Forum Discussion

Raja_M's avatar
Raja_M
Icon for Nimbostratus rankNimbostratus
May 24, 2018

SSL Offloading on F5 LTM

We have 2 VIP 1. VIP is on port 5555 and pool members also in service port. 2. VIP is on Port 5443 and Pool members in 5555.

 

They want to do ssl offload on the VIP will it work???

 

application delivery
BIG-IP
  • Steve_Lyons's avatar
    Steve_Lyons
    Ret. Employee
    May 24, 2018

    I personally don't see why not as I have a lot of customers using non standard ports for their web applications. I am curious as to why you wouldn't want to define a standard port on the virtual server as either users will need to manually define :5555 or you will need to create an iRule to redirect all requests to port 5555. As for the server side, the BIG-IP will perform any translation required to the service port of the pool members. At this point the BIG-IP is the client using ephemeral ports connecting to a static port on your web server. As long as the web server itself is listening on 5555 you should be fine. What are some of your concerns?

     

    • Raja_M's avatar
      Raja_M
      Icon for Nimbostratus rankNimbostratus
      May 24, 2018

      MY concern is if we add SSL certificate on non standard port VIP 5555 will SSL offloading work or not???

       

    • Steve_Lyons's avatar
      Steve_Lyons
      Ret. Employee
      May 24, 2018

      Yes, this will work. The virtual server will listen on the non standard port with a client SSL profile assigned. If you want to do true offloading with just HTTP to the web server then do NOT assign a server ssl profile. If you wanted to do bridging then simply assign a Server SSL profile to the virtual server.

       

  • Steve_Lyons_236's avatar
    Steve_Lyons_236
    Historic F5 Account
    May 24, 2018

    I personally don't see why not as I have a lot of customers using non standard ports for their web applications. I am curious as to why you wouldn't want to define a standard port on the virtual server as either users will need to manually define :5555 or you will need to create an iRule to redirect all requests to port 5555. As for the server side, the BIG-IP will perform any translation required to the service port of the pool members. At this point the BIG-IP is the client using ephemeral ports connecting to a static port on your web server. As long as the web server itself is listening on 5555 you should be fine. What are some of your concerns?

     

    • Raja_M's avatar
      Raja_M
      Icon for Nimbostratus rankNimbostratus
      May 24, 2018

      MY concern is if we add SSL certificate on non standard port VIP 5555 will SSL offloading work or not???

       

    • Steve_Lyons_236's avatar
      Steve_Lyons_236
      Historic F5 Account
      May 24, 2018

      Yes, this will work. The virtual server will listen on the non standard port with a client SSL profile assigned. If you want to do true offloading with just HTTP to the web server then do NOT assign a server ssl profile. If you wanted to do bridging then simply assign a Server SSL profile to the virtual server.