F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Local Traffic Manager: Implementations
  3. Configuring an SSL Intercept Explicit Proxy Mode
Manual Chapter : Configuring an SSL Intercept Explicit Proxy Mode

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Link Controller

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Configuring an SSL Intercept Explicit Proxy Mode

About SSL intercept explicit proxy mode

A typical SSL intercept explicity proxy mode configuration includes two BIG-IP devices, one configured to manage half-proxy client traffic and one configured to manage half-proxy server traffic. When the ingress BIG-IP system receives a client request, SSL decrypts the request. The ingress BIG-IP system then sends metadata to the egress BIG-IP system by means of the out-of-band TCP connection and sends the request data to the inspection device. When the egress BIG-IP system receives the metadata through the out-of-band connection and the request from the inspection device, it uses the information in the metadata, re-encrypts the request, and forwards it to the destination server.
The following illustration depicts an example configuration.
An example SSL intercept explicity proxy mode configuration
An example SSL intercept explicity proxy mode configuration

The SplitSession Client profile type

The SplitSession Client profile defines the client parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Peer Port, which specifies the port for the SplitSession peer that is connected to the out-of-band connection, and the Peer IP address, which specifies the IP address for the SplitSession peer that is connected to the out-of-band connection.

The SplitSession Server profile type

The SplitSession Server profile defines the server parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Listen Port, which specifies the port that the SplitSession server listens on for the out-of-band connection, and the Listen IP address, which specifies the IP address that the SplitSession server listens on for the out-of-band connection.

Task summary for configuring SSL intercept explicit proxy mode

Complete these tasks to configure an SSL intercept explicit proxy configuration.

Creating a pool to process HTTP traffic for an inspection device

You can create a pool that includes an inspection device to process HTTP requests.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
     field, type a unique name for the pool.
  4. Using the
    New Members
     setting, add each resource that you want to include in the pool:
    1. Type an IP address in the
      Address
       field.
    2. Type
      80
       in the
      Service Port
       field, or select
      HTTP
       from the list.
    3. (Optional) Type a priority number in the
      Priority
       field.
    4. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.

Creating an ingress explicit proxy virtual server

Before you configure an ingress explicit proxy virtual server, you need to configure a SplitSession Client profile and pool to assign to the virtual server.
You can configure an ingress explicit proxy virtual server to manage the client split-session half-proxy traffic from a client to the inspection device.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
     field, type a unique name for the virtual server.
  4. In the
    Description
     field, type a description of the virtual server.
  5. In the
    Source Address
     field, type
    0.0.0.0/0
     for the source address and prefix length.
  6. In the
    Destination Address/Mask
     field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is
    0.0.0.0/0
    , and an IPv6 address/prefix is
    ::/0
    . To specify a network, an IPv4 address/prefix is
    10.07.0.0
     or
    10.07.0.0/24
    , and an IPv6 address/prefix is
    ffe1::/64
     or
    2001:ed8:77b5::/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
    For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the
    Service Port
     field, type
    443
     or select
    HTTPS
     from the list.
  8. From the
    HTTP Profile
     list, select
    http
    .
  9. For the
    SSL Profile (Client)
     setting, select a client SSL profile.
  10. From the
    Protocol
     list, select
    TCP
    .
  11. From the SplitSession Client Profile list, select
    splitsessionclient
     or a custom SplitSession Client profile.
  12. From the
    Default Pool
     list, select the name of the HTTP server pool that you previously created.
  13. Click
    Finished
    .
An ingress explicit proxy virtual server is configured to manage the client split-session half-proxy traffic from a client to the inspection device.

Creating a SplitSession Server profile

You can create a SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Server
    .
    The SplitSession Server profile list screen opens.
  2. Click
    Create
    .
    The New SplitSession Server Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. From the
    Parent Profile
     list, retain the default value or select another existing profile of the same type.
  5. In the
    Listen Port
     field, type a value for the the port of the SplitSession server listens on for the out-of-band connection.
  6. In the
    Listen IP
     field, type the IP address of the SplitSession server listens on for the out-of-band connection.
  7. Click
    Finished
    .
A SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. Select the
    Proxy SSL
     check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
     check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate
     and
    Key
     using the identical Certificate and Key details configured on the server.
    Import the details to the BIG-IP system prior to configuring
    Proxy SSL
    .
  8. Click
    Finished
    .
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
     field, type a unique name for the pool.
  4. For the
    Health Monitors
     setting, assign
    https
     or
    https_443
     by moving it from the
    Available
     list to the
    Active
     list.
  5. From the
    Load Balancing Method
     list, select how the system distributes traffic to members of this pool.
    The default is
    Round Robin
    .
  6. For the
    Priority Group Activation
     setting, specify how to handle priority groups:
    • Select
      Disabled
       to disable priority groups. This is the default option.
    • Select
      Less than
      , and in the
      Available Members
       field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the
    New Members
     setting to add each resource that you want to include in the pool:
    1. In the
      Address
       field, type an IP address.
    2. In the
      Service Port
       field type
      443
       , or select
      HTTPS
       from the list.
    3. (Optional) Type a priority number in the
      Priority
       field.
    4. Click
      Add
      .
  8. Click
    Finished
    .
The HTTPS load balancing pool appears in the Pool List screen.

Creating an egress explicit proxy virtual server

Before you configure an egress explicit proxy virtual server, you need to configure a SplitSession Server profile and pool to assign to the virtual server.
You can configure an egress explicit proxy virtual server to manage the server split-session half-proxy traffic from an inspection device to a server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
     field, type a unique name for the virtual server.
  4. In the
    Description
     field, type a description of the virtual server.
  5. In the
    Source Address
     field, type
    0.0.0.0/0
     for the source address and prefix length.
  6. In the
    Destination Address/Mask
     field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is
    0.0.0.0/0
    , and an IPv6 address/prefix is
    ::/0
    . To specify a network, an IPv4 address/prefix is
    10.07.0.0
     or
    10.07.0.0/24
    , and an IPv6 address/prefix is
    ffe1::/64
     or
    2001:ed8:77b5::/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
    For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the
    Service Port
     field, type
    443
     or select
    HTTPS
     from the list.
  8. For the
    SSL Profile (Server)
     setting, select a server SSL profile.
  9. From the
    Protocol
     list, select
    TCP
    .
  10. From the SplitSession Server Profile list, select
    splitsessionserver
     or a custom SplitSession Server profile.
  11. From the
    Default Pool
     list, select the name of the HTTP server pool that you previously created.
  12. Click
    Finished
    .
An egress explicit proxy virtual server is configured to manage the server split-session half-proxy traffic from an inspection device to a server.

Creating a SplitSession Client profile

You can create a SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Client
    .
    The SplitSession Client profile list screen opens.
  2. Click
    Create
    .
    The New SplitSession Client Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. From the
    Parent Profile
     list, retain the default value or select another existing profile of the same type.
  5. In the
    Peer Port
     field, type a value for the the port of the SplitSession peer assigned to the out-of-band connection.
  6. In the
    Peer IP
     field, type the IP address of the SplitSession peer assigned to the out-of-band connection.
  7. Click
    Finished
    .
A SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. Select
    clientssl
     in the
    Parent Profile
     list.
  5. Select the
    Proxy SSL
     check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
     check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate Key Chain
    .
    The
    Certificate
     and
    Key
     under ClientSSL profile are not used in
    Proxy SSL
     (since the client and the server will eventually verify each other). F5 recommends leaving the default F5 cert/key pair.
  8. Click
    Finished
    .
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information