virtual server config

shaikhzaid
Altocumulus

hey guys,

I have a requirement wherein the URL https://xyz.com:9999 will be accessed over the internet.

Now, once the NAT is done by the firewall, the traffic will be passed to the virtual server (1.1.1.1:443) with client and server SSL profiles applied. The question is: do I need to apply the pool with server:port (10.10.10.10:9999) under the Resources tab of the VS?

Also, should the virtual server destination port be 443 or 9999?

I am confused here. Any help will be appreciated.


Hello,

First, the virtual server port is usually the same port the client is requesting. For example, if your request is "https://xyz.com:9999", you can configure the virtual server with the NATed IP that the firewall forwards the traffic to, and the port is "9999".

Regarding the pool member ports, it depends on what port the server is listening on and expecting to receive traffic on. As F5 has port translation enabled by default in the virtual server configuration, you can configure the pool member port as either 443 or 9999, depending on the server itself.

Feel free to raise any questions.

BR,

Mohamed Salah.

CA_Valli
MVP

If the client requests the URL specifying a destination port, which is :9999 syntax, your network equipment should be configured to accept connections to that port.

You say there's a firewall that performs NAT translation, so I'd guess this is the first access block. Does it translate the port from 9999 to 443 as well? (I'm assuming this since you say the VS is configured for port 443.)

If it doesn't, you need to have a Virtual Server configured with destination port 9999 (again, since this is specified in the client request) and with tcp, http, and clientSSL/serverSSL profiles.

BIG-IP is a default-deny device, so any client request that does not meet these criteria (= there's no listener configured) will be rejected.

F5 keeps client and server connections separate, so if you need to change the port before going to the backend server you can do it. The pool configuration should match the port configured in your server farm to listen for this connection / to serve this application.

Thank you guys for the swift response.

I have configured the firewall to translate only the public IP to the VIP on the F5.

On the virtual server config, it is listening on port 443, and the pool called in this VS is a pool with port 9999.

Also, both client and server SSL profiles are applied.

On the firewall I am getting a TCP reset from the server.

Ok, based on this information I'm expecting the reset to be on port 9999, and this is because port 9999 does not match your virtual server socket.

The Virtual Server should match the port specified in the client connection, so you need to change it to listen on port 9999.

Thanks guys again.

I understand the VS port needs to be updated to 9999 instead of 443.

But I am wondering: since the client will be requesting the URL with https in front, why do we need to make the virtual server port 9999, which is the URL port extension?

Apologies, but I am a bit new to F5.

Hello, this isn't F5-specific.

The default port for HTTP is 80 and for HTTPS is 443, but port numbers range from 0 to 65535. 

The HTTP(S) protocol allows you to specify a port number at request time. If you do, as in your case, this port will be used instead of the default port to connect to the server.

In this case, F5 is the server. So it must be configured to accept connections to this port, otherwise it won't make sense for the client to specify a port at connection time. 

Thanks, I got it.

What about the SSL profiles? Should I include the server SSL profile in the VS as well?

Well, this is up to you.
Per my experience, some customers prefer to offload the SSL decryption task to the F5 unit, so that they don't have to perform additional decryption on the backend server farm, saving resources. This usually also allows more agile administration, because you'll only need to renew the certificates on one appliance (BIG-IP) instead of on every server.
Other customers prefer to perform SSL encryption in the backend as well, because they prioritize information security across the whole network.

You might want to discuss this with your engineering team, and if your servers require the SSL handshake to be performed, you'll need a serverSSL profile. 

Hello,

Thanks, I understood your explanation. 🙂

Appreciate it.

Hello shaikhzaid,

If you are translating the IP only, you should change the virtual server port to the port requested by the client, which is "9999", because, as Cali mentioned, F5 is a deny-by-default device, and since there is no virtual server configured with port "9999" the traffic will be denied.

Take a look at the configuration again.
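The configuration the replies above converge on, written out as tmsh commands. This is an added example, not something posted in the thread; the object names (pool_xyz_9999, vs_xyz_9999) are made up here, and the addresses and ports are the ones from the original question (VIP 1.1.1.1 with the firewall translating only the IP, backend 10.10.10.10 listening on 9999).

```tcl
# Assumptions (from the thread): client connects to https://xyz.com:9999,
# the firewall NATs the public IP to 1.1.1.1 without changing the port,
# and the application on 10.10.10.10 accepts TLS on port 9999.

# Pool member uses the port the backend really listens on.
# A TCP health monitor will mark the member down if nothing answers there.
create ltm pool pool_xyz_9999 {
    members add { 10.10.10.10:9999 }
    monitor tcp
}

# The listener must match the client-side socket: port 9999, not 443.
# BIG-IP is default-deny, so a SYN to 1.1.1.1:9999 with no matching
# virtual server is reset, which is the RST the firewall was logging.
#
# clientssl terminates the client's TLS; serverssl re-encrypts toward
# the pool member. For SSL offload (plaintext to the backend) drop
# serverssl and point the pool at the backend's plaintext port instead.
create ltm virtual vs_xyz_9999 {
    destination 1.1.1.1:9999
    ip-protocol tcp
    profiles add { tcp http clientssl serverssl }
    pool pool_xyz_9999
    translate-address enabled
    translate-port enabled
}

# Sanity checks after saving: the listener shows destination 1.1.1.1:9999,
# and the pool member should be green if the backend is reachable.
save sys config
list ltm virtual vs_xyz_9999
show ltm pool pool_xyz_9999 members
```

translate-port enabled is the BIG-IP default and is what lets the virtual server port and the pool member port differ (for example 9999 on the front and 443 on the back); it is written out here only to make that dependency visible.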