Forum Discussion

abi1980_184094
Mar 20, 2015

SSL passthrough

When configuring a VIP, what is the profile I can use for SSL passthrough?

Would it be a standard one performance layer4 profile?

Please help.


3 Replies

  • If you want to be able to analyze/modify HTTP, use a standard one. If it's purely at the TCP level, you can use performance layer 4 (standard would work too but does not use the optimization layer 4 chips that your hardware BIG-IP might have).


  • Hi abi1980,

    For end-to-end SSL communication it would be a virtual server in mode "Standard" or "PerformanceL4".

    In this case no clientssl or serverssl profiles will be assigned (not possible anyway in PerformanceL4 mode).

    In case you want to intercept traffic, it will be necessary to run the virtual server in mode "Standard" with a clientssl and serverssl profile.

    The clientssl profile needs to be customized to contain the expected server certificate and related private key and the intermediate certificate (chain). Please note that the clientssl profile is used to terminate on the client side and the serverssl profile is used to re-encrypt between BIG-IP and the selected pool member.

    In case you intercept SSL this way, client certificates cannot be passed through to the real server.

    With TMOS v11 there is an additional option allowing end-to-end SSL communication between client and real server including inspection on the BIG-IP. Please see SOL13385 for details.

    Thanks, Stephan
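
The two setups described in the replies above, side by side, as an added example that is not part of the original thread. The object names, addresses and certificate file names are constructed placeholders, and the stock `fastL4`, `tcp`, `http`, `clientssl` and `serverssl` profiles are assumed to exist under their default names.

```tmsh
# --- Passthrough: BIG-IP forwards the TLS stream untouched -------------
# Performance (Layer 4) virtual server. Only the fastL4 profile is
# attached: no clientssl/serverssl, so the TLS session (including any
# client certificate) terminates on the pool member, not on the BIG-IP.
ltm virtual vs_ssl_passthrough {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_https
    profiles {
        fastL4 { }
    }
}

# --- Intercept: BIG-IP terminates and re-encrypts ----------------------
# Custom clientssl profile holding the certificate the clients expect,
# its private key and the intermediate chain (placeholder file names).
ltm profile client-ssl clientssl_example {
    defaults-from clientssl
    cert example.crt
    key example.key
    chain example-chain.crt
}

# Standard virtual server. clientssl terminates on the client side,
# serverssl re-encrypts towards the selected pool member, and the http
# profile makes the decrypted traffic available for analysis.
ltm virtual vs_ssl_intercept {
    destination 192.0.2.11:443
    ip-protocol tcp
    pool pool_https
    profiles {
        tcp { }
        http { }
        clientssl_example {
            context clientside
        }
        serverssl {
            context serverside
        }
    }
}
```

With the second virtual server the private key lives on the BIG-IP and the pool member sees a new TLS session originated by the BIG-IP, which is why client certificates do not reach the real server in that mode.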