Terminating SSL on F5.

1. Not painful at all. You'd need a virtual server listening on port 443, and then assign an SSL profile to it which referenced the certificate and key.

 

 

 

2. SSL is offloaded to hardware on the F5, which means that it's a whole lot faster. Plus, all the certs and keys are in one place which is a lot easier to manage.

 

 

3. To terminate SSL between the LTM and the browser, you need the serverssl profile. Use the clientssl profile if you want to renegotiate SSL between the LTM and the webserver.

 

 

4. They can be imported. If your webserver can export a PKCS certficate, this SOL:

 

 

https://support.f5.com/kb/en-us/solutions/public/2000/300/sol2323a.html

 

 

...walks you through the PEM conversion process.

 

 

Hope this helps,

 

 

JQ

Oh, and regarding point 2, the other advantage is that if you are doing SSL offload, you can then use Layer 7 iRules and cookie persistence and other fun Layer 7 stuff. If you are passing SSL connections through the LTM to the webservers without doing offload, you can't "see" into the encrypted packets and thus you are restricted to Layer 4 iRules and source IP persistence.

 

 

Denny

Yeah. Reversed. I always do that. Sorry for any confusion. :|

jquinby and Denny,

 

 

Thanks for all your replies. I appreciate the feedback on this.

 

 

It now sounds like something I may need to consider implementing. Key points being centralization and additional persistence options.

 

 

Thanks.

 

 

-Ryan

For having server-side SSL profile we do need a certificate installed on the web server right?

 

It'd be difficult to even enable SSL in any given application without also applying a certificate and corresponding private key. So yes, you do need a certificate (and private key) on the web server.