Forum Discussion
Jan_Rockstedt_4
Nimbostratus
Apr 29, 2013
VS for ssl pass-thru
Hi,
I have set up a standard VS for ssl pass-thru on port 443, but I see that there is not much I can enable to get this to work. No http profile, no OneConnect, no cert ...
Is there a better VS type to use instead of standard, that is better for this kind of encrypted traffic?
Jan
4 Replies
- nitass
Employee
what about performance L4?
sol12015: Configuration requirements for SSL virtual servers, profiles, pools, and monitors (Virtual servers capable of performing SSL passthrough section)
http://support.f5.com/kb/en-us/solutions/public/12000/000/sol12015
- Kevin_Stewart
Employee
If by "SSL pass-thru" you mean that you don't want to decrypt and re-encrypt, then a standard, performance L4, or most of the other virtual server types will work. You must not apply any profiles that would try to act on unencrypted (L7) data, so no HTTP profile. You can still apply profiles that act on L4 data though, so SNAT is okay. Simply create a standard (or Perf L4) virtual server and do NOTHING but assign the destination IP and port and the pool of 443 servers; this will allow SSL pass-thru.
- Hamish
Cirrocumulus
If you do want to do more L7 stuff, you need to create and add an SSL client profile (faces the clients) and an SSL Server profile (runs between the BigIP and the servers). Then you have access to the unencrypted stream that will let you add http profiles, streams etc and act on the unencrypted data.
H
- Jan_Rockstedt_4
Nimbostratus
Thank you all.
I will try the L4 VS; the only things we need are SNAT, VLAN and a persistence profile for the SSL pass-thru, as the application needs to have a unique client cert on every client.
Jan
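
The two setups described in the replies above, written out as tmsh commands run from the BIG-IP bash prompt. This is an added example, not part of any poster's reply; the object names, addresses, the VLAN name `external`, the `tcp` monitor and the `source_addr` persistence profile are assumptions chosen for illustration.

```tmsh
# Pool of HTTPS servers (constructed addresses). A plain TCP monitor is
# assumed here because the servers require a client certificate.
tmsh create ltm pool pool_https_passthru \
    members add { 10.0.20.11:443 10.0.20.12:443 } \
    monitor tcp

# 1) SSL pass-through: Performance (Layer 4) virtual server.
#    Only L4 features are attached: fastL4, SNAT, a VLAN restriction and
#    source-address persistence. No clientssl, serverssl or http profile,
#    so the TLS handshake (including the client certificate) runs end to
#    end between the client and the pool member.
tmsh create ltm virtual vs_https_passthru \
    destination 192.0.2.10:443 \
    ip-protocol tcp \
    profiles add { fastL4 } \
    pool pool_https_passthru \
    source-address-translation { type automap } \
    persist replace-all-with { source_addr } \
    vlans-enabled vlans add { external }

# 2) Contrast: L7 processing needs TLS terminated on the BIG-IP.
#    clientssl faces the clients, serverssl re-encrypts toward the pool,
#    and only then can an http profile see the unencrypted stream.
#    The client's TLS session now ends at the BIG-IP, so the pool members
#    no longer perform the client-certificate handshake themselves.
tmsh create ltm virtual vs_https_offload \
    destination 192.0.2.11:443 \
    ip-protocol tcp \
    profiles add { tcp http clientssl { context clientside } serverssl { context serverside } } \
    pool pool_https_passthru \
    source-address-translation { type automap }

# Check which profiles ended up on the pass-through virtual server;
# anything beyond fastL4 means it is no longer a pure L4 pass-through.
tmsh list ltm virtual vs_https_passthru profiles
```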