Currently, we have a requirement to integrate SSLO for user proxy traffic.
What I understand is that configuring an HTTP proxy service requires all the traffic to be decrypted; otherwise the traffic will bypass the service chain, since SSLO uses an HTTP header signal across an HTTP proxy device.
Is there any way to achieve this? Or, put simply, if a category needs to bypass SSL interception, then it cannot be proxied.
Appreciate your thoughts and feedback
@akvzau Sadly I'm not familiar with this process, but it should be possible to have an HTTP proxy without performing SSL termination, because we currently use one with just the LTM, without SSLO, and it works for both HTTP and HTTPS traffic. Essentially what happens in this case is that you have an HTTP tunnel between yourself and the LTM proxy, over which you then tunnel HTTPS traffic, and the LTM hands off the SSL negotiation directly to the destination. The following might be of some assistance.
When you have no decryption you need to use a layer 2 or layer 3 service; then you can send undecrypted traffic. For an HTTP service, SSLO adds a header to track the flow, and it can't do that if it is not decrypting the traffic.
This is the most important distinction between HTTP (proxy) and L3 devices. An L3 device will simply route traffic across its interfaces without manipulating the packet headers. A proxy device, by definition, alters the packet headers. SSL Orchestrator uses the ephemeral packet tuple information to track packets across inline L2 and L3 devices. But as an HTTP proxy device manipulates this information, SSL Orchestrator uses an HTTP header signal across an HTTP proxy device. This signaling mechanism limits an inline HTTP proxy device to unencrypted HTTP traffic.
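The distinction above, as an added illustration that is not code from this thread, from F5, or from SSL Orchestrator: a minimal explicit-proxy request handler in the style of the LTM setup described in the earlier reply. On cleartext HTTP the proxy rewrites the request and so can carry a per-flow signal in a header; on a CONNECT tunnel the bytes after the 200 reply are TLS records it can only relay, and prepending a header to one of them destroys the record framing, so that flow can only be tracked by its address tuple (the L2/L3 case). The header name `X-Flow-ID`, the flow-ID derivation, the `service_for` mapping and all sample traffic are placeholders constructed for this example, not SSLO's real signalling header or behaviour.

```python
# Added example (not from the thread, F5 or SSL Orchestrator). Placeholder
# header name X-Flow-ID and placeholder flow-ID scheme; sample traffic is
# constructed, not captured from a real system.
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample traffic.
PLAIN_HTTP_REQUEST = (
    b"GET http://example.com/ HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"\r\n"
)
CONNECT_REQUEST = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"\r\n"
)
# A TLS record header (type 0x16 handshake, version 3.1, length 5) followed by
# a 5-byte stand-in payload; enough to show the record framing.
TLS_HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"


@dataclass
class Decision:
    mode: str         # "http": proxy sees the message; "tunnel": opaque bytes
    forwarded: bytes  # what the proxy sends to the server side
    flow_id: str      # signal value; carried in-band only when mode == "http"


def flow_id(client_tuple: Tuple[str, int, str, int]) -> str:
    """Placeholder flow identifier derived from the connection 4-tuple."""
    key = ":".join(map(str, client_tuple)).encode()
    return hashlib.sha256(key).hexdigest()[:16]


def handle_request(raw: bytes, client_tuple: Tuple[str, int, str, int]) -> Decision:
    """Decide how an explicit proxy treats one client request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    method = request_line.split(b" ", 1)[0]
    fid = flow_id(client_tuple)
    if method == b"CONNECT":
        # The proxy answers "200 Connection Established" to the client and then
        # relays bytes; there is no upstream HTTP message to put a header in.
        return Decision("tunnel", b"", fid)
    # Cleartext HTTP: the proxy rewrites the message, so it can add the signal.
    headers.append(b"X-Flow-ID: " + fid.encode())
    forwarded = b"\r\n".join([request_line, *headers]) + b"\r\n\r\n" + body
    return Decision("http", forwarded, fid)


def parse_tls_record(data: bytes) -> Optional[Tuple[int, Tuple[int, int], int]]:
    """Return (content_type, (major, minor), length) for a well-formed TLS
    record, or None if the bytes are not one."""
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype not in (0x14, 0x15, 0x16, 0x17) or major != 3:
        return None
    if len(data) != 5 + length:
        return None
    return ctype, (major, minor), length


def inject_into_tunnel(data: bytes, fid: str) -> bytes:
    """What in-band signalling inside the tunnel would require: prepending an
    HTTP-style header to the relayed bytes. The result is no longer a TLS record."""
    return b"X-Flow-ID: " + fid.encode() + b"\r\n" + data


def service_for(decision: Decision) -> str:
    """Placeholder mapping: a header-signalled HTTP proxy service needs
    cleartext HTTP; an opaque (undecrypted) flow must go to a service that is
    tracked by tuple, i.e. an L2 or L3 service."""
    return "http-proxy-service" if decision.mode == "http" else "l2-or-l3-service"


if __name__ == "__main__":
    t = ("10.0.0.5", 50000, "93.184.216.34", 80)
    d = handle_request(PLAIN_HTTP_REQUEST, t)
    print(d.mode, service_for(d))
    print(d.forwarded.decode())
    c = handle_request(CONNECT_REQUEST, t)
    print(c.mode, service_for(c))
    print(parse_tls_record(TLS_HANDSHAKE_RECORD))
    print(parse_tls_record(inject_into_tunnel(TLS_HANDSHAKE_RECORD, c.flow_id)))
```

Running the script shows the cleartext request leaving the proxy with the extra header, the CONNECT flow producing no upstream message at all, and the sample TLS record parsing cleanly before injection and failing to parse after it. That failure is the concrete reason a header-based signal cannot cross an HTTP proxy device for a category that bypasses SSL interception; such traffic has to be steered to an L2 or L3 service instead.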