Forum Discussion
SSL passthrough
Hi abi1980,
For end-to-end SSL communication it would be a virtual server in mode "Standard" or "PerformanceL4".
In this case no clientssl or serverssl profiles will be assigned (not possible anyway in PerformanceL4 mode).
In case you want to intercept traffic it will be necessary to run the virtual server in mode "Standard" with a clientssl and serverssl profile.
The clientssl profile needs to be customized to contain the expected server certificate and related private key and the intermediate certificate (chain). Please note that the clientssl profile is used to terminate on the client side and the serverssl profile is used to re-encrypt between BIG-IP and the selected pool member.
In case you intercept SSL this way, client certificates cannot be passed through to the real server.
With TMOS v11 there is an additional option allowing end-to-end SSL-communication between client and real server including inspection on the BIG-IP. Please see SOL13385 for details.
Thanks, Stephan
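The two setups described in the reply above, written out as tmsh commands. This is an added example, not part of the original post or of F5's documentation. All object names, certificate file names and addresses (documentation ranges) are constructed, and the client-ssl `cert`/`key`/`chain` properties are assumed to match the TMOS version in use, so check them against your release.

```tmsh
# Shared pool of real servers that speak TLS themselves (constructed addresses).
create ltm pool pool_web_tls members add { 192.0.2.10:443 192.0.2.11:443 } monitor tcp

# 1) Passthrough, "PerformanceL4": fastL4 only, no SSL profiles.
#    The TLS session runs end to end between client and pool member, so the
#    server's own certificate is what the client sees, and client
#    certificates reach the real server. BIG-IP cannot inspect the payload.
create ltm virtual vs_passthrough_l4 destination 198.51.100.20:443 ip-protocol tcp profiles add { fastL4 } pool pool_web_tls

# 1b) Passthrough, "Standard": full-proxy TCP, still no SSL profiles.
create ltm virtual vs_passthrough_std destination 198.51.100.21:443 ip-protocol tcp profiles add { tcp } pool pool_web_tls

# 2) Interception, "Standard" with clientssl + serverssl.
#    The clientssl profile carries the certificate clients expect, its
#    private key and the intermediate chain; it terminates TLS on the
#    client side.
create ltm profile client-ssl clientssl_www_example defaults-from clientssl cert www.example.com.crt key www.example.com.key chain intermediate-ca.crt

#    The serverssl profile re-encrypts between BIG-IP and the pool member.
#    Two separate TLS sessions exist here, so a client certificate presented
#    to BIG-IP is not passed through to the real server.
create ltm virtual vs_intercept destination 198.51.100.22:443 ip-protocol tcp profiles add { tcp clientssl_www_example { context clientside } serverssl { context serverside } } pool pool_web_tls

# Review what ended up attached to each virtual server.
list ltm virtual vs_passthrough_l4 profiles
list ltm virtual vs_intercept profiles
```

In the interception setup the private key for the public certificate lives on the BIG-IP, so access to that key and to the clientssl profile should be restricted accordingly.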