cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Offloading for BlueCoat explicit proxy

teoiovine
Cirrus
Cirrus

Hello.

 

A client's BlueCoat proxy is falling short on resources. It performs SSL interception so it can inspect the whole packet.

 

Given this, they've asked if and how to configure the F5 so it offloads the SSL, thus having the client part of the proxied connection in plain text (from the proxy's POV).

 

The scenario looks something like this:

 

Client --- -->[F5]------>[BC]----->[F5]------>Internet

 

(The BlueCoat speaking HTTPS with servers is not resource intensive).

 

I have struggled with the SSL intercept iApp, and SSL orchestrator. With SSLO, navigation works, however it seems to not be offloading SSL.

 

Anything is helpful. Thanks!

 

1 REPLY 1

AMiles_377865
Cirrocumulus
Cirrocumulus

Hello Teo,

 

From what I understand, I don't think you need to worry about SSL orchestrator or SSLO.

 

I'm pretty sure you can achieve this flow:

 

Client --- -->[F5]------>[BC]----->[F5]---->Internet

by applying a client-side SSL profile and by not applying a server-side SSL profile. In essence, clients would connect to the Big-IP, where the client side certificate would be used for https. Then, BIG-IP would decrypt it, sending traffic on to the Bluecoat proxy. BlueCoat inspects the client traffic, and either allows/denies it. It sends the traffic back through the BIG-IP, where it is re-encrypted and sent, not back to the client, but to whatever the client was trying to access.

 

From what I understand of BlueCoat, the client access the internet through the BlueCoat Proxy. To place a Big-IP in front of BlueCoat, you would configure a virtual server with Bluecoat as one of it's pool members. Instead of the BlueCoat proxy address, client's would enter the IP address of the virtual server.

 

The only area of the configuration I'm unsure of is sending the traffic outbound instead of back to the client, which runs against auto-last hop, which directs traffic back to its source (in this case the client). This might depend a little on how BlueCoat works, which I admittedly don't know much about. Truthfully, if the BlueCoat proxy is being overwhelmed, it might be a better solution to upgrade your BlueCoat.

 

Feel free to ask if you have any follow-up questions,

 

Austin