Forum Discussion
SSL PROXY
- Jan 04, 2023
Hi sgnormo,
Maybe you have missed some configuration for the SSL proxy feature. I understood from the pcap snapshot that F5 could not validate the destination server certificate to pass it to the client, so as a result of this error in the SSL sequence (especially regarding SSL proxy deployments) F5 sends RST packets to close the SSL connection, so I see that F5 resets the destination server (first RST) and the client as well (second RST).
So, I suspect that there is missing configuration regarding SSL proxy or a certificate mismatch between F5 and the destination server.
For that reason, please follow this KB to configure and build SSL proxy correctly:
https://support.f5.com/csp/article/K13385
Also take a look at this article:
https://support.f5.com/csp/article/K13393
The SSL proxy feature is not very useful by itself. Nowadays F5 offers SWG or SSL Orchestrator as options. If you want to send traffic to many external devices like firewalls, IPS, ICAP, the SSLO is the better option and it has guided configuration, so that you do not wonder if something was not configured.
- sgnormo, Jan 07, 2023, Cirrus
I know about the SSLO and it is used within another area of the organization, but that would have made it more complicated than what it would have to be for this situation.
- Nikoolayy1, Jan 07, 2023, MVP
If you do not need to direct the traffic to other devices after decrypting it then yup as in the backplane SSLO or SWG (SSLO is replacing SWG as SWG now can be a service for SSLO https://community.f5.com/t5/technical-articles/ssl-orchestrator-use-case-swgaas/ta-p/285469 ) also use the SSL proxy as a base feature and you can just review what the SSLO guided config has created as the VS that the traffic first hits to see how to configure the SSL proxy.
Still, as a note, you can even with SSL proxy and LTM use the ICAP if you want to also not only decrypt the traffic 😉