For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MK_167350's avatar
MK_167350
Icon for Nimbostratus rankNimbostratus
Aug 20, 2014

SSL offload not working

I have configured VIP with https with back end services port http. When i apply SSL Client profile i dont have any issue and able to access the url. When apply the SSL Server Profile (applied default as serverssl) the url is not working and it says Page cant be displayed. Can you please help me what may be the issue, do we need to do any other settings or do the client has to do any thing on server end? the Server is running with Windows 2012 IIS. Please do the needful ASAP.

 

Just FYI: The goal is client want the traffic between F5 to back end server also need to encrypt. for that I had applied the SSL Server Profile as serverssl

 

application delivery
LTM
management
microsoft

9 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Aug 20, 2014

    Yes, the default serverssl profile should work. 

    I have configured VIP with https with back end services port http

    You will need to configure the backend server to accept secure (443) connections, however.

    Hope this helps.

    N

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Aug 20, 2014

    can you post the virtual and pool configuration?

     tmsh list ltm virtual (name)
 tmsh list ltm pool (name)
    • MK_167350's avatar
      MK_167350
      Icon for Nimbostratus rankNimbostratus
      Aug 20, 2014
      Thanks for quick response, Here is the output ltm virtual reporting-qa_https { description "reporting-qa HTTPS VIP" destination 172.24.1.8:https ip-protocol tcp mask 255.255.255.255 persist { reporting_ssl_persist { default yes } } pool reporting_http_Pool2 profiles { reporting-qa { context clientside } http { } serverssl { context serverside } tcp { } } source 0.0.0.0/0 source-address-translation { pool reporting_SNATPool type snat } vs-index 15 } ltm pool reporting_http_Pool2 { load-balancing-mode least-connections-member members { 172.24.1.11:http { address 172.24.1.11 session user-disabled state down } 172.24.1.12:http { address 172.24.1.12 session monitor-enabled state up } } monitor http }
    • nitass_89166's avatar
      nitass_89166
      Icon for Noctilucent rankNoctilucent
      Aug 20, 2014
      as nathan mentioned, pool should be https (because you re-encrypt traffic/serverssl).
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 20, 2014

    can you post the virtual and pool configuration?

     tmsh list ltm virtual (name)
 tmsh list ltm pool (name)
    • MK_167350's avatar
      MK_167350
      Icon for Nimbostratus rankNimbostratus
      Aug 20, 2014
      Thanks for quick response, Here is the output ltm virtual reporting-qa_https { description "reporting-qa HTTPS VIP" destination 172.24.1.8:https ip-protocol tcp mask 255.255.255.255 persist { reporting_ssl_persist { default yes } } pool reporting_http_Pool2 profiles { reporting-qa { context clientside } http { } serverssl { context serverside } tcp { } } source 0.0.0.0/0 source-address-translation { pool reporting_SNATPool type snat } vs-index 15 } ltm pool reporting_http_Pool2 { load-balancing-mode least-connections-member members { 172.24.1.11:http { address 172.24.1.11 session user-disabled state down } 172.24.1.12:http { address 172.24.1.12 session monitor-enabled state up } } monitor http }
    • nitass's avatar
      nitass
      Icon for Employee rankEmployee
      Aug 20, 2014
      as nathan mentioned, pool should be https (because you re-encrypt traffic/serverssl).