Forum Discussion

John_Krum
Jul 07, 2021

Policies to move HTTPS traffic

I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible with HTTPS traffic? Do the nodes need to use http?


It's been 10 years since I have worked on LTMs - I have a fair amount of refreshing and catching up to do. Thanks in advance.

John

  • Hi John,


    Yes, it is possible. You could use LTM Traffic Policies to match the HTTP Host value and forward traffic to the pool accordingly. Get started with this article: devcentral - LTM Policy

    A policy rule could look like this.

    And for the SSL profile take a look at this solution: K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature

    With SNI you can configure which SSL certificate will be used to authenticate the VS to the client and to secure the connection.


    KR

    Daniel


    • 
      John_Krum
      I have looked at the first reference link earlier as well. Here is more detail regarding what I am trying to accomplish.

      I have an outside firewall NAT for incoming 443 traffic on 96.103.236.222 that forwards that traffic to an LTM VIP 192.168.5.5 listening on 443. I am trying to have sites Viewforms.mycompany.org and Employee.mycompany.org (I am also thinking it might be better to do Mycompany.web.org/viewforms and Mycompany.web.org/employees, but the first one is preferred).

      The VIP is basic.
      HTTP profile is HTTP. I have to select an http or an http-connect profile (this is where I am not sure why I require an http profile; it makes me think that the server connection is http).
      Automap
      Resources: I don't have a default pool selected (I did to verify I get the login page prior to adding a policy). Policy is DMZ-Cop.

      DMZ-Cop is: Match HTTP Host -> host -> is -> any of -> Viewforms.mycompany.org or viewforms -> at request time. Do the following: Forward traffic -> to pool -> viewforms-pool.

      When I https to the page Viewforms.mycompany.org I do not see any policy statistics, invoked or succeeded. I haven't tried adding any info for the second site.

      Once I change the VIP config http profile (client) to http, I no longer connect to the login page. I do see TCP handshake, Client Hello, and an ACK to that. 1.5 seconds later a FIN from my side.

      Thanks
      John Krumenacher
      • 
        Daniel_Wolf

        This is gonna be a detailed one...

        First of all, the virtual server: you mentioned publishing the virtual server on port 443.

        So your virtual server should have an HTTP profile and several clientside SSL profiles.

        No serverside SSL and also using SNAT Automap (in prod I'd use SNAT Pool).

        In this example I have one for each FQDN.

        This is what my VS looks like. One of the clientside SSL profiles has the checkbox "Default SSL Profile for SNI" checked.

        All others have only a Server Name set.

        However all SSL profiles have the same Key / Cert, but all FQDNs are in the SAN.

        And finally this is my LTM Traffic Policy for content switching based on FQDN.

        You could also add a logging action to each rule to check whether the condition is matched.


    • 
      John_Krum
      Daniel, looking closer at the pcaps and the conf VS to serve multiple HTTPS sites, I switched up my policy. Now I can see that the policy is getting both invoked and succeeded hits of equal amounts.

      DMZ-Cop is: Match SSL Extension -> server name -> is -> any of -> Viewforms.mycompany.org or viewforms -> at client hello. Do the following: Forward traffic -> to pool -> viewforms-pool.

      I have the same end results. No Server Hello in reply to the Client Hello. I assume this is due to the fact that the server has the cert and I am directing traffic to it via a profile?

      Thanks again,
      John Krumenacher
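The setup Daniel describes (HTTP profile, one clientssl profile per FQDN with one marked as the default for SNI, no serverssl, SNAT automap, no default pool) together with the SSL-extension policy John moved to, written out as tmsh configuration. This is an added example, not configuration posted in the thread; the profile, certificate, key, virtual server and employee-pool names are assumed, while the FQDNs, the VIP 192.168.5.5:443, the policy name DMZ-Cop and viewforms-pool come from the posts above.

```tmsh
# Client-side SSL profiles, one per FQDN, same key/cert with all FQDNs in the SAN.
# Profile, cert and key names are assumed; FQDNs, VIP and viewforms-pool are from the thread.
ltm profile client-ssl clientssl_viewforms {
    defaults-from clientssl
    cert mycompany-san.crt
    key mycompany-san.key
    server-name viewforms.mycompany.org
    sni-default true
}
ltm profile client-ssl clientssl_employee {
    defaults-from clientssl
    cert mycompany-san.crt
    key mycompany-san.key
    server-name employee.mycompany.org
}
# sni-default true is the "Default SSL Profile for SNI" checkbox (used when the ClientHello carries no SNI).

# Content switching on the SNI server name at ClientHello time; employee-pool is an assumed name.
ltm policy DMZ-Cop {
    controls { forwarding }
    requires { client-ssl }
    strategy first-match
    status published
    rules {
        viewforms {
            conditions { 0 { ssl-extension server-name ssl-client-hello values { viewforms.mycompany.org } } }
            actions { 0 { forward ssl-client-hello select pool viewforms-pool } }
        }
        employee {
            conditions { 0 { ssl-extension server-name ssl-client-hello values { employee.mycompany.org } } }
            actions { 0 { forward ssl-client-hello select pool employee-pool } }
        }
    }
}

# Virtual server: TLS is terminated on the LTM (client-ssl profiles only, no server-ssl profile),
# HTTP profile attached, SNAT automap, no default pool; the policy selects the pool.
ltm virtual vs_dmz_443 {
    destination 192.168.5.5:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl_viewforms { context clientside }
        clientssl_employee { context clientside }
    }
    source-address-translation { type automap }
    policies { DMZ-Cop { } }
}
```

Because there is no server-ssl profile, the LTM sends plain HTTP to the pool members, so the TLS handshake with the client is completed by the LTM using the selected clientssl profile rather than by the backend server.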