Forum Discussion

Nfordhk_66801's avatar
Nfordhk_66801
Icon for Nimbostratus rankNimbostratus
Jan 23, 2015

Using ServerSSL Profiles

Hi,   I am interested in using ServerSSL profiles to secure connectivity from the client to the end host but I have some confusions about the process. Right now our setup looks like this:   Two...
application delivery
design
LTM
security
serverssl
ssl
THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Jan 26, 2015

Passthrough and ASM:

 

For any intelligent use of ASM, you need to have visibility to Layer 7 traffic on the client requests (and responses).

 

In case of ssl encrypted traffic from the clients, you need to terminate the client ssl connection at the BIG-IP for the ASM to be able to see the Layer 7 traffic - and function as an application level firewall/protection device. You can the re-encrypt the traffic at the server side of the BIG-IP to the servers if required. Return traffic goes just the reverse.

 

If you just do the passthrough without ssl termination at the BIG-IP, the ASM cannot see Layer 7 stuff and you could as well revert to use normal L2-4 firewall instead of the ASM application level firewall.