Forum Discussion

Steve_W_85246
Apr 17, 2014

SSL termination / no SSL termination

So, reading another post here.. In order to terminate SSL, my 443 VIP needs to have an HTTP profile, and a client certificate. Ok.. I understand all that.. I do that currently.

I have a need now for a 443 VIP to not terminate SSL, so my VIP does not have the HTTP profile, and does not have a client certificate attached. I get to my requested pool fine. But here is the problem.. I need to do some HTTP redirection, other HTTP functions as well.. so I need the HTTP profile to be added. When I add the HTTP profile to this VIP, my connection just spins/hangs.. Is it possible to have a non SSL terminating VIP with an HTTP profile and make it work? Or is the kicker adding the HTTP profile - and my SSL is being terminated then?

  • In order to have HTTP controls, the BIG-IP needs to be able to see the HTTP traffic. Not possible without stripping off the SSL. The client SSL profile is what terminates the SSL. Assigning the HTTP profile is telling the BIG-IP to treat the traffic as HTTP.

  • Ok.. that makes sense... My 443 VIP is sending traffic to a set of Microsoft WAP servers which at this stage can only accept 443 traffic. So adding an HTTP profile will then treat the traffic as HTTP which is what WAP can't take, therefore breaking the process. Well that answers my question.. not what I was hoping for, but it does answer it... Thanks for your quick response.. I appreciate it.

    • Cory_50405
      Is the requirement that your WAP servers terminate the SSL? If so, you can configure and apply both a client and server SSL profile and attach to your virtual server, as well as an HTTP profile and you'll be able to have redirect controls.
  • 
    mikeshimkus_111
    Historic F5 Account

    Hi Steve, you'll need to use what we call SSL bridging. Apply the clientssl, serverssl, and http profiles to your VIP and BIG-IP will make an encrypted connection to your pool members. You can then do whatever layer 7 stuff you need to with iRules, etc.

    Mike

  • I tried that this morning during some of my troubleshooting.. I added a wildcard certificate as the client cert, and the default serverssl, and the http profile. It didn't spin as I saw with just the http profile, but it still failed to reach the WAP servers.

  • Are the WAP servers doing any kind of authentication for the connecting client? If not, then it may be best to grab a packet capture between the BIG-IP and servers to see what may be happening.

  • No, the WAPs are acting as another proxy; authentication is done in a following step via ADFS. Ok.. so the consensus is that it should be possible to do this? It's not impossible?

    • Cory_50405
      It should definitely be doable; you'll just need to figure out exactly what is happening when you apply both the client and server SSL and HTTP profiles. That setup should work.
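The SSL-bridging setup that mikeshimkus_111 and Cory_50405 describe, written out as tmsh commands. This is an added example, not configuration from anyone in the thread; the pool and profile names, the addresses, the certificate file names, the hostname wap.example.com and the redirect path /app/ are all assumptions chosen for illustration.

```tcl
# tmsh commands for a BIG-IP. Everything below is constructed: object names,
# addresses, cert/key file names and the redirect target are placeholders.

# Pool of WAP servers; the BIG-IP will re-encrypt toward them on 443.
create ltm pool pool_wap members add { 10.0.1.11:443 10.0.1.12:443 } monitor https

# 1) Pass-through VIP (Steve's original setup): no clientssl, so the BIG-IP only
#    sees TLS bytes. An http profile cannot be used here; that is the hang he saw.
create ltm virtual vs_wap_passthrough destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp } pool pool_wap source-address-translation { type automap }

# 2) SSL bridging: clientssl decrypts, http parses, serverssl re-encrypts.
# Client-side profile with the wildcard certificate Steve mentioned (file names assumed).
create ltm profile client-ssl clientssl_wap defaults-from clientssl cert wildcard.crt key wildcard.key

# Server-side profile. If the back end picks its certificate by SNI, the default
# serverssl profile sends no server name; setting server-name here is an assumption
# about the back end and one of the first things to check in a capture.
create ltm profile server-ssl serverssl_wap defaults-from serverssl server-name wap.example.com

# Layer-7 logic is only possible because the http profile now sees cleartext HTTP.
create ltm rule irule_wap_redirect {
    when HTTP_REQUEST {
        # Example redirect: send requests for the bare root to an assumed app path.
        if { [HTTP::uri] eq "/" } {
            HTTP::redirect "https://[HTTP::host]/app/"
        }
    }
}

# Bridging VIP: all three profiles plus the iRule, as recommended in the thread.
create ltm virtual vs_wap_bridged destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp http clientssl_wap { context clientside } serverssl_wap { context serverside } } pool pool_wap rules { irule_wap_redirect } source-address-translation { type automap }

# Persist the configuration.
save sys config
```

Only one of the two virtual servers can hold 10.0.0.10:443 at a time; the pass-through one is shown for contrast with the bridging one.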