For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Aug 14, 2012

SSL offload headers for ASM

Hi,     Is there a way for an ASM box sitting behind an LTM box to know that SSL has been terminated on LTM? We add in similar headers for Weblogic which is behind ASM, but found that the allowe...
app sec
BIG-IP Access Policy Manager (APM)
security
jwham20's avatar
jwham20
Icon for Nimbostratus rankNimbostratus
Aug 14, 2012
Chris,

 

 

Hmm, so the ASM of course needs the traffic to be decrypted before it can really do much for it (hence the asm policies being for http).

 

 

In a single unit, dual module configuration, typically you just see an LTM virtual with a ssl profile on it, and an ASM enabled HTTP class attached to it. This allows the LTM to do the ssl decrypt and the ASM module to do it's dark magic. You can even throw on a server side SSL profile if you want to re-encrypt.

 

 

In the dual box environment, question:

 

 

are you re-encrypting between the LTM unit and ASM unit? If so, then you should just be able to decrypt on the ASM unit Virtual server profile, and let the ASM do it's thing.

 

 

Sorry for the scattergun answer, I may have misread the question (and there is probably about 10,000 different right answers.

 

 

Josh M