Qasim
May 30, 2019

SSL Passthrough.

Hi All,

I need a little urgent help with SSL passthrough. Basically, I want to know how to achieve SSL passthrough. As it stands, it's not working.

At the moment I have a VS listening on port tcp/443 and a pool listening on tcp/18103; I am not using any iRules. I have already tried creating client and SSL profiles with SSL passthrough enabled, but still no use.

I will appreciate your help with this.

Regards,

  • Seems to me that the option you are referring to is probably not the one you are looking for - it is suitable when you offload or bridge SSL and the ciphersuite negotiated between the client and server is not supported - then the traffic passes through. Is this your use case? If you want to use SSL passthrough (meaning no SSL inspection at all) then simply do not attach either client or server SSL profile.

    • Qasim

      Thanks Res for your swift response. Yes, you are right, I just don't want the LTMs to decrypt the traffic.

      I tried it without the SSL profiles first; it didn't work, so that's why I tried the SSL profiles.

      Is there anything I need to do on the HTTP profile?

      Thanks

      • Qasim

        Sorry, forgot to mention that I am using SNAT; that can't be causing any problem, can it?

  • What kind of VS are you configuring? Standard? Forwarding? Attaching an HTTP profile to a Standard VS essentially makes it an L7 VS (and makes traffic flow a little bit different than without an HTTP profile). Start with basic troubleshooting like verifying connectivity serverside using telnet/curl/nc (or whatever would work on your destination port/service you are load balancing to). SNAT is required when you would deal with asymmetric routing - are you using SNAT pool or automap to float/non-float address?

    • Qasim

      Hi Res,

      I am using a standard VS with an HTTP profile and yes, I am using a SNAT pool. I can connect to the nodes in the pool using curl and telnet.

      Do you think I should be using a Performance L4 type VS instead?

      Regards

      • xRes

        I would start with setting client side http profile to none (to force your VS to establish TCP connection with serverside without waiting for client data) and setting the SNAT to automap (to exclude any problems with your SNAT pool).
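
Added example (not part of the thread or from any of its posters): a client-side check for the setup discussed above. It completes a TLS handshake against the virtual server on tcp/443 and against each pool member on tcp/18103, then compares the leaf certificates presented. The host names in the usage comment are placeholders and the function names are this example's own.

```python
import hashlib
import socket
import ssl
import sys


def leaf_cert_sha256(host, port, server_name=None, timeout=5.0):
    """Complete a TLS handshake and return the SHA-256 of the peer's leaf certificate (DER)."""
    ctx = ssl.create_default_context()
    # Trust is deliberately not evaluated: the check only compares which
    # certificate each endpoint presents, so internal or self-signed
    # backend certificates still work. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def passthrough_verdict(vip_fp, member_fps):
    """Classify the fingerprint seen through the virtual server against the pool members'."""
    if vip_fp in member_fps:
        # Also true when the same cert/key pair is installed on the load
        # balancer, so a match is necessary for passthrough, not proof of it.
        return "consistent-with-passthrough"
    # A different certificate means TLS was terminated before the pool member.
    return "terminated-before-pool"


def check(vip, members, server_name=None):
    """vip and members are (host, port) tuples; returns (verdict, vip_fp, member_fps)."""
    vip_fp = leaf_cert_sha256(*vip, server_name=server_name)
    member_fps = {leaf_cert_sha256(h, p, server_name=server_name) for h, p in members}
    return passthrough_verdict(vip_fp, member_fps), vip_fp, member_fps


if __name__ == "__main__":
    # Usage (placeholder hosts): script.py VIP_HOST:443 MEMBER_HOST:18103 [MEMBER_HOST:18103 ...]
    def parse(arg):
        host, _, port = arg.rpartition(":")
        return host, int(port)

    verdict, vip_fp, member_fps = check(parse(sys.argv[1]), [parse(a) for a in sys.argv[2:]])
    print(verdict, vip_fp, sorted(member_fps))
```

A handshake failure or timeout on the virtual server while the pool members answer directly points at the virtual server configuration (profiles, SNAT) rather than at the backends.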