Forum Discussion
Reg VIP Forwarding using iRule.
If you want to forward based on the Host header, which may be the same value as the Server Name TLS extension, you can use SNI routing:
https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
With this, don’t assign a clientssl profile to the outside virtual server.
Thank you Stanislas
- Yugandhar, Nov 04, 2019, Nimbostratus
Hi Stanislas,
In this case SSL client profile would be applied to both VIPs.
Could you also please tell me the message that the client web browser receives from the F5 (1st VIP) after the iRule statement virtual "/External/xyz.com--443" is executed?
I would like to know whether the client receives an HTTP 302 (redirect message) or something else.
Thanks,
Yugandhar.
- Stanislas_Piro2, Nov 04, 2019, Cumulonimbus
The virtual command forwards the TCP connection to the new VS.
There is no HTTP response.
So if:
- the outside virtual server has client side encryption configured (client ssl profile assigned)
- the outside virtual server has a server-side clear connection configured (no serverssl profile)
- the inner virtual server has clientssl profile
The client MUST initiate a TLS handshake inside the first TLS connection, which may not work...
If you want to decrypt the connection on the inner VS, you must have:
- No Client SSL + Server SSL profiles assigned to the outside VS
- Both Client SSL + Server SSL profiles assigned to the outside VS