Forum Discussion

Racharla_Chandr
Feb 08, 2016

using client & server ssl profiles on a VIP

Hi All,


I've configured a virtual server as https://www.xyz-google.com with a self-signed certificate, and the backend server as 216.58.197.68:443 (I've applied the basic serverssl profile on the VIP for server-side communication).


I'm unable to get the page.


Thanks for any inputs.


Regards, Chandu


  • Hi Chandu,


    To enable your clients to access the Virtual Server using SSL, you have to assign a Client-SSL profile. To forward the traffic to your backend systems via SSL, you have to assign a Server-SSL profile.


    If this configuration is causing troubles, you may check:


    1. Whether the underlying TCP connection is getting successfully established (e.g. missing SNAT configuration?)
    2. Whether the SSL negotiation is having problems (increase the SSL log level and then keep an eye on the LTM event log).
    3. You may also switch temporarily to the "secure-incompatible" profiles, to check if certain SSL security settings are causing trouble.

    Cheers, Kai
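Put together as an added worked example (not part of Kai's reply or of the original question): the tmsh configuration the replies describe, namely a Client-SSL profile carrying the self-signed certificate, a Server-SSL profile for re-encryption to the backend, a pool, and a virtual server with SNAT, followed by the three checks listed above. Only the backend 216.58.197.68:443 and the hostname www.xyz-google.com come from the thread; the VIP address 192.0.2.10, every object name, and the names of the imported certificate and key are assumptions. The profiles Kai refers to are shipped on BIG-IP under the names clientssl-insecure-compatible and serverssl-insecure-compatible.

```tmsh
# Added example, not the poster's or F5's configuration. Object names, the VIP
# address 192.0.2.10 and the cert/key names are assumptions; the backend
# 216.58.197.68:443 and the hostname come from the question.

# --- Client side: the VIP terminates TLS from the browser with the self-signed
#     certificate (assumed to be imported already as xyz-google.crt / .key).
create ltm profile client-ssl clientssl_xyz-google defaults-from clientssl cert xyz-google.crt key xyz-google.key

# --- Server side: the VIP opens a new TLS session to the backend. The parent
#     serverssl profile ships with peer-cert-mode ignore, so the backend's
#     certificate is not verified; a failure here is a handshake or TCP problem,
#     not a trust problem.
create ltm profile server-ssl serverssl_xyz-google defaults-from serverssl

# --- Pool: the backend on 443 with a TLS-aware monitor, so "member down"
#     already tells you whether the BIG-IP can complete a handshake to it.
create ltm pool pool_xyz-google members add { 216.58.197.68:443 } monitor https

# --- Virtual server: both SSL profiles in their respective contexts, an HTTP
#     profile so the LTM sees the decrypted requests, and SNAT automap so the
#     backend's replies return via the BIG-IP (Kai's check 1).
create ltm virtual vs_xyz-google destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http clientssl_xyz-google { context clientside } serverssl_xyz-google { context serverside } } pool pool_xyz-google source-address-translation { type automap }
save sys config

# --- Check 1: is the server-side TCP connection being built at all?
#     The monitor state answers it for the data path; live flows to the backend
#     show up in the connection table.
show ltm pool pool_xyz-google members
show sys connection ss-server-addr 216.58.197.68

# --- Check 2: raise the SSL log level, reproduce, read /var/log/ltm (from the
#     bash prompt: tail -f /var/log/ltm), then put the level back.
modify sys db log.ssl.level value Debug
modify sys db log.ssl.level value Warning

# --- Check 3: temporarily re-parent the profiles onto the permissive variants
#     to rule out cipher/protocol settings; revert once the cause is known.
modify ltm profile server-ssl serverssl_xyz-google defaults-from serverssl-insecure-compatible
modify ltm profile client-ssl clientssl_xyz-google defaults-from clientssl-insecure-compatible
```

Because the server-ssl profile does not verify the backend, the only certificate the browser ever has to judge is the self-signed one presented by the client-ssl profile; if the pool member is green and the server-side flow appears in the connection table, what remains is the client-side trust decision that the next reply discusses.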


  • Testing this solution with Google may actually present a few anomalies. For example, depending on the browser you're using, Google generally employs certificate pinning (Chrome especially, but I believe Firefox now pins Google URLs). Essentially, the browser comes hard-coded with a list of issuer certificates. If you attempt to navigate to Google through a proxy that sends you a different certificate, the browser will deny that request. Google also employs HTTP Strict Transport Security (HSTS), which a) forces the browser to use SSL for the specified domain (and potentially all subdomains), and b) forces the browser to fail if the certificate can't be trusted. You're sending a self-signed certificate to the client, so I'm guessing at least HSTS is an issue here, if not both HSTS and pinning.


    If you try this with other (non-Google) URLs and it still fails, then I'd probably look more closely at TCP and SSL attributes on the server side of the proxy.