Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

dlawke's avatar
dlawke
Icon for Nimbostratus rankNimbostratus
Sep 10, 2024

iRule redirection for VIP on 443

We're migrating from NetScaler, and the one thing that NetScaler was able to do is redirect on a 'downed' VIP as a protection measure.    Basically, an application is migrating to the cloud, and we...
application delivery
Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for MVP rankMVP
Sep 10, 2024

A simple irule with 302 redirect is enough in your case as said.

But there is no way to avoid SSL termination when using https.

 

So if you still have a valid cert for applicationa.contoso.com, just assign the below irule to the VS bind the cert and you should be ok.
It would better also to deassign the pool.

 

when HTTP_REQUEST {
  if { [HTTP::host] equals "applicationa.contoso.com"} {
      HTTP::redirect "https://hosted-applicationa.contoso.com"
  }
}

  • dlawke's avatar
    dlawke
    Icon for Nimbostratus rankNimbostratus
    Sep 10, 2024

    Thanks. That makes sense. I was trying to avoid even having BIG-IP even bothering looking at the packet. I just wanted the traffic to hit the VS and respond by telling them to go to the URL in the iRule. If that is not possible, then that makes sense.

     

    On the NetScaler, there were times we had to bind an 'always up' service/node to a VS in order for a feature to function like a responder or rewrite. Is that unnecessary on the F5-side?

    • Injeyan_Kostas's avatar
      Injeyan_Kostas
      Icon for MVP rankMVP
      Sep 10, 2024

      No it's not, a VS can be active even with no pool assigned