Forum Discussion
Leon_85602
Nimbostratus
Aug 31, 2009
SSL in backend servers does not support cookie persistence?
I have three IIS servers behind the F5. SSL function is not offloaded to F5. I have enabled certificates on the IIS servers to encrypt the connection.
If I choose "none" for my http profile in the virtual server, it will work. Clients can successfully connect to the server via SSL. However, if I choose the default "http" profile, the SSL connection will fail. The problem is cookie persistence can only be chosen when I choose the "http" profile. Is there any particular option in the "http" profile forbidding the SSL connection, or do I have to use SSL persistence in these circumstances?
Thanks!
2 Replies
- Kevin_Stewart
Employee
Cookie persistence requires an HTTP profile.
In fact, if you aren't terminating SSL on the BigIP, your persistence options become very limiting. You have source and destination address and SSL session ID. Destination doesn't really make sense unless combined with other values, and source address can change if clients (or your servers) are behind NATs. SSL session ID is also difficult to persist off of because browsers will renegotiate SSL at their will.
Kevin
- L4L7_53191
Nimbostratus
Skyout: think of it this way - if you're terminating SSL on the servers, the BigIP has no visibility above layer 4 (basic TCP level stuff). Cookies and such are up at layer 7, and an HTTP profile applied to a virtual server essentially tells the BigIP "this is a layer 7 virtual server". This is why you're not working correctly.
To accomplish what you want, use a client ssl profile and re-encrypt back (via a server ssl profile) to your IIS systems. This way you'll have full visibility and can do what you need to do.
-Matt
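Added example, not part of the original thread and not F5 code: a small Python sketch of what a proxy can read from the first bytes of a client stream when SSL passes through untouched versus after it has been decrypted. The byte strings are constructed samples, and the cookie name `SRVPERSIST` and the function names are hypothetical.

```python
import struct

# Constructed sample inputs, not captured traffic.
# Start of a TLS handshake record: type 0x16, version 3.1, 2-byte length, body cut short.
TLS_BYTES = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x03"
# The same client's request as seen after decryption on the load balancer.
HTTP_BYTES = (b"GET /app HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: lang=en; SRVPERSIST=iis2\r\n\r\n")

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")
TLS_RECORD_TYPES = (0x14, 0x15, 0x16, 0x17)
PERSIST_COOKIE = "SRVPERSIST"  # hypothetical cookie name
# Options the thread lists for SSL that is not terminated on the load balancer.
BASE_OPTIONS = ["source address", "destination address", "SSL session ID"]


def classify(data):
    """Return 'tls', 'http' or 'unknown' from the first bytes of a client stream."""
    if len(data) >= 5:
        rec_type, major, _minor, _length = struct.unpack("!BBBH", data[:5])
        if rec_type in TLS_RECORD_TYPES and major == 3:
            return "tls"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def persistence_cookie(data):
    """Return the persistence cookie value, or None when no readable HTTP is present."""
    if classify(data) != "http":
        return None  # TLS record: the headers are ciphertext to the proxy
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if key == PERSIST_COOKIE:
                return val
    return None


def persistence_options(data):
    """List the persistence keys a proxy can derive from this stream."""
    return BASE_OPTIONS + (["cookie"] if classify(data) == "http" else [])


if __name__ == "__main__":
    for label, sample in (("pass-through", TLS_BYTES), ("decrypted", HTTP_BYTES)):
        print(label, classify(sample), persistence_cookie(sample), persistence_options(sample))
```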
