03-Jul-2020 03:37
I configured two different pools on different ports (80 and 443). Both pools have the same virtual server with its VIP. The pool on port 80 was used as a trial for the project while the pool on 443 was not in use then. I also NATed the VIP on our firewall. The VIP is also resolved on the DNS server and the VIP on .80 was doing good. The problem I am having now is that when you try to reach the resolved name of the VIP in the browser it is not going through, but it is working for the .80 port. What do I do to get this resolved?
Thanks
Taiwo
03-Jul-2020 04:40 - last edited on 24-Mar-2022 01:08 by li-migration
Hi,
For the 443 pool, how are you configuring SSL? Have you configured an SSL Server profile on the VIP when the 443 pool is attached to it?
Mayur
03-Jul-2020 06:40
Hi Mayur,
I did not configure any SSL. Do I need to do this for 443? If yes, please how would I do that? I will appreciate your swift response.
Thanks
Taiwo
03-Jul-2020 07:40
Hi,
Suppose you are accessing the VIP on 443 and you have attached the 443 pool to it.
2. Now, if you want to terminate SSL on the F5 itself: for this, you need to configure a Client SSL and a Server SSL profile on the VIP where the 443 pool will be attached. The Client SSL profile will include the actual certificate that will be presented to the client during the SSL handshake. For server-side SSL, you can simply configure the default SSL profile available on F5, i.e. serverssl-insecure-compatible. Client SSL would be used for the secure session between the client and F5. Server SSL will be used for the secure session between F5 and the backend web server. This would be SSL bridging.
As per your configuration, you can choose option 1 or 2.
Hope it helps!
Mayur
03-Jul-2020 15:59
Thanks Mayur.
I tried the second option you gave me and it only worked for the APP server, but when I tried it on the web server, all the pool members turn RED, only the virtual server turns blue, and hence it did not work. Please how do I go about this SSL pass through for F5? I will appreciate it if you can give me the guideline for doing it; I have tried going through it but I couldn't get it done.
Once again, thanks for being there for me always. I will appreciate your swift responses.
05-Jul-2020 02:13
Hello, in order to use SSL pass through, you need to have the SSL certificate imported on the web server and mapped to the application. On the F5 side, you don't need to configure any client or server SSL profile on the virtual server. Just configure an http profile and enable SNAT if required.
In the other scenario, is it possible for you to share the Virtual Server and Pool configuration here to check it?
Mayur
05-Jul-2020 04:50
Hi Mayur,
Thanks and God bless you for the assistance so far. I have imported the SSL certificate and mapped it to the application but it is still not working. The configurations of the node, pool and VS are attached here as requested.
05-Jul-2020 04:51
06-Jul-2020 04:24
Hello, thanks for sharing the details. As per the attached snaps, I can see you have enabled the https_443 health monitor under the pool, but both pool members are showing offline, so the pool itself is down. It seems the service on 443 is not up and running on your web servers. You can verify it by doing telnet web-server-IP on 443 from a system from which your web server is reachable. Telnet will fail. So to troubleshoot further, please check the points below:
1. Service 443 is properly mapped with your application on the web-server.
2. Certificate is properly mapped.
3. Local Firewall is not restricting the incoming traffic on the web-server.
If telnet is successful from your system, you also need to check if web-server is reachable from F5.
Hope it helps!
Mayur
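The checks listed in the reply above can be staged in one probe run against each pool member's own IP (not the VIP). This is an added example, not part of the original thread and not F5 code; the function name `probe_https_member` and the address `192.0.2.10` are assumptions made for illustration.

```python
import socket
import ssl


def probe_https_member(host, port=443, timeout=3.0):
    """Return (stage, detail): how far a connection to a pool member gets.

    stage is one of:
      "tcp_failed"  - nothing listening, or a firewall drops/rejects the SYN
      "tls_failed"  - port is open but no TLS handshake completes
      "http_failed" - TLS is up but no HTTP status line comes back
      "ok"          - TLS handshake and an HTTP response both succeed
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)

    # Reachability check only: certificate validation is deliberately off,
    # so a self-signed or mismatched certificate does not mask the result.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return "tls_failed", str(exc)

    try:
        tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        status = tls.recv(256).split(b"\r\n", 1)[0].decode(errors="replace")
    except OSError as exc:
        return "http_failed", str(exc)
    finally:
        tls.close()
    if not status.startswith("HTTP/"):
        return "http_failed", status
    return "ok", status


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for a web server IP.
    print(probe_https_member("192.0.2.10", 443))
```

A `tcp_failed` result points at the service binding or a local firewall on the web server, while `tls_failed` on an open port points at the certificate or HTTPS binding.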
06-Jul-2020 06:45
Hi Mayur,
Thanks for being there for me at all times.
I can't telnet in to the virtual server; I tried it but it was not going. I have checked my firewall also and it is allowing traffic from the virtual server. As you can see from the snapshot sent to you, the certificate was well mapped; you can even see the certificate through the browser while trying to access the virtual server. But I can reach the virtual server by pinging from the tmsh prompt.
I still need help, please don't be tired of helping me, my company is on my neck, it just has to work.
Thanks
Taiwo
06-Jul-2020 08:35
Actually I was asking you to check telnet to the web server IP, not the F5's virtual server. As the pool is showing down, I am suspecting something on the web server/application side, not on the F5 side.
Mayur