Forum Discussion
X-Forward without a http profile?
While @JTI is correct, there is an option if you can install the server certificate and key on the LTM and are willing to set the server to only accept RSA ciphers.
Proxy SSL allows the LTM to inspect and modify SSL traffic with an HTTP profile, while still maintaining SSL negotiation passthrough for Client Certificate Authentication directly with the server.
However, the LTM must have the server certificate and key installed, and only RSA ciphers are permitted. You can either reject non-RSA ciphers, or non-RSA will pass through without inspection/modification.
Proxy SSL supports only the RSA key exchange. For proper functioning, the client and server must not negotiate key exchanges or cipher suites that Proxy SSL does not support, such as the Diffie-Hellman (DH) and Ephemeral Diffie-Hellman (DHE) key exchanges, and the Elliptic Curve Cryptography (ECC) cipher suite. To avoid this issue, you can either configure the client so that the ClientHello packet does not include DH, DHE, or ECC; or configure the server to not accept DH, DHE, or ECC.
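A way to check a server's accepted cipher suite list against the RSA-only constraint described in the answer above, as an added example that is not part of the original post and not F5 code. The suite list is constructed sample data and the function names are hypothetical; it also goes beyond the post's list by flagging TLS 1.3 suites, which never use RSA key exchange.

```python
import re

# Key-exchange classes derived from IANA cipher suite names.
RSA_KX = "rsa"          # static RSA key exchange, the only one Proxy SSL supports
NON_RSA = "dh/dhe/ecc"  # DH, DHE, ECDH, ECDHE: named in the post as unsupported
TLS13 = "tls1.3"        # TLS 1.3 suites: key exchange is always ephemeral, never RSA
UNKNOWN = "unknown"     # PSK, SRP, export etc.: needs a manual look

_KX_RE = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_")
_TLS13_RE = re.compile(r"^TLS_(AES|CHACHA20)_")

def key_exchange(suite):
    """Classify one IANA suite name by its key exchange."""
    name = suite.strip().upper()
    m = _KX_RE.match(name)
    if m is None:
        # TLS 1.3 names have no _WITH_ part (e.g. TLS_AES_128_GCM_SHA256)
        return TLS13 if _TLS13_RE.match(name) else UNKNOWN
    kx = m.group(1)  # e.g. "RSA", "ECDHE_RSA", "DHE_RSA", "DH_ANON", "RSA_PSK"
    if kx == "RSA":
        return RSA_KX
    if kx.split("_")[0] in {"DH", "DHE", "ECDH", "ECDHE"}:
        return NON_RSA
    return UNKNOWN

def audit(suites):
    """Split a suite list into what Proxy SSL can inspect and what it cannot."""
    report = {"inspectable": [], "not_supported": [], "review": []}
    for s in suites:
        kx = key_exchange(s)
        if kx == RSA_KX:
            report["inspectable"].append(s)
        elif kx in (NON_RSA, TLS13):
            report["not_supported"].append(s)
        else:
            report["review"].append(s)
    # True only when every listed suite uses RSA key exchange
    report["rsa_only"] = bool(report["inspectable"]) and not (
        report["not_supported"] or report["review"])
    return report

# Constructed sample: suites a backend server might accept
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SUITES).items():
        print(key, value)
```

Feed it the suite names reported by whatever scanner or server configuration dump you already use; anything listed under `not_supported` has to be disabled on the server (or left out of the ClientHello) for Proxy SSL to inspect the connection.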