Forum Discussion
SSL Offload Re-Write Clear-text TCP Destination Field To Port 80
I want to offload inbound SSL and re-write the cleartext TCP destination field to a new TCP destination port, e.g. TCP 443 to TCP 80. I'm using an F5 LTM product. Does anyone have a sample config?
5 Replies
- nitass
Employee
Is it a normal SSL offload configuration?
e.g.
[root@ve11a:Active:Changes Pending] config tmsh list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.111:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 23
}
[root@ve11a:Active:Changes Pending] config tmsh list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
[root@ve11a:Active:Changes Pending] config curl -Ik https://172.28.20.111
HTTP/1.1 200 OK
Date: Thu, 29 Aug 2013 04:28:31 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
- BeirutJack83_13
Nimbostratus
OK, let's assume on inbound traffic I want to use a Gigamon device to send a copy of the SSL traffic to an LTM for SSL offload, then send the decrypted cleartext to another inspection device to inspect the cleartext HTTP as port 80 per the config above. Then can I reverse that process and inspect the outbound server traffic by using Gigamon to send a copy of the encrypted server return traffic to the LTM to be decrypted and forwarded to the inspection device to inspect the server return traffic?
- nitass
Employee
OK, let's assume on inbound traffic I want to use a Gigamon device to send a copy of the SSL traffic to an LTM for SSL offload, then send the decrypted cleartext to another inspection device to inspect the cleartext HTTP as port 80 per the config above. Then can I reverse that process and inspect the outbound server traffic by using Gigamon to send a copy of the encrypted server return traffic to the LTM to be decrypted and forwarded to the inspection device to inspect the server return traffic?
Can you do something like this instead?
Divert Unencrypted Traffic through an IPS with Local Traffic Manager by Jason Rahm
https://devcentral.f5.com/articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic-manager
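An added example, not code from the thread, from F5 or from the linked article: a Python check that parses the tmsh output nitass posted earlier (embedded below as the sample input) and reports the two things this thread turns on, whether the virtual server terminates TLS with only a clientssl profile, so the leg to the pool is cleartext HTTP (the traffic an IPS divert is meant to see), and whether the pool member port differs from the VIP port, which is what rewrites 443 to 80. It assumes translate-port is at its default of enabled when `tmsh list` omits it, and it matches profiles by the names shown in the output.

```python
import re

# Sample input: the virtual server and pool exactly as nitass posted them above (tmsh list output,
# flattened by the forum); the parser relies on brace depth, so the indented layout tmsh prints works too.
TMSH_VIRTUAL = ("ltm virtual bar { destination 172.28.20.111:443 ip-protocol tcp mask 255.255.255.255 "
                "pool foo profiles { clientssl { context clientside } tcp { } } source 0.0.0.0/0 "
                "source-address-translation { type automap } vs-index 23 }")
TMSH_POOL = "ltm pool foo { members { 200.200.200.101:80 { address 200.200.200.101 } } }"

def block_body(text, pattern):
    """Body of the first block whose header matches `pattern {`, delimited by brace depth."""
    m = re.search(pattern + r"\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def child_names(body):
    """Names of the direct child blocks (`name {`) in a body, skipping nested ones."""
    names, depth = [], 0
    for m in re.finditer(r"([\w./-]+)\s*\{|[{}]", body):
        if m.group(0) == "}":
            depth -= 1
            continue
        if depth == 0 and m.group(1):
            names.append(m.group(1))
        depth += 1
    return names

def audit_offload(virtual_text, pool_text):
    """Answer the two questions in this thread: is TLS terminated on the LTM, and is 443 rewritten?"""
    vip_port = int(re.search(r"\bdestination\s+\S+:(\d+)", virtual_text).group(1))
    # tmsh list omits defaults; translate-port defaults to enabled on a standard virtual server
    tp = re.search(r"\btranslate-port\s+(\w+)", virtual_text)
    translate_port = tp.group(1) if tp else "enabled"
    # profile names as listed (assumption); custom names would need `list ... all-properties` to see the type
    profiles = [p.rsplit("/", 1)[-1] for p in child_names(block_body(virtual_text, r"\bprofiles"))]
    member_ports = sorted({int(p) for p in re.findall(r"[\d.]+:(\d+)\s*\{", block_body(pool_text, r"\bmembers"))})
    return {
        "vip_port": vip_port,
        "member_ports": member_ports,
        "tls_terminated": "clientssl" in profiles,
        "cleartext_to_pool": "clientssl" in profiles and "serverssl" not in profiles,
        "port_rewrite": translate_port == "enabled" and member_ports != [vip_port],
    }
```

For the posted config this reports TLS terminated, cleartext to the pool, and a 443-to-80 rewrite; adding a serverssl profile flips cleartext_to_pool off, and a pool member on :443 flips port_rewrite off.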