Currently I have a standard VIP setup using a SSL client profile and SSL server profile. How do I configure it for pass-through?

To answer this How to configure SSL Pass-through There's nothing to configure on the F5 for ssl 'passthrough'. It just means the SSL traffic is passed as it is through the F5 to the backend servers, not terminated on the F5. No layer 7 processing can be performed on the F5 as traffic is encrypted.

If you want to still be able to use an HTTP profile you will have to select the Proxy SSL option in both of your profiles. That will also require your pool members to support all the ciphers you make available in the client SSL profile and you will need to disable Diffie-Hellman ciphers. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html If you don't need to use an HTTP profile you can just remove both of your client and server SSL profiles.

I do have to use the HTTP profile because I need to have a persistence setting SSLSERVER. But can this be done just on the VIP or do I have to create a custom server profile just for this VIP so I don't affect the parent profile for other VIP's and select the Proxy SSL. Also to confirm I need to do this on the Client and the Server side SSL profile?

How to configure SSL Pass-through

17 Replies

RiadSanchz
Cirrus
Feb 08, 2018
To answer this How to configure SSL Pass-through

There's nothing to configure on the F5 for ssl 'passthrough'. It just means the SSL traffic is passed as it is through the F5 to the backend servers, not terminated on the F5. No layer 7 processing can be performed on the F5 as traffic is encrypted.
Brad_Parker_139
Nacreous
Nov 17, 2015
If you want to still be able to use an HTTP profile you will have to select the Proxy SSL option in both of your profiles. That will also require your pool members to support all the ciphers you make available in the client SSL profile and you will need to disable Diffie-Hellman ciphers. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

If you don't need to use an HTTP profile you can just remove both of your client and server SSL profiles.
- Andre_Lofton_14
  Nimbostratus
  Nov 18, 2015
  I do have to use the HTTP profile because I need to have a persistence setting SSLSERVER. But can this be done just on the VIP or do I have to create a custom server profile just for this VIP so I don't affect the parent profile for other VIP's and select the Proxy SSL. Also to confirm I need to do this on the Client and the Server side SSL profile?
- Brad_Parker_139
  Nacreous
  Nov 18, 2015
  yes, you should create a custom client and server SSL profile and enable it on both. Be sure to read the SOL for any gotchas. Also, you say you need an HTTP profile for persistence. What kind of persistence are you using?
- R_Marc_77962
  Nimbostratus
  Nov 19, 2015
  Persistence can be done on SSL session ID as well. Not quite as good, in general, as cookie insert but better than source IP. If you are proxying http traffic, however, you have more options available to you with an http profile. If it's TCP over SSL of a non-HTTP variety, obviously don't. Also, IMNSHO, always create a custom profile, for every VIP and every profile type (same for persistence). I've seen too many clients break because of an innocuous change to one of the default profiles (also it's very cheap to say "create ltm profile my-new-profile- { } ")
Brad_Parker
Cirrus
Nov 17, 2015
If you want to still be able to use an HTTP profile you will have to select the Proxy SSL option in both of your profiles. That will also require your pool members to support all the ciphers you make available in the client SSL profile and you will need to disable Diffie-Hellman ciphers. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

If you don't need to use an HTTP profile you can just remove both of your client and server SSL profiles.
- Andre_Lofton_14
  Nimbostratus
  Nov 18, 2015
  I do have to use the HTTP profile because I need to have a persistence setting SSLSERVER. But can this be done just on the VIP or do I have to create a custom server profile just for this VIP so I don't affect the parent profile for other VIP's and select the Proxy SSL. Also to confirm I need to do this on the Client and the Server side SSL profile?
- Brad_Parker
  Cirrus
  Nov 18, 2015
  yes, you should create a custom client and server SSL profile and enable it on both. Be sure to read the SOL for any gotchas. Also, you say you need an HTTP profile for persistence. What kind of persistence are you using?
- R_Marc_77962
  Nimbostratus
  Nov 19, 2015
  Persistence can be done on SSL session ID as well. Not quite as good, in general, as cookie insert but better than source IP. If you are proxying http traffic, however, you have more options available to you with an http profile. If it's TCP over SSL of a non-HTTP variety, obviously don't. Also, IMNSHO, always create a custom profile, for every VIP and every profile type (same for persistence). I've seen too many clients break because of an innocuous change to one of the default profiles (also it's very cheap to say "create ltm profile my-new-profile- { } ")
Randy_O__307506
Nimbostratus
Sep 25, 2017
Question on this please. If no client/server SSL profiles are defined on the F5, therefore only pass-though as originally stated, does that mean the client --> f5 connection is unencrypted and will show as such in a packet capture? Note: this question is directed at Brad Parker's answer.