ssl offload
12 Topics

How useful is SSL mirroring when clustering?
When clustering, persistence mirroring is a no-brainer, and connection mirroring can also be useful under the right circumstances, but how about SSL connection mirroring? (https://support.f5.com/csp/article/K7216) Is there a clear performance benefit for the F5 / Client or a security benefit?
From what I've heard/read (hardly reliable sources... ;), it may be useful in very large scenarios where you are dealing with very large numbers of SSL sessions and a failover event would otherwise trigger all these SSL connections to re-establish, putting a lot of strain on the system. At the same time, for many smaller systems, that initial strain might be manageable compared to the additional overhead of the synchronization that the SSL synchronization may not be worth it.
Not to mention other issues such as the recently discovered bug that means you have to disable SSL caching. (https://cdn.f5.com/product/bugtracker/ID760406.html) Meaning you are now trading one benefit for another...
Anybody got any ideas or able to shed any light on it?? Thanks in advance!
Solved, 1.6K Views, 0 likes, 4 Comments

SSL off-loading and secure WebSocket
Hi,
We have a Big-IP load balancer, and we are planning to publish a web application that uses secure WebSockets (WSS). We are a little bit concerned about how the load balancer is going to handle this situation, because of the SSL offloading. Is there anything special we have to configure or take care of?
Clients will send an HTTPS request with a WebSocket handshake that includes the HTTP headers "Upgrade: websocket" and "Connection: Upgrade". Will the load balancer populate those headers to the web server? Will the load balancer understand that those connections are persistent and non-HTTP?
Thanks.
1.2K Views, 0 likes, 8 Comments

SSL Orchestrator config error
Hello,
Do you know how to revert or correct a configuration error on sslo? The only way we managed to get rid of an error is to completely delete the sslo config and recreate it again. There is a message saying that we have to click on undeploy and try again but I don't see any undeploy button!!
We're running sslo version 5.
Thanks
248 Views, 0 likes, 1 Comment

SSL Offloading for BlueCoat explicit proxy
Hello.
A client's BlueCoat proxy is falling short on resources. It performs SSL interception so it can inspect the whole packet. Given this, they've asked if and how to configure the F5 so it offloads the SSL, thus having the client part of the proxied connection in plain text (from the proxy's POV).
The scenario looks something like this:
Client --- -->[F5]------>[BC]----->[F5]------>Internet
(The BlueCoat speaking HTTPS with servers is not resource intensive.)
I have struggled with the SSL intercept iApp, and SSL orchestrator. With SSLO, navigation works, however it seems to not be offloading SSL.
Anything is helpful. Thanks!
639 Views, 0 likes, 1 Comment

SSL offload and HTTPs persistence
Hi,
Currently I have HTTP clients accessing two Servers in a pool behind an F5. I need persistence towards the two Servers and I'm using a Persistence Profile with an HTTP iRule. Now the customer wants to use HTTPS Clients towards the two Servers, which will have HTTPS ports configured.
As I want to keep persistence towards the two Servers, I understand from reading other posts here that I need to offload SSL in F5, so decrypt, run the HTTP Persistence iRule and then encrypt again. Am I correct in that thinking?
I'm wondering about the way to implement this on F5. Both Servers will have the same SSL cert/key. To make this work, do I create a VS with type "standard" and then create a Client and Server SSL Profile using the SSL cert/key from the Servers?
As regards the iRule, do I need to modify the rule below replacing HTTP with HTTPS or leave it as is?
314 Views, 0 likes, 2 Comments

Crypto Client's clientssl profile config issue (External Crypto)
Hi Everyone,
Who has configured the external crypto function? Are the Crypto Client's clientssl profile cert & key and the Crypto Server's crypto-server-default-clientssl profile cert & key the same?
This guide "https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/18.html" is not very clear about the certificate requirements.
Many thanks
D.Luo
350 Views, 0 likes, 2 Comments

About F5 VE External Cryptographic issue.
Hi Everyone,
I refer to this guide https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/18.html in my lab.
Client -----> BIGIP-1 VE v12.1 (Crypto client) -----> BIGIP-2 VE v12.1 (Crypto Server)
I used the tmsh command show crypto server and have normal output, as below.
Sys::Crypto Server: my_Crypto_Server
Received Packets 156
Received Bytes 6.1K
Transmitted Packets 156
Transmitted Bytes 3.8K
But the client web browser displays the common name localhost.localdomain from the Crypto client's default clientssl cert, not the Crypto server's crypto-server-default-clientssl cert.
My understanding was that the purpose of using the External Crypto function is to use the Crypto server to securely save and manage the certificate. The Crypto server is responsible for the final SSL offload function. So I think the certificate displayed by the client browser should be the Crypto server's instead of the Crypto client's localhost.localdomain.
Do I understand correctly, and how do I configure it correctly?
Many Thanks
D.Luo
271 Views, 0 likes, 1 Comment

Certificate Issue : unable to find valid certification path to requested target
Hello,
We deployed a staging e-payment application, using a Virtual Server with these properties:
port : https
protocol profile : mptcp-mobile-optimized
HTTP Profile : XFF
SSL Profile : 2 certificates - The issued certificate & a second certificate with Default SSL Profile for SNI
SNAT Pool : ip in the same subnet as nodes.
Pool : 2 pool members with port 7010
I'm using public certificates (signed by CA Verisign G5 & CA Symantec G4). The web page is displayed correctly, & SSL checks say all is OK (tested with "; & ";).
The actual issue is that the transaction doesn't pass over https (in http it works fine). Here's the error message received from the client side:
-An exception occured in HTTPProcess sendMessage. Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
- doPost exception encountered. Exception: java.lang.NullPointerException.
Can you support us please?
1.2K Views, 0 likes, 6 Comments

Full proxy not working when try to use SSL offload + HTTP-to-HTTPS redirect
Hi Everyone,
I have some questions about full proxy with SSL offload. My scenario is that I have a web application which runs on port 80. I then try to make it HTTPS for all paths by using an F5 LTM policy which redirects all HTTP requests to HTTPS and performs SSL offload.
The problem is that the application doesn't work properly after doing that. I'm not sure why it's not working. From the concept of full proxy, this should work with no problem because the F5 isolates the client side and server side (the server side still sends traffic on port 80). At first I thought it was due to hardcoded HTML in the application, but that's not correct, since the F5 still sends traffic on port 80 the same as before.
Is there any concern when using HTTP-to-HTTPS redirect + SSL offload?
Thank you
324 Views, 0 likes, 3 Comments

SAN SSL Certificates on F5 LTM
Hello,
I have a requirement to offload MS Exchange 2013 (OWA) traffic on F5 LTM. We now need to go for a CA signed certificate. As per the F5 documentation, LTM supports only SAN certificates, not SNI, but I am confused in selecting the certificates from the link below. I want to know which certificate I should go for.
https://www.thawte.com/ssl/index.html
Note: we currently have two domains for which SSL offloading is needed.
www.xyz.com
mail.xyz.com
Regards,
Akhtar
346 Views, 0 likes, 2 Comments