DaleLeBlanc_140
Sep 16, 2014

Outbound Virtual Server with SSL

I am trying to configure an outbound virtual server (meaning my internal app servers will communicate with the VS) that uses a pool with a pool member that is on the Internet. The communication with the external server is SSL, but I need communication from the app servers to be port 80.

 

So, traffic will be unencrypted between internal app servers to virtual server, but needs to be SSL between LTM and the pool members.

 

In my sample config, I use an encrypted site (yahoo.com). So, my app server would communicate to http://yahoo.com, but communication between LTM and yahoo is SSL.

 

I have set up the following:

 

Virtual Server: 10.1.1.100:80
Http Profile: http
SSL Profile (Client): NONE
SSL Profile (Server): serverssl-insecure-compatible
SNAT Pool: Auto Map

 

Pool Config:
Health Monitor: https
Member: 206.190.36.45:443 (this is the IP of yahoo.com)

 

This is not working as desired. What am I missing?

 

3 Replies

  • The config looks about right, but I think what you're going to find is that the server (i.e. yahoo.com) is going to respond with https:// URL references. If you do a client side capture (Fiddler, HTTPWatch, etc.) you're going to see document object references and redirects pointing back to the real https:// URL. Interestingly, this is the exact opposite problem that most people have when trying to do https in front of an http site. If this is indeed what you're experiencing, then you'll necessarily have to rewrite all of these URLs. That can be done with an iRule and a stream profile, but it may be a ton easier to simply do SSL on the client side and SSL on the server side. You then still have the decrypted traffic in the middle.

     

  • So just to level set:

     

    1. Port 80 VIP
    2. HTTP profile
    3. Server SSL profile
    4. Automap SNAT
    5. Pool with port 443 server(s)

    Is that about right? Do you have the ability to do a capture on the unencrypted client side?

     

  • Hi Dale, Did you ever resolve this issue? I'm having the same issue.

     

    Thanks Stuart
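
The URL rewrite mentioned in the first reply, as an added sketch that is not part of the original thread or F5's own code: an iRule that uses the stream profile to turn https:// references in responses back into http://. It assumes a stream profile is attached to the port 80 virtual server alongside the http and server SSL profiles; rewriting every https:// reference, rather than only those for the pool member's host, is a simplification made for illustration.

```tcl
# Added example (assumption: a stream profile is attached to the virtual server).
when HTTP_REQUEST {
    # Keep the stream filter off for request payloads.
    STREAM::disable
    # Ask the server for uncompressed responses so the stream
    # expression can match plain text in the body.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Redirects: the server answers with https:// Location values,
    # which the port 80 client cannot follow through this virtual server.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" \
            [string map {"https://" "http://"} [HTTP::header value "Location"]]
    }

    # Body references: only rewrite text content types.
    if { [HTTP::header value "Content-Type"] starts_with "text/" } {
        STREAM::expression {@https://@http://@}
        STREAM::enable
    }
}
```

A client-side capture, as suggested in the replies, is the way to confirm which of the two cases (redirects or embedded references) is actually breaking the session before applying a rule like this.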