Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

How To Proxy / Tunnel External URLs Through F5



I'm looking to essentially tunnel web requests for a select few external URLs through an F5, and I'm having trouble getting it working.

I've created a FQDN node, for an external domain which I do not own, let's say  This node auto-populates it's configuration with external IPs returned from a DNS query of

I then attached that FQDN node to a new pool, then created a new virtual server with the pool attached.

I then created an internal DNS record to point to the new VIP of the virtual server.  Let's say that record is

I then created an irule, upon HTTP_REQUEST to re-write the host header from, to  I also created an irule upon HTTP_RESPONSE, to re-write the location header from, back to


When I try to connect to (the VS VIP), the connection is refused, and never gets forwarded to the FQDN node members (

Am I missing something in this config?   It seems like it should be pretty straight forward to tunnel / proxy connections for a specfic external domain through an F5, and have that external domain see the source IP of the request as the Big IP, but it seems to be a bit more difficult than anticipated.


F5 Employee
F5 Employee

Is there TLS involved here? Is the internal VIP supposed be encrypted and have a client SSL profile? Is the external site encrypted?

Hi Kevin,

Yes, the external site is encrypted, as well as the connection to the internal VIP. 

I have a certificate associated with the client SSL profile which matches the DNS name pointing to the VIP, as well as the server SSL profile set to use serverssl, which I think just leverages the server's certificate when brokering the connection?


Try taking off the client and server SSL profiles. A browser wil through an error because of the cert mismatch, so you'll probably want to test with Curl. If you can get to the site this way, then there's likely an issue in the server side SSL handshake.

If you still can't get to the site, check that traffic is leaving the BIG-IP to the intended destination. YOu can also try to Curl directly from the BIG-IP to see if the box can even get there.


Are you using SNAT? what type?



You configure a virtual server to process web traffic coming in on the HTTP tunnel from the explicit forward-proxy virtual server.


Good morning,

You configure a virtual server to process web traffic coming in on the HTTP tunnel from the explicit forward-proxy virtual server.

Burger King Survey