Forum Discussion

Lazar_92526
Mar 21, 2013

SSL packet and the effects of using SSL Bridging

All,

I'm trying to understand what the effects on a TCP packet are when SSL bridging is performed on it utilizing an LTM. If the SSL is decrypted and then re-encrypted to a backend server, what are the effects on that packet? Specifically I am trying to understand how Microsoft UAG (Unified Access Gateway) may handle or perceive that packet once it is passed to it from the F5 LTM. We are running 11.3.

Any guidance or technical references would be a great help!


4 Replies

  • I may be missing your intent, but generally speaking LTM is a full proxy at layer 4, so the TCP packet on the client side is not the same TCP packet that reaches the server on the other side. They are completely separate (and somewhat independent) connections. Equally, if you are decrypting and re-encrypting, the SSL session on the client side is separate from the SSL session on the server side.
  • That is my understanding as well. I'm wondering if there is anything we may need to consider regarding that, then passing to Microsoft's UAG, since the F5 is unencrypting and re-encrypting the packet. I'm investigating doing an SSL re-encryption, which is contrary to the design that is currently being looked at. Right now, the design consideration is to do SSL passthrough all the way to UAG, and that would limit our ability to inspect and know what is going on from a security packet inspection.
  • The TCP packet itself should have no bearing on the UAG server, however the SSL may, depending on what you need the SSL for. The big question, IMO, is what are you doing with UAG that requires re-encrypting the traffic? Is it for client certificate authentication?

    There are a few options:

    1. SSL pass through - it gets the job done, but as you point out, limits your visibility and also limits your ability to persist on the connections.

    2. ProxySSL - this would allow you to do an SSL man-in-the-middle - SSL negotiation between the client and server with visibility inside the payload.

    3. Question the reason for UAG in the first place. Assuming you're using it for authentication, consider what APM can provide (as in nearly identical functionality, but faster).
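
The two replies above make the same point: an LTM doing SSL bridging is a full proxy, so the connection UAG sees is a second, independent connection that the LTM opens, and the LTM gains visibility into the payload that passthrough denies it. The example below is an added illustration, not code from this thread or from F5: a minimal TCP "full proxy" on loopback that terminates the client connection, inspects the request line, opens its own upstream connection to a stand-in backend, and relays the response. The TLS layers are deliberately omitted (plain sockets, so it runs offline); with TLS on both legs, the client-side and server-side SSL sessions are independent in exactly the same way the two TCP connections are here. The request and the `X-Forwarded-For` insertion are constructed for the demo and are my assumption about how a backend would recover the original client address once it only sees the proxy as its TCP peer.

```python
"""Added example: a TCP full proxy modelling SSL-bridging behaviour (TLS omitted)."""
import socket
import threading


def recv_head(sock):
    """Read until the end of the HTTP header block (the demo request has no body)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def recv_all(sock):
    """Read until the peer closes the connection."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def add_forwarded_for(request, client_ip):
    """Append the original client address; the backend only sees the proxy as its TCP peer."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith(b"x-forwarded-for:"):
            lines[i] = line + b", " + client_ip.encode()
            break
    else:
        lines.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(lines) + sep + body


def serve_backend(listener, seen):
    """Stands in for the UAG server: records which TCP peer connected and what arrived."""
    conn, peer = listener.accept()
    with conn:
        seen["backend_peer"] = peer
        seen["backend_request"] = recv_head(conn)
        body = b"hello from backend"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                     % (len(body), body))


def serve_proxy(listener, backend_addr, seen):
    """Models the LTM: terminate the client leg, inspect, then open a separate upstream leg."""
    client, peer = listener.accept()
    with client:
        request = recv_head(client)
        seen["inspected"] = request.split(b"\r\n", 1)[0].decode()  # visibility passthrough lacks
        with socket.create_connection(backend_addr) as upstream:   # second, independent connection
            seen["proxy_upstream_port"] = upstream.getsockname()[1]
            upstream.sendall(add_forwarded_for(request, peer[0]))
            response = recv_all(upstream)
        client.sendall(response)


def run_demo():
    """Run client -> proxy -> backend on loopback and return what each side observed."""
    backend_l = socket.socket()
    backend_l.bind(("127.0.0.1", 0))
    backend_l.listen(1)
    proxy_l = socket.socket()
    proxy_l.bind(("127.0.0.1", 0))
    proxy_l.listen(1)
    seen = {}
    threads = [threading.Thread(target=serve_backend, args=(backend_l, seen)),
               threading.Thread(target=serve_proxy, args=(proxy_l, backend_l.getsockname(), seen))]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_l.getsockname()) as c:
        seen["client_port"] = c.getsockname()[1]
        # Constructed request for the demo; the Host value is a placeholder.
        c.sendall(b"GET /sharepoint/ HTTP/1.1\r\nHost: portal.example\r\n\r\n")
        seen["response"] = recv_all(c)
    for t in threads:
        t.join()
    backend_l.close()
    proxy_l.close()
    return seen


if __name__ == "__main__":
    s = run_demo()
    print("client source port:", s["client_port"])
    print("peer port the backend saw:", s["backend_peer"][1], "(the proxy's upstream socket)")
    print("proxy inspected:", s["inspected"])
    print(s["backend_request"].decode())
```

Running it shows the backend's TCP peer is the proxy's upstream socket, not the client's, which is why a backend that relies on the client address (logging, IP-based policy) needs something like the inserted header once you move from passthrough to bridging; the `inspected` value is the request line the proxy could see only because it terminated the client leg.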
  • We are considering APM, but needed to wait for the SAML support that came in with 11.3. Now there is a design in implementation with UAG as a reverse proxy for SharePoint. So now we are up on 11.3, and I'm trying to see what we can do to position APM. I have a virtual appliance I am setting up in parallel to our production design to prove what APM could do, but also have to consider that UAG may not be able to get replaced at this point. Just trying to get the best visibility into the traffic.