Forum Discussion
SSL PROXY
- Jan 04, 2023
Hi sgnormo,
Maybe you have missed some configuration for the SSL proxy feature. I understood from the pcap snapshot that F5 could not validate the destination server certificate to pass it to the client, so as a result of this error in the SSL sequence (especially regarding SSL proxy deployments) F5 sends RST packets to close the SSL connection. So I see that F5 resets the destination server (first RST) and the client as well (second RST).
So, I suspect that there is missing configuration regarding SSL proxy or a certificate mismatch between F5 and the destination server.
For that reason, please follow this KB well to configure and build the SSL proxy correctly:
https://support.f5.com/csp/article/K13385
Also take a look at this article:
https://support.f5.com/csp/article/K13393
I know about SSLO, and it is used within another area of the organization, but that would have made it more complicated than it would have to be for this situation.
If you do not need to direct the traffic to other devices after decrypting it, then yup, as in the backplane SSLO or SWG (SSLO is replacing SWG, as SWG can now be a service for SSLO: https://community.f5.com/t5/technical-articles/ssl-orchestrator-use-case-swgaas/ta-p/285469 ) also use the SSL proxy as a base feature, and you can just review what the SSLO guided config has created as the VS that the traffic first hits to see how to configure the SSL proxy.
Still, as a note, even with SSL proxy and LTM you can use ICAP if you want to do more than just decrypt the traffic 😉