JRahm
Community Manager

In this episode of Lightboard Lessons, Jason covers a couple of deployment options for routing traffic through an IPS tier while maintaining source IPs. The first option compresses the external and internal legs of the air gap solution onto a single BIG-IP (or pair) by using route domains. The second option splits the external and internal requirements onto separate BIG-IPs to allow for isolated vertical security zones.


Comments
Harry1
Nimbostratus

Hello Jason.. Can you please publish a session for FireEye and F5 integration? Also want to understand the difference between both deployments: FireEye + F5 and airgap SSL.

 

JRahm
Community Manager

Sure, we could do a FireEye session; we'll add that to the queue. Thanks for the idea.

 

Carlos_Pesset
Nimbostratus

Hey Jason,

 

The 1st BIG-IP (ingress) will have a client_ssl and a server_ssl configured, right?

The 2nd BIG-IP will need a server_ssl as well only if I need to re-encrypt the traffic?

 

I'm not sure if I get this part. 😞

 

JRahm
Community Manager

1st BIG-IP is offloading and not re-encrypting so the IPS layer can see the traffic, so it would only have a clientssl profile.

 

2nd BIG-IP (if required) would re-encrypt the traffic for delivery to the server, so would only need a serverssl profile.

 

Carlos_Pesset
Nimbostratus

Thanks for the answer Jason.

 

I was making a huge confusion between airgap concepts for forwarding ssl intercept traffic and reverse ssl proxy traffic.

 

For forwarding I believe that yes, both client and server_ssl are needed in the ingress (internal) LTM and a server_ssl for the egress (external) LTM.

For reverse proxy it is just as you explained: ingress (outside) LTM with client_ssl and egress (internal) with server_ssl.

 

At least this is what I've seen reading some deployment guides. 🙂

 

Version history
Last update:
‎05-Jan-2017 10:04