Forum Discussion

shaikhzaid's avatar
shaikhzaid
Icon for Altocumulus rankAltocumulus
Jan 03, 2023

virtual server config

hey guys, i have a requirement wherein the url https://xyz.com:9999 will be accessed over the internet. Now once the NATing is done by the firewall, the traffic will be passed to virtual server (1....
application delivery
  • CA_Valli's avatar
    CA_Valli
    Jan 03, 2023

    Well, this is up to you. 
    Per my experience, some customers prefer to offload the SSL decryption task to the F5 unit, so that they don't have to perform additional decriptyon on the backend server farm, saving resources. This is usually also allows more agile administration, because you'll only need to renew the certificates on one appliance (BIG-IP) instead of every server. 
    Other customers prefer to perform SSL encryption in the backend as well because they prioritize information security across the whole network. 

    You might want to discuss this with your engineering team, and if your servers require the SSL handshake to be performed, you'll need a serverSSL profile. 

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Jan 03, 2023

If the client requests the URL specifying a destination port, which is :9999 syntax, your network equipment should be configured to accept connections to that port.

You say there's a firewall that performs NAT translation, so I'd guess this is the first access block. Does it translate port from 9999 to 443 as well? (I'm assuming this since you say VS is configured for port 443)

If it doesn't, you need to have a Virtual Server configured with destination port 9999 (again, since this is specified in cliet request) and with tcp, http, and clientSSL/serverSSL profiles. 

BIG-IP is a default deny device, so any client request that does not meet this criteria (= there's not a listener configured) will be rejected. 

F5 keeps client- and server- connections separate, so if you need to change port before going to the backend server you can do it. Pool configuration should match the port configured in your server farm to listen for this connection / to serve this application. 

  • shaikhzaid's avatar
    shaikhzaid
    Icon for Altocumulus rankAltocumulus
    Jan 03, 2023

    Thank you guys for the swift response.

    I have configured the firewall to translate only the public ip to VIP on F5. 

    On the virtual server config, it is listening on port 443, and the pool called-in this VS is pool with port 9999.

    Also both client and server ssl profiles are applied.

    on the firewall am getting TCP reset from server.

    • CA_Valli's avatar
      CA_Valli
      Icon for MVP rankMVP
      Jan 03, 2023

      Ok, based on this information I'm expecting the reset to be on port 9999, and this is because port 9999 does not match your virtual server socket. 

      Virtual Server should match the port specified in client connection, so you need to change it to listen on port 9999.

      • shaikhzaid's avatar
        shaikhzaid
        Icon for Altocumulus rankAltocumulus
        Jan 03, 2023

        Thanks guys again.

        I understand the VS port need to be updated with 9999 instead of 443.

        But, i am wondering, since the client will be requesting the url with https ahead, then why we need to make the virtual server port to 9999 which is url port extension.?

        Apologies, but am a bit new to F5.