Forum Discussion
Aaron, if you are talking about SSL interception then, as per my understanding, Blue Coat can do this job very well. I have no idea about the F5 ADC, although I would say ProxySG can transparently proxy the HTTPS traffic and send its own cert/key to all clients.
For all clients, ProxySG will be the destination server, and if the destination is allowed then the proxy will create a new connection to the OCS on behalf of the request sent to the in-line ProxySG. If the requested OCS is not allowed then ProxySG will deny the request. This is how ProxySG breaks the SSL tunnel.
I have no idea yet whether F5 LTM can do the same job as I elaborated above for Blue Coat ProxySG. If I am wrong then I request you to correct my understanding.
I also request both of you, and all of you, to help me with a task that was given to me today: what solution is best for URL filtering?
I know that Blue Coat and its BCWF can do this job for me, but due to throughput constraints we are not interested in buying Blue Coat ProxySG appliances and load balancers to block very few websites out of the traffic of millions of websites.
Thanks
RGK
- Robert_Teller_7, Oct 06, 2015 (Historic F5 Account)
You can try enabling the HTTP Profile and then using an iRule to disable HTTP for any request that isn't RFC compliant.
I have attached a snippet that will verify that the first portion of the request contains a string followed by a forward slash.
For an HTTP request:

    when CLIENT_ACCEPTED {
        # Start with the HTTP profile off and peek at the first 20 bytes of client data
        HTTP::disable
        TCP::collect 20
    }
    when CLIENT_DATA {
        # Initialise both variables so the comparison below is safe if scan assigns nothing
        set METHOD ""
        set REQUEST ""
        # %1s reads one non-whitespace character as a string; the original %c
        # returns the character code (47 for "/"), so `eq "/"` would never match
        scan [TCP::payload] {%s %1s} METHOD REQUEST
        if {$METHOD ne "" && $REQUEST eq "/"} {
            HTTP::enable
        }
        TCP::release
    }

For an HTTPS request:

    when CLIENT_ACCEPTED {
        HTTP::disable
    }
    when CLIENTSSL_CLIENTHELLO {
        # Peek at the first 20 bytes of decrypted client data
        SSL::collect 20
    }
    when CLIENTSSL_DATA {
        set METHOD ""
        set REQUEST ""
        # Same method / "/" check as the HTTP version, on the decrypted payload
        scan [SSL::payload] {%s %1s} METHOD REQUEST
        if {$METHOD ne "" && $REQUEST eq "/"} {
            HTTP::enable
        }
        SSL::release
    }
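The request-line sniff that the iRule above relies on, modelled in Python as an added example (this is not code from the post, nor from F5): it applies the same rule, a method token followed by a space and a forward slash, to the first 20 bytes of client data and returns whether the HTTP profile should be switched on. The function names, the 20-byte peek constant and the sample payloads are constructed for this example. It goes slightly beyond the Tcl snippet by requiring the method to be an RFC 7230 token and by showing how a TLS record, a non-HTTP text protocol and an absolute-form request line (which the check rejects, since a proxy-style target does not start with a slash) are handled.

```python
import re

# Assumption for this example: the sniffer sees only the first 20 bytes of
# client data, matching the TCP::collect 20 peek used in the iRule on this page.
PEEK_BYTES = 20

# Characters allowed in an RFC 7230 "token", which is what a request method
# must be made of (GET, POST, PROPFIND, ...).
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def looks_like_http_request(payload: bytes, peek: int = PEEK_BYTES) -> bool:
    """Decide from a short peek whether client data starts like an HTTP/1.x
    request line in origin-form: <method token> SP "/"...

    This is the check the iRule performs (non-empty method followed by a
    space and a forward slash). Anything else is treated as non-HTTP:
    TLS records (first byte 0x16), other text protocols, or a peek too
    short to contain " /" after the method.
    """
    head = payload[:peek]
    m = _TOKEN_RE.match(head)
    if m is None:
        return False  # first byte is not a token character
    return head[m.end():m.end() + 2] == b" /"


def choose_profile(payload: bytes) -> str:
    """Map the sniff result onto the two outcomes the iRule produces:
    'http' (HTTP::enable) or 'tcp' (leave the HTTP profile disabled)."""
    return "http" if looks_like_http_request(payload) else "tcp"


# Constructed sample payloads (not captured traffic), one per case of interest.
SAMPLES = {
    "plain GET": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "POST with path": b"POST /api/v1/items HTTP/1.1\r\n",
    "absolute-form (proxy style)": b"GET http://example.test/ HTTP/1.1\r\n",
    "TLS ClientHello record": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
    "SMTP greeting": b"EHLO mail.example.test\r\n",
    "truncated peek": b"G",
    "empty": b"",
}


def classify_samples() -> dict:
    """Run every constructed sample through the sniffer."""
    return {name: choose_profile(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} -> {verdict}")
```

Two points the samples make visible: the peek length is also a limit, so a connection whose first 20 bytes do not yet contain " /" after the method stays on plain TCP, and absolute-form request lines are rejected by this rule even though they are valid HTTP for a proxy. When carrying the rule back to Tcl, remember that scan's %c converts the matched character to its integer code, so a comparison against the string "/" needs %1s instead.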
- Brad_Parker, Oct 20, 2015 (Cirrus)
You cannot use an HTTP profile without a ClientSSL profile for HTTPS traffic. Is your virtual server HTTP or HTTPS? If it is HTTPS and you need end-to-end SSL you will also need a ServerSSL profile to re-encrypt.
- Hi Brad, that is the way I understand it to work as well; I was just asking if anyone was able to get it to work without the HTTP profile. It is an HTTPS virtual server. The issue is application related, in that it does not allow us to inspect the traffic, thus when I enable the HTTP profile the application doesn't work via the F5.
- Brad_Parker, Oct 23, 2015 (Cirrus)
Enabling the HTTP profile in and of itself will not affect the traffic in any way and is transparent to the application. Do you have SSL profiles enabled? They too should be transparent to the application. How does your application "not work"? There is no way to see or alter the payload of encrypted traffic; that's why HTTPS requires ClientSSL profiles if you want to see the content.