Ray_Rakib
Nimbostratus
Sep 25, 2019

HTTP Header Insertion using LTM

Hi All,

I have created an iRule to do HTTP header insertion, as I need to do this to restrict tenant access to MS Office 365 for our internal users.

My understanding is that I need to set up the VS as a forwarding proxy so that the F5 can decrypt the SSL traffic going out, do the HTTP header insertion (with the iRule attached to the VS), then encrypt the packet and forward it on to the destination.

I have created a Client SSL profile with a certificate signed by my internal CA and set it to "SSL Forward Proxy". I have also created a Server SSL profile and set it to "SSL Forward Proxy" (no certificate attached to the Server SSL profile).

I have attached the client/server profiles to my VS.

However, my internal clients cannot surf the internet. They get the error "Connection closed".

What am I doing wrong?

I am stuck. Any help would be much appreciated.
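
The header insertion described in the question, as an added example that is not the poster's iRule and not part of the original thread. It assumes the Microsoft tenant restriction headers `Restrict-Access-To-Tenants` and `Restrict-Access-Context` and the Microsoft sign-in hostnames; the tenant name and directory ID are placeholders, and the rule only fires on traffic the virtual server has already decrypted.

```tcl
# Added example: tenant restriction header insertion on decrypted outbound traffic.
# The tenant name and directory ID below are placeholders, not values from this thread.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and drop any ":port" suffix
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Only the Microsoft sign-in endpoints evaluate these headers;
    # all other outbound requests pass through unmodified.
    switch -- $host {
        "login.microsoftonline.com" -
        "login.microsoft.com" -
        "login.windows.net" {
            # Remove any copies sent by the client so that the values
            # set by the proxy are the only ones the endpoint sees.
            HTTP::header remove "Restrict-Access-To-Tenants"
            HTTP::header remove "Restrict-Access-Context"

            # Permitted tenant(s), comma-separated (placeholder value)
            HTTP::header insert "Restrict-Access-To-Tenants" "contoso.example"

            # Directory ID of the tenant that sets the restriction (placeholder value)
            HTTP::header insert "Restrict-Access-Context" "00000000-0000-0000-0000-000000000000"
        }
    }
}
```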


2 Replies

  • Try the config you have, but remove the SSL Forward Proxy option - I don't believe it's required in your use case? You should be able to SSL decrypt/add headers/re-encrypt outbound without it.

  • Hi Dan,

    I tried your suggestion and disabled the SSL Forward Proxy option on the client & server SSL profiles. Now client PCs can connect to internet sites such as BBC, however they get a "Not Secure" certificate warning in their browser.

    When you check the properties of the certificate warning in the browser, the Certificate Path shows my internal CA server cert, then the cert that resides on the F5 LTM (which was signed by my CA server). I think I should see a third cert in the chain (the third cert being that of the destination server, i.e. BBC)?

    Any further suggestions?