For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Angel_Lopez_116's avatar
Angel_Lopez_116
Icon for Altostratus rankAltostratus
May 07, 2014

Redirect traffic to one VS to another

I've been asked to redirect access to a VS to another one. The problem here is that the target VS is an HTTPS VS and the BIG-IP doesn't open the SSL so I can't configure an HTTP 301 redirect.   I'...
application delivery
iptables
LTM
redirect
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 07, 2014

It's definitely going to be difficult to inject any application layer logic without decrypted access to it. You could:

 

  1. Create a NAT on the BIG-IP - more or less the same approach as your iptables idea, but within TMOS.

     

  2. Create a layer virtual server - 443 destination port, 443 destination pool, no SSL offload. This, in my opinion, is better than the first approach because you can at least load balance the back end service and apply health monitors.

     

Both of these approaches assume you can route to the other service from the BIG-IP and you're okay making this the path to access this service.

 

All that said, please also consider what you gain when you offload SSL at this default-deny security appliance, and what you lose when you don't. In many cases, the strict interpretation and enforcement of "end-to-end" SSL is overcome by the benefits of offloading that client side SSL to a secure proxy.