ssl passthrough
4 Topics

X-Forwarded-for with SSL Passthrough (no offloading on LTM)
Hi, Is there a way to get X-forwarded-for working with SSL passthrough (NO offloading)? I have some system owners who refuse to have any form of "man in the middle" sessions and require the F5 to pass all SSL sessions directly to the web servers, so I cannot do any form of SSL offloading or SSL proxying. I've had success using an HTTP profile with x-forwarded-for enabled; however, I know you cannot use an HTTP profile if the VS is set to use 443. Is there perhaps an iRule I could use and if so what would it look like, or something else as simple as enabling X-forwarded-for elsewhere? (I'm very new to F5 / LTM so any detailed steps would be greatly appreciated) Thanks in advance!
3.9K Views, 0 likes, 8 Comments

Forward proxy with SSL passthrough - SWG license required?
Hi, At one site with a single v15 VE I need to proxy outbound traffic, but without SSL inspection. Most docs relating to SSL passthrough assume that targets are internal and pooled but this is not my scenario: internal clients must connect to numerous (but specified) external URLs outside my control, and whose IPs are constantly changing. This similar query states solved via iApp but does not specify which one, or much detail on the final config. Regarding the license aspect, other proxy-related posts refer to the need for SWG license (which I don't have) - would I need this? The documentation for this use-case is unclear; any comments/tips gratefully received! Cheers, auto
929 Views, 0 likes, 5 Comments

TLS handshake in passthrough scenario
Hi All, This might be a basic question but I would like to know how the SSL/TLS handshake takes place in an SSL passthrough scenario. If we are not doing the offloading, there is no certificate installed on the F5, then how will the handshake happen? Will the TLS hello packets be forwarded directly to the backend server? I couldn't find any documentation on this scenario. Any help would be great. I assume this would be the case for any load balancer and not just F5. Thanks!
1.2K Views, 0 likes, 10 Comments

OWA + http profile not working
I need help getting Outlook Web App working. We currently have a test environment with Exchange. We have OWA working just fine. The user goes to: https://outlook-test.mycompany.com. The default html on the www root redirects them to https://outlook-test.mycompany.com/owa. Then it hits the OWA app (I presume) and gets redirected to: https://outlook-test.mycompany.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2foutlook-test.mycompany.com%2fowa%2f.

That all works fine, but here comes the F5 part. I need to start moving things behind the F5, and the Exchange environment is not currently behind the F5. For a separate project I need to set up external access to OWA using F5 APM and SAML. What I’m trying to do is get it working in our test environment without breaking the current OWA access. I can get it working, but once I get into the APM aspect it breaks, so I’m taking a few steps back and trying to figure out what is breaking it.

Scenario 1 – THIS WORKS

Set up a virtual server using the IIS template. Set up SSL passthrough, point the VIP at the two CAS/HUB servers. This works! The user goes to: https://outlook-test-f5.mycompany.com. The default html on the www root redirects them to https://outlook-test-f5.mycompany.com/owa. Then it hits the OWA app (I presume) and gets redirected to: https://outlook-test-f5.mycompany.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2foutlook-test-f5.mycompany.com%2fowa%2f.

However, to use an access policy I need to have an HTTP profile. When I add an HTTP profile then everything breaks. After doing a little reading I came to the conclusion that if I had an HTTP profile that I needed to do SSL bridging. So I changed it from SSL pass through to SSL bridging and created an SSL client and SSL server profile.

Once I add a client and server SSL profile (as well as an HTTP profile) I hit the F5 and it looks like I’m getting the “root” redirect to /owa (see step 2 above), but then I never get the next redirect to /owa/auth/logon.aspx… I know little to nothing about OWA. Not sure why I can get this to work without the HTTP profile doing SSL passthrough, but then break it as soon as I start doing SSL bridging. Thoughts?
326 Views, 0 likes, 2 Comments