Forum Discussion

Akash_549's avatar
Akash_549
Icon for Nimbostratus rankNimbostratus
Jul 26, 2012

SSL passthrough

Hello, I want to load balance (least connection) SSL traffic terminating straight on the server. I was looking into something called 'SSL-passthrough' but can not understand how it will exactly carry packets. Is this even possible? If yes, can anyone provide configuration please?
app sec
BIG-IP Access Policy Manager (APM)
security
  • santosh_81454's avatar
    santosh_81454
    Icon for Nimbostratus rankNimbostratus
    Nov 05, 2012
    Hi Akash,

     

     

    yes. create a performance L4 type VS and load balance SSL connection without certificate on the F5. The SSL termination will have to be handled by the servers.

     

     

    - Santosh.
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 05, 2012
    Santosh is correct. The 'passthrough' just refers to the fact the SSL is passed through the device to the servers, not terminated on the F5. Note that this means you cannot apply iRules, compression and a host of other features and you also lose some flexibility with persistence. In my experience, it's normally worth the time to terminate on the F5 and re-encrypt to the server (if it must be SSL end to end) so you get all of the benefits of LTM but maintain your security.
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Nov 05, 2012
    I don't think you want SSL passthrough, my understanding of that is to be able to pass the ssl handshake down to the web servers, but still maintain decryption at the Big-IP for purposes of inspection like with ASM.

     

     

    I think Santosh has the right idea here.