F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Techgeeeg_28888's avatar
Techgeeeg_28888
Icon for Nimbostratus rankNimbostratus
Dec 09, 2013

SSL Offloading

Hi Everyone, I have a small question I have a web server with SSL termination on it. Now when I try to create the VS on LTM on port 443 it dosent work, I want to forward the connection from VS to the pool members on the Server directly and let the SSL offloading happen on the Server itself. Is it must that I have to upload the SSL certificate on LTM and attach the certificate to the VS both on client and server side? or I can just forward the connection to the servers is that possible??

 

Regards

 

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Dec 10, 2013

    You can do it one of two ways:

     

    1. You can simply pass the 443 SSL traffic through the box - remove an client or server SSL profiles, set the VIP to listen on port 443, send to a pool of servers listening on port 443, and remove any layer 7 profiles from the VIP (ie. HTTP).

       

    2. You can terminate and re-encrypt the SSL on the LTM. This will require a client AND server SSL profile. The great things about this options are 1) you can see inside the payload and make decisions, like persistence and request routing, and 2) you'll generally get much higher throughput if you let hardware offload the SSL. Granted that's mostly negated when you re-encrypt, but then there's a good argument for not re-encrypting, or at least re-encrypting at a lower cipher strength.