Hi,
If you want to control the L7 traffic with APM, then yes, that's your only choice. But there is another way to achieve your goal:
you can control traffic to those encrypted apps using an LTM policy based on SNI.
No need to decrypt SSL: the policy will evaluate the SNI (which is based on the hostname), and you can create your desired action based on that.
For example, you can drop traffic, log it, redirect it to an error page...
Steps to do that:
- Make sure you have an LTM license (required for the SSL persistence profile you will need).
- Create a 0.0.0.0/0:443 virtual server INSIDE the tunnel (no HTTP profile, no SSL profiles).
- Attach an SSL persistence profile to the virtual server (that will allow the BIG-IP to parse the SSL hello packet and read the SNI).
- Create the policy that uses that.
Have a look at the following example for greater details on SNI and LTM policy:
https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
Hope it helps.
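As an added illustration of the four steps above (this is not the poster's configuration or F5's reference code), the following tmsh commands build the SSL persistence profile, an LTM policy that matches the SNI server_name in the ClientHello, and the wildcard 443 virtual server bound to the tunnel. The tunnel name `TUNNEL_NAME`, the object names, and the hostname `blocked.example.com` are placeholders; the draft-and-publish policy workflow applies to TMOS 12.1 and later, and exact option spelling can vary between versions, so check with `tmsh list` after each step. The commands are written as they would be run from the BIG-IP bash shell with `tmsh` prefixed, using backslash continuations for readability.

```tmsh
# Added example, not the poster's config. Placeholders: TUNNEL_NAME, blocked.example.com.

# Step 1 (license) is a prerequisite; nothing to configure.

# Step 3: SSL persistence profile, inherited from the built-in "ssl" parent.
# This is what lets the BIG-IP parse the TLS ClientHello and read the SNI
# without any client-ssl profile, i.e. without decrypting anything.
tmsh create ltm persistence ssl ssl_sni_persist defaults-from ssl

# Step 4: LTM policy (created as a draft, then published). The single rule
# matches the server_name extension of the ClientHello against a hostname,
# writes a line to /var/log/ltm and resets the connection. "requires
# ssl-persistence" is what makes the ssl-client-hello event available.
# Everything that does not match falls through and is forwarded normally.
tmsh create ltm policy Drafts/sni_control_policy \
    strategy first-match \
    requires add { ssl-persistence } \
    controls add { forwarding } \
    rules add { \
        block_host { \
            ordinal 1 \
            conditions add { \
                0 { ssl-extension ssl-client-hello server-name values { blocked.example.com } } \
            } \
            actions add { \
                0 { log ssl-client-hello write message "sni_control_policy: blocked SNI match" } \
                1 { forward ssl-client-hello reset } \
            } \
        } \
    }
tmsh publish ltm policy Drafts/sni_control_policy

# Step 2: wildcard TCP/443 virtual server listening only inside the tunnel.
# No HTTP or SSL profiles; address/port translation disabled so non-matching
# traffic is routed through unchanged. The SSL persistence profile and the
# policy are attached here.
tmsh create ltm virtual vs_tunnel_tls_any \
    destination 0.0.0.0:443 mask any \
    ip-protocol tcp \
    profiles add { tcp } \
    translate-address disabled translate-port disabled \
    persist replace-all-with { ssl_sni_persist } \
    policies add { sni_control_policy } \
    vlans add { TUNNEL_NAME } vlans-enabled

# Verify the objects were created as intended.
tmsh list ltm policy sni_control_policy
tmsh list ltm virtual vs_tunnel_tls_any
```

To redirect instead of reset, the policy would need an HTTP profile on the virtual server, which is exactly what this setup avoids; with SNI-only inspection the practical actions are log, reset, or forward to another virtual server or pool. Note also that SNI is client-supplied and unauthenticated, so this controls which hostnames a client claims to be contacting; a client that omits or spoofs SNI will not match the rule, and you should log non-matching flows if you need to see them.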