SSL issues with new setup
ltm virtual BigIP_443 {
    creation-time 2023-09-26:15:10:23
    destination <VS IP>:https
    ip-protocol tcp
    last-modified-time 2023-09-28:09:52:29
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool Nav_Pool_443
    profiles {
        LC-http { }
        LC-oneconnect { }
        LC-tcp-lan { }
        Modified_Wildcard {
            context clientside
        }
        Modified_serverssl {
            context serverside
        }
        analytics { }
        tcp-analytics { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool BigIP-Nav
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
The above was just a configuration I was playing around with, trying to get something like just SSL Passthrough to work. I think the end goal is the SSL Bridging because you get better traffic analysis and load balancing or something like that.
This is what the profile was before I started just trying stuff this a.m.
ltm virtual BigIP-Nav_443 {
    creation-time 2023-09-26:15:10:23
    destination <VS IP>:https
    ip-protocol tcp
    last-modified-time 2023-09-28:11:01:52
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool Nav_Pool_443
    profiles {
        LC-http { }
        LC-oneconnect { }
        LC-tcp-lan { }
        Wildcard23-24 {
            context clientside
        }
        analytics { }
        tcp-analytics { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool BigIP-Nav
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
Here is the SSL profile
ltm profile client-ssl Wildcard23-24 {
    app-service none
    cert-key-chain {
        WildCard23-24_0 {
            cert WildCard23-24
            key WildCard23-24
            passphrase <encrypted>
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    log-ssl-c3d-events debug
    log-ssl-client-authentication-events debug
    log-ssl-forward-proxy-events debug
    log-ssl-handshake-events debug
}
And here is the pool
ltm pool Nav_Pool_443 {
    load-balancing-mode predictive-member
    members {
        Nav01:https {
            address <IP>
            session monitor-enabled
            state up
        }
        Nav02:https {
            address <IP>
            session monitor-enabled
            state up
        }
    }
    monitor https
}
Thanks again!
- Paulius, Sep 28, 2023 (MVP)
irbk Based on the second virtual server configuration, I see that you are passing decrypted traffic to the servers on 443. Did you configure the servers to receive decrypted traffic on 443? By default they should not allow that. Now, SSL bridging is nice but not necessary; it completely depends on your security stance and the capabilities of the receiving pool members, and on whether they can perform all application functions over HTTP and not HTTPS. If it's not required, I would stick with SSL termination at the F5 and pass decrypted traffic to the servers.
- irbk, Sep 28, 2023 (Cirrus)
No, that shouldn't be right. The servers have to have encrypted traffic; they aren't configured to receive it otherwise. What setting requires changing?
Actually, the servers aren't even going to be receiving on 443 in the end; this is just how I'm testing to get the certificate issue squared away. But the servers do need to receive encrypted traffic, so either the BigIP needs to do a passthrough or we need to set up the SSL Bridging (which I believe is the preferred option for several reasons).
- Paulius, Sep 28, 2023 (MVP)
irbk So I think we need to sort a few configuration options first.
1. SSL Termination on F5
F5 terminates SSL using the SSL Client profile and then passes decrypted HTTPS traffic to the server on an alternate port such as 80 or 8080, so that you or the application can tell the difference between traffic that was HTTP and traffic that was HTTPS. So 443 (F5) -> 8080 (pool member).
2. SSL Bridging
F5 terminates SSL using the SSL Client profile, performs various tasks now that the traffic is decrypted, then finally uses the SSL Server profile to encrypt the traffic and pass it to the pool member on 443 or an alternate port such as 8443.
3. SSL Passthrough
F5 performs zero SSL tasks and passes the traffic directly to the server to decrypt and encrypt.
If you are having an SSL issue, it could be directly related to the server not being configured to receive that decrypted traffic, since you are only using an SSL client profile, or possibly to an SSL cert on the server that is rejecting the requests.
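As an added worked example (not part of this thread and not F5 tooling): a small Python script that parses tmsh-style `ltm virtual`, `ltm pool` and `ltm profile` stanzas, works out which of the three modes above a virtual server is in from the types of the profiles attached to it, and flags the two mismatches discussed in this thread: a client-ssl-only virtual server sending decrypted HTTP to pool members on `:https`, and a "passthrough" virtual server that still has an http profile attached (the BIG-IP cannot parse encrypted traffic as HTTP). The sample config is constructed for this example: a trimmed copy of the two virtual servers and pool posted above, plus invented minimal stanzas for the profiles whose definitions were not posted (Modified_Wildcard, Modified_serverssl, LC-http) and a hypothetical Passthrough_443 virtual server. The parser handles multi-line blocks and single-pair one-line blocks like `X { context clientside }`, which is the shape tmsh prints, and nothing more.

```python
def parse_tmsh(text: str) -> dict:
    """Parse tmsh brace syntax ('key [value] {', '}', 'key value') into nested dicts."""
    root: dict = {}
    stack = [root]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "}":
            if len(stack) == 1:
                raise ValueError("stray '}'")
            stack.pop()
        elif line.endswith("}"):        # one-line block: 'LC-http { }' or 'X { context clientside }'
            key, _, inner = line[:-1].partition("{")
            stack[-1][key.strip()] = dict([inner.split()]) if inner.strip() else {}
        elif line.endswith("{"):        # open block, e.g. 'profiles {'
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:                           # leaf, e.g. 'context clientside'
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("block not closed")
    return root


def profile_types(cfg: dict) -> dict:
    """Map profile name -> type from 'ltm profile <type> <name>' stanzas."""
    return {k.split()[3]: k.split()[2] for k in cfg
            if k.startswith("ltm profile ") and len(k.split()) == 4}


def pool_member_ports(cfg: dict, pool_name: str) -> set:
    """Service ports of a pool's members ('Nav01:https' -> 'https')."""
    pool = cfg.get(f"ltm pool {pool_name}", {})
    return {m.rsplit(":", 1)[-1] for m in pool.get("members", {})}


def classify(cfg: dict, vs_name: str):
    """Return (mode, findings) for one virtual server from its attached profile types."""
    vs = cfg[f"ltm virtual {vs_name}"]
    types = profile_types(cfg)
    # Attached profile names resolved to types; 'unknown' if the stanza is not in the text.
    kinds = {types.get(name, "unknown") for name in vs.get("profiles", {})}
    if "client-ssl" in kinds:           # BIG-IP decrypts the client side
        mode = "bridging" if "server-ssl" in kinds else "termination"
    else:
        mode = "server-ssl only" if "server-ssl" in kinds else "passthrough"
    findings = []
    ports = pool_member_ports(cfg, vs.get("pool", ""))
    if mode == "termination" and ports & {"https", "443"}:
        findings.append(f"client-ssl only but pool members listen on {sorted(ports)}: "
                        "decrypted HTTP would be sent to a TLS port")
    if mode == "passthrough" and "http" in kinds:
        findings.append("no SSL profile but an http profile is attached: BIG-IP cannot "
                        "parse encrypted traffic as HTTP; remove it for passthrough")
    return mode, findings


# Constructed sample: trimmed copy of the thread's two virtual servers and pool, plus
# invented stanzas for the profiles not posted and a hypothetical Passthrough_443 VS.
SAMPLE_CONFIG = """
ltm profile client-ssl Wildcard23-24 { }
ltm profile client-ssl Modified_Wildcard { }
ltm profile server-ssl Modified_serverssl { }
ltm profile http LC-http { }
ltm pool Nav_Pool_443 {
    members {
        Nav01:https { }
        Nav02:https { }
    }
}
ltm virtual BigIP_443 {
    pool Nav_Pool_443
    profiles {
        LC-http { }
        Modified_Wildcard { context clientside }
        Modified_serverssl { context serverside }
    }
}
ltm virtual BigIP-Nav_443 {
    pool Nav_Pool_443
    profiles {
        LC-http { }
        Wildcard23-24 { context clientside }
    }
}
ltm virtual Passthrough_443 {
    pool Nav_Pool_443
    profiles {
        LC-http { }
        LC-tcp-lan { }
    }
}
"""

if __name__ == "__main__":
    cfg = parse_tmsh(SAMPLE_CONFIG)
    for name in ("BigIP_443", "BigIP-Nav_443", "Passthrough_443"):
        print(name, *classify(cfg, name))
```

Run against the sample, the first virtual server (client-ssl plus server-ssl) comes out as bridging with no findings, the second (client-ssl only, pool on `:https`) as termination with the cleartext-to-443 mismatch Paulius pointed out, and the hypothetical passthrough one is flagged for the leftover http profile. To use it on a real box, feed it the output of `tmsh list ltm virtual`, `tmsh list ltm pool` and `tmsh list ltm profile` concatenated; profiles whose stanzas are missing are simply typed `unknown`, so the classification is only as complete as the text you give it.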