Forum Discussion
W__Tout_99150
Nimbostratus
NimbostratusSSL encryption on outgoing requests
We have multiple 3rd parties to which we connect over https. We're considering moving the SSL encryption from our application to the load balancer to reduce the load on the application. Is it feasible?
If it is, how is the required certificate(s) going to be included in the requests and where should it/they be located on the load balancer?
hoolioCirrostratus
Hi,
You could create an HTTP VIP defined with the IP:port of the external server. Disable address translation and add a server SSL profile to the VIP. You could enable the VIP only on the VLAN that your client host is connected on. The host would connect to the VIP via HTTP. The BIG-IP would proxy a serverside connection via HTTPS.
Aaron
W__Tout_99150Thanks for the response Aaron but I honestly don't quite see how to do what you suggested. I'd appreciate it if you could provide an example.- hoolioSorry, I didn't see your last post.
If you can use an internal IP address you'd configure a pool with the pubic IP address and port you want to connect to. Then create a VIP using the internal IP address on port 80. Add a server SSL profile to the VIP and it should work.
You could also configure the VIP using the actual public IP of the external server. You'd need to disable ARP on the virtual address and ensure there is a route on the client to the public IP through LTM. Here is a sample config using Gmail as a public HTTPS site:pool gmail_https_pool { member 64.233.171.83:https } virtual address 64.233.171.83 { arp disable } virtual gmail_https_vs { destination 64.233.171.83:http snat automap ip protocol tcp profile serverssl tcp pool gmail_https_pool }
Aaron