS the protocol is TCP.
How can I make the port 8080 and protocol HTTP ?
- Paulius
Ireda Those are just configuration differences between Citrix Netscaler and the F5 BIG-IP. On the BIG-IP you specify the TCP protocol rather than HTTP in the protocol section and then in the service port if you select HTTP it will auto-assign port 80. In your case you are specifying port 8080 which isn't an auto-populated name for F5 in the GUI so it states "other" rather than HTTP even though your traffic is HTTP. The nice thing about the F5 is it treats traffic from least specific to most specific by using various profiles such as TCP, HTTP, and so on. If on the Citrix you had port 8080 which accepted encrypted HTTPS traffic your VS on the F5 should be IP plus 8080 and then below it populates TCP as you are seeing in your screenshot. The following link has an unsupported unofficial tool that someone created to migrate from Citrix ADC to F5 BIG-IP which is what you are doing by the sound of it.
https://community.f5.com/t5/codeshare/citrix-netscaler-to-f5-big-ip/ta-p/277635
I personally would not use the tool because it's not supported and you will learn much more by manually migrating the configuration but if you are in a time crunch the tool might be the best path forward.
