Forum Discussion
VIP-targeting-VIP solution using Standard and performance L4 VS
- Sep 12, 2023
In that scenario, since the standard virtual server is terminating TLS, the traffic still all needs to be handled by the first tmm. The fastest path is to just let it do its job and forward the traffic.
Forwarding it to a second virtual server starts another handshake (w/ TCP) between two tmms where the second makes a load balancing decision, so essentially you're adding unnecessary overhead by forwarding just to have a load balancing decision made at the second virtual server.
This is a good reference article. https://my.f5.com/manage/s/article/K8082#l4
The FPGA is in the dataplane on ingress and egress from the switch (iSeries, for example) or is the network interface on rSeries. Therefore, if the first tmm terminating TLS has to process the traffic, it's being released down to the FPGA for forwarding on egress already.
https://my.f5.com/manage/s/article/K12015
Virtual servers capable of performing SSL decryption/encryption
If you want the BIG-IP system to decrypt and/or encrypt SSL traffic, you must define the following virtual server type:
- Standard
The standard virtual server is the only virtual server type that can be associated with Client SSL and Server SSL profiles, and perform SSL decryption and/or encryption. If you want the BIG-IP system to decrypt and/or encrypt SSL traffic, you must import the SSL certificates to the BIG-IP system and configure a standard virtual server and appropriate SSL profile.
As you can see below, there is no configuration option for clientssl on anything other than a standard virtual server. But in your scenario, the FPGA fast-path forwarding would happen before TLS termination, which needs to be done by tmm. The FPGA and crypto chipsets are different hardware components within a BIG-IP, and tmm pushes the crypto operations to the specialized hardware for offload.
Thanks for the explanation, I "thought" that performance L4 had the ssl client/server config in it.
But I'm corrected. I was thinking of HTTP Profiles!
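The rule quoted from K12015 can be checked before a generated configuration is loaded. The following is an added example, not part of the thread or F5's code: a small lint that reads `tmsh list ... one-line` style text and reports which virtual servers can terminate TLS. The sample input, object names and verdict strings are constructed for illustration, and the parser assumes one object per line with space-separated braces.

```python
import re

# Constructed input in `tmsh list ... one-line` style; all names and addresses are made up.
SAMPLE = """\
ltm profile client-ssl cssl_app { defaults-from clientssl }
ltm profile fastl4 l4_app { defaults-from fastL4 }
ltm virtual vs_front_tls { destination 192.0.2.10:https pool pool_app profiles { cssl_app { context clientside } http { } tcp { } } }
ltm virtual vs_passthrough { destination 192.0.2.11:https pool pool_app profiles { l4_app { } } }
ltm virtual vs_bad_template { destination 192.0.2.12:https pool pool_app profiles { cssl_app { context clientside } l4_app { } } }
"""

# Built-in parent profiles, mapped to their tmsh profile type.
BUILTIN = {"clientssl": "client-ssl", "serverssl": "server-ssl", "fastL4": "fastl4"}
SSL_TYPES = {"client-ssl", "server-ssl"}
# Verdict keyed by (has a fastl4 profile, has an SSL profile); wording is this example's own.
VERDICT = {(True, True): "invalid: SSL profile on Performance (Layer 4)",
           (True, False): "performance-l4: no TLS termination",
           (False, True): "standard: terminates TLS",
           (False, False): "other: no SSL or fastL4 profile"}

def profile_names(line):
    """Names attached directly under `profiles { ... }` on a one-line virtual."""
    m = re.search(r"\bprofiles \{", line)
    names, depth = [], 1
    for tok in (line[m.end():].split() if m else []):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                break  # closing brace of the profiles block
        elif depth == 1:
            names.append(tok)
    return names

def audit(conf):
    """Map each virtual server name to a verdict from VERDICT."""
    types = dict(BUILTIN)
    # Profile names are arbitrary, so resolve each one to its declared type.
    for ptype, name in re.findall(r"^ltm profile (\S+) (\S+) \{", conf, re.M):
        types[name] = ptype
    report = {}
    for name, rest in re.findall(r"^ltm virtual (\S+) \{(.*)$", conf, re.M):
        attached = {types.get(p) for p in profile_names(rest)}
        l4, ssl = "fastl4" in attached, bool(attached & SSL_TYPES)
        report[name] = VERDICT[(l4, ssl)]
    return report

if __name__ == "__main__":
    for vs, verdict in audit(SAMPLE).items():
        print(f"{vs}: {verdict}")
```
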