F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

John_Krum's avatar
John_Krum
Icon for Cirrus rankCirrus
Jul 07, 2021

Policies to move HTTPS traffic

I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible wit...
application delivery
BIG-IP
iRules
policy
John_Krum's avatar
John_Krum
Icon for Cirrus rankCirrus
Jul 07, 2021
I have looked at the first reference link earlier as well. Here is more detail regarding what I am trying to accomplish. I have a outside firewall NAT for incoming 443 traffic on 96.103.236.222 that forwards that traffic to a LTM VIP 192.168.5.5 listening on 443. I am trying to have sites Viewforms.mycompany.org And Employee.mycompany.org (I am also thinking it might be better to do Mycompany.web.org/viewforms And Mycompany.web.org/employees But the first one is preferred) The VIP is basic. HTTP profile is HTTP – I have to select a http or a http-connect profile (this is where I am not sure why I require an http profile, it makes me think that the server connection is http) Automap Resources I don’t have a default pool selected (I did to verify I get the login page prior to adding a policy) Policy is DMZ-Cop DMZ-Cop is Match HTTP Host -> host -> is -> any of -> Viewforms.mycompany.org or viewforms -> at request time Do the following Forward traffic -> to pool -> viewforms-pool When I https to the page Viewforms.mycompany.org I do not see any policy statistics, invoked or succeeded. I haven’t tried adding any info for the second site. Once I change the VIP config http profile (client) to http – I no longer connect to the login page. I do see TCP handshake, Client Hello, and an ACK to that. 1.5 seconds later a FIN from my side. Thanks John Krumenacher
John_Krum's avatar
John_Krum
Icon for Cirrus rankCirrus
Jul 13, 2021

Good Afternoon Daniel,

I have followed your guide, and the tech doc. to create the VIP/Policy and SSl profiles. I added logging as well to the policy. I am getting log entries for this policy. I have compared pcaps from going through the VIP and going directly to the server. I have captured on both the client side and server side of each. (on the VIP captures) I see the Client hello - client side, client key exchange - server side and a cipher secs finish - client side.

 

On the client side capture there is a server hello - change cipher specs and

a change cipher specs finished

that is not present in the client to server capture (no LTM)

an HTTP get / http/1.1 with the full URI https://view.mycomp.org

 

the vip ACKs the change cipher specs

ACKs the Get

and sends a RST

 

On the server side capture I get a encryption alert 21 from the VIP.

 

I think I am making progress.

 

Any ideas for me on this?

Thank you,

John