For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

spud_141786's avatar
spud_141786
Icon for Nimbostratus rankNimbostratus
Mar 31, 2014

"Most effective" can be many different things, depending on the objectives you need to achieve. That being said, since you specify "without the SSL termination happening on the BIGIP", you just need to configure a virtual server to listen on TCP port 443, and then configure the pool members with a service port of 8443. In the virtual server configuration there is no need to specify any SSL Profile, the F5 will simply load balance incoming connections on TCP port 443 to the pool members on service port 8443. This is often called SSL Tunneling becasue the SSL session is "tunneled" through the F5 device. Depending on requirements this may work just fine, but there are a few caveats:

 

  1. the F5 will not be able to see traffic inside the SSL session
  2. the F5 may not be able to effectively provide session persistence

If either of these caveats are cause for concern, then you may want to do SSL offload, meaning the F5 terminates the SSL session coming from the client and then optionally initiates a new SSL session towards the pool members.

 

Lazar_92526's avatar
Lazar_92526
Icon for Nimbostratus rankNimbostratus
Mar 31, 2014
Also - remember that if you have ASM in play, that tunneling/passthrough will not allow ASM to inspect and apply any security rule sets that may be set. So as bdy stated, most effective needs to take you overall security controls and requirements as well.