Forum Discussion
J_T__47709
Nimbostratus
Apr 16, 2008
Problem with SSL termination on LTM...
I couldn't configure LTM to balance https traffic to different pools (same target servers but different ports), depending on client IP address (using iRule), so I tried another approach...SSL terminat...
hoolio
Cirrostratus
Apr 16, 2008
I couldn't configure LTM to balance https traffic to different pools (same target servers but different ports), depending on client IP address (using iRule), so I tried another approach...SSL termination on LTM.
The BIG-IP is probably more efficient at decrypting the SSL than the servers, but if you wanted to try your original goal of passing the SSL through encrypted, you could try two different options:
1. Create a single virtual server on port 0 (any) pointing to a single pool with the pool members also defined on port 0. Disable port translation on the virtual server so that requests to 80 go to the pool on port 80, etc. Add a source address persistence profile and you should see requests persisted to the same pool member regardless of whether the request is on 80 or 443. To restrict access to just port 80 and port 443, you could add a rule which checks the requested port in CLIENT_ACCEPTED and rejects all but 80 and 443. Else, you could use packet filters to do this.
2. You could create one VIP on port 80 and a second on 443. The pool members would also be configured on the same port. Add a custom source address persistence profile to both VIPs with 'Match Across Services' enabled.
Aaron
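The port restriction suggested in option 1 of the reply above, sketched as an iRule. This is an added example, not code from the original post; it assumes it is attached to the port 0 (any) virtual server with port translation disabled, and the log message format is illustrative.

```tcl
# Added example: restrict a wildcard-port virtual server to ports 80 and 443.
when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port the client connected to.
    switch -- [TCP::local_port] {
        80 -
        443 {
            # Allowed service ports: do nothing, so the connection goes to the
            # virtual server's default pool. With port translation disabled,
            # the pool member is contacted on the same port the client used.
        }
        default {
            # Any other port reaching the wildcard listener is refused with a
            # reset, and the source is logged so unexpected probes are visible.
            log local0.info "Rejected [IP::client_addr] to port [TCP::local_port]"
            reject
        }
    }
}
```

Without a check like this (or equivalent packet filters), a port 0 virtual server forwards every destination port to the pool members. The per-connection log line can be dropped if port scans make it too noisy.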