Ideas on how to measure performance hit of SSL on a VIP?

I was able to confirm that SSL was my problem. By setting up a seperate VIP that uses the same pool, but the VIP doesn't use SSL, I was able to close the gap between the time it takes to run through our F5 and Firewall as compared to going directly to a back-end server whereby the client and server are both inside our firewall. But of course, getting rid of SSL is not an option for our websites (It just explains the almost 100% performance degradation). This was all tested using a client machine that is internal to our network. Once I took that client to an offiste location and tested using a slow speed wireless connection at a resturaunt, SSL or no SSL makes no noticeable difference, because the propagation delay and bandwidth constraints cause page load times to increase 5-fold anyway, and the SSL delays become overshadowed by the network delays.

 

 

Which brings me to a new twist to this tale I need your help with now. The websites in question offer content both to employees of my company (internal clients, who get to it via the same F5/firewall path as external clients, but at much higher "LAN" speeds), and it serves content to customers and member across the Internet. I'd like to experiment with LAN-Optimization and WAN-Optimization techniques, which are available on the [tcp] protocol profiles. Typically we use the default tcp profile. If I wanted to begin using a tuned profile for LAN or WAN users, can it be done with a single VIP and somehow select the profile based on the IP address of the client? It seems to me this is impossible because the TCP connection to the LTM is already established by the time I can run an iRule against it to select a certain protocol profile. If there is a way to do this and anyone can point me to an example, I'd appreciate it.

 

Another question is on the "client" vs. "server" protocol profiles. By default the server profile in LTM uses whatever is specified as the client profile. Does it make sense, if trying to optimize for slow WAN connections, to use wan optimization profiles on the [LTM VIP Configuration Setting] "Protocol Profile (Client)" side which is facing the end user, and use a LAN optimized profile on the "Protocol Profile (Server)" side which is on the same subnet as an interface of the LTM, just one hop away at LAN speeds?