Forum Discussion
Fletcher_Cocquy
Nimbostratus
NimbostratusSSL Proxy Juniper SSL VPN
Hi, we are not ready to expose our Juniper SSL VPN externally, so I was asked to test the BigIP's capability (its already exposed externally) to proxy SSL to it.
I setup the external HTTPS virtual server, and mapped to the pool of one consisting of the Juniper SSL VPN's IP port 443 (note this is different than our normal case where we want to offload the SSL - here we want to pass on the HTTPS)
Anyway, the Juniper is denying the requests from the BigIP with messages:
SSL negotiation failed while client at source IP 'xx.yy.104.107' was trying to connect to 'aa.bb.70.132'. Reason: 'http request'"
which does not make sense to us since the request is coming on port 443 from the BigIP.
Is there a setting I'm forgetting in the BigIP to make this SSL==>SSL proxy work?
thanks
Fletcher_CocquyHi, thanks for the reply
when I add our standard SSL redirect iRule:
when HTTP_REQUEST {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
I get an error: "the server is redirecting the request for this address in a way that will never complete"
When I try IP or layer 2 forwarding I get the error from the bigIP: node must be directly connected to the BigIP - its not - it routes one hop
Puzzling why the Juniper thinks HTTP requests are being made...BigIP should be passing HTTPS only
Not sure we will be able to front the Juniper SSL VPN with the BigIP...
thanks
Ryan77777Altocumulus
I'm having similar issues. I'm going to try the layer-2 approach though since it's on the same network. Did you ever get the layer-3 profile working? Would be curious to know what the solution was.
Krzysztof_KozloWe specifically had issues with the LTM doing SSL termination and re-encryption in front of the Juniper SA-series SSL VPN appliance (formerly known as Neoteris IVE) on version 9.4.8.
It would intermittently fail to negotiate as a client of the Juniper. I forgot exactly what we came up with as the root cause, but it was on the Juniper side of the SSL negotiation.