Forum Discussion
SSL Forward Proxy Question
So, my question is, the above seems to be designed to operate when the clients and the F5 are in the same subnet. How would we make this work if the servers were not in the same subnet?
I ask as we have a similar situation, but our clients (or in this case, servers) are in a different subnet and separated from the F5 by a firewall. Getting the traffic through the firewall is not an issue, but how would we get the client traffic to the F5?
If the VS has an address of 0.0.0.0 - how would we route traffic to it?
Hi Paul
Using a wildcard VS shouldn't present any issues as long as:
- You have a route (default or specific) with the next-hop of the F5's self IP adjacent at Layer 2 to the firewall.
- You configure the wildcard VS to be enabled on the same VLAN as the self IP in point 1. This perhaps isn't strictly necessary but feels like the right thing to do.
- Configure the wildcard VS to listen on a specific port. Again, not entirely necessary but if you know the servers will only ever talk out using HTTPS, then why not.
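The three points above as a BIG-IP configuration sketch. This is an added example, not part of the original reply; the VLAN name `vlan_fw_transit`, the self IP `10.10.20.5` and the virtual server name `vs_fwdproxy_wildcard` are hypothetical, and the SSL forward proxy profiles are left out.

```tmsh
# Point 1: the firewall needs a route (default or specific) for the servers'
# outbound destinations whose next hop is the BIG-IP self IP on the VLAN it
# shares with the firewall. The route syntax depends on the firewall vendor.
# Hypothetical self IP on that shared VLAN: 10.10.20.5/24
tmsh create net self self_fw_transit address 10.10.20.5/24 \
    vlan vlan_fw_transit allow-service none

# Points 2 and 3: wildcard virtual server (0.0.0.0, mask any) that only
# listens on the VLAN facing the firewall and only on TCP 443.
# Address and port translation are disabled so the original destination
# is preserved. Attach the SSL forward proxy profiles separately.
tmsh create ltm virtual vs_fwdproxy_wildcard \
    destination 0.0.0.0:443 mask any ip-protocol tcp \
    vlans-enabled vlans add { vlan_fw_transit } \
    translate-address disabled translate-port disabled

# Check: the listener should show the wildcard destination, port 443 and
# only the one enabled VLAN, so it does not catch traffic on other VLANs.
tmsh list ltm virtual vs_fwdproxy_wildcard destination mask vlans vlans-enabled
tmsh list net self self_fw_transit
```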