Forum Discussion
ssl onloading to more/different endpoints
I have a vip configured on port 80 (http) that acts as a transparent proxy for internal servers that must access inside and outside servers based on url and http/s (80/443/8443 etc). I use an iRule to resolve the ip address, check whether it is an internal host or external via datagroup-list and whether ssl onloading has to be done. If external then use serverside ssl. That's where I have a problem: connecting to a host on port 443 results in no connection, while connecting to the same host on port 80 I get a connection. What are the guidelines to set up a vip like this?
1 Reply
Kevin_Stewart (Employee)
I'd start with a capture on the server side to see what's going on. Assuming you're applying a server SSL profile and going to the site on its required port (443), then in the capture you should see the TCP 3-way handshake, and SSL handshake, and eventually encrypted data. Depending on the server it may require different cipher settings or an SNI (server name indication) in the handshake. If you can determine that it's failing after the TCP handshake, fire up an SSLDUMP and look inside the handshake:
ssldump -AdNn -i [external VLAN name or interface] port 443 [and any additional filters]

You'll be able to see inside the SSL handshake and when and where it's failing.