
Need of SSL Server Profile


Hi all, I am new to the F5 environment. Please help me understand/clarify my doubts below. We have the design below, and we have configured an SSL client and an SSL server profile. Could someone explain how the communication happens between the F5 and the physical servers?

client --> F5 box --> 2 physical servers

1) The SSL server profile is using the same certificate as configured in the SSL client profile.
2) What packets will be exchanged when the F5 initiates the connection to the physical servers when an SSL server profile is configured?
3) Will the F5 initiate the session key, or will the physical server initiate the session key?
4) Do the real servers really need SSL certificates installed on them?
5) What will happen if I remove the SSL certificate from the physical server? Will traffic get encrypted?



Legacy Employee

You can find a lot of interesting here


F5 Employee

ClientSSL and serverSSL profiles are quite similar but they are quite different at the same time (hope this makes sense). The important thing to understand is that clientSSL manages the client side of the connection and serverssl the server side. Remember, big-ip is a full proxy; no matter what, the client and server connections are different.


When you configure clientSSL and set a certificate and key, they will be used when the SSL handshake happens between the client and your big-ip. In your serverssl profile this configuration has a different meaning due to the server-side context: the certificate and key will be used by the big-ip as a client in the server-side connection, hence it will use the certificate to authenticate itself to the server. During the SSL handshake it will present the certificate you have in your profile to the server as an authentication mechanism. Honestly this is not very usual, but the option is there.


Given this, you have several options to configure your bigip: SSL offload, SSL bridge, SSL forward, etc.


90% of the time you will use SSL offload or SSL bridge; that's my experience. SSL offload only requires a clientssl profile; on the server side you configure your pool of web servers on the HTTP port and the traffic goes in plain. SSL bridge adds the serverssl profile to get the traffic encrypted again, hence you need your pool configured to send traffic to the SSL port (and yes, you still need a certificate; it can be any, as this one is not exposed to the client).


Regarding session keys, this is something negotiated between the peers during the SSL handshake; it is not something really initiated on one side.
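
The two deployments described in the answer above, sketched as a tmsh configuration fragment. This is an added example, not part of the original thread or F5's own documentation; the object names and addresses are constructed, and the certificate and key files app.crt and app.key are assumed to be already imported on the BIG-IP.

```tmsh
# Constructed example: names, VIPs and pool member addresses are placeholders.

# Client-side profile: the certificate and key the BIG-IP presents to clients.
create ltm profile client-ssl cssl_app defaults-from clientssl \
    cert-key-chain add { app { cert app.crt key app.key } }

# --- SSL offload: TLS ends at the BIG-IP, pool traffic is plain HTTP ---
create ltm pool pool_http monitor http \
    members add { 198.51.100.11:80 198.51.100.12:80 }

# Only a clientside SSL profile is attached; nothing re-encrypts the
# server-side connection, so the servers need no certificate.
create ltm virtual vs_offload destination 192.0.2.10:443 ip-protocol tcp \
    pool pool_http \
    profiles add { tcp { } http { } cssl_app { context clientside } }

# --- SSL bridge: decrypt on the client side, re-encrypt to the pool ---
# Members listen on the SSL port, so each server must hold its own
# certificate and key to complete the server-side handshake.
create ltm pool pool_https monitor https \
    members add { 198.51.100.11:443 198.51.100.12:443 }

# The serverside profile makes the BIG-IP act as a TLS client toward the
# pool. A cert/key is set on a server-ssl profile only when the BIG-IP
# must authenticate itself to the servers with a client certificate.
create ltm virtual vs_bridge destination 192.0.2.11:443 ip-protocol tcp \
    pool pool_https \
    profiles add { tcp { } http { } cssl_app { context clientside } \
                   serverssl { context serverside } }
```

In the offload case the hop between the BIG-IP and the pool members is unencrypted, so it relies on that network segment being trusted.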


Hi Daniel,

So, for the client side SSL, I usually get the cert from my customer and create the client side SSL profile. Would the same apply to the server side SSL connection or could I use one of the available server side SSL profiles?