Manual Chapter : Configuring an SSL Intercept Explicit Proxy Mode

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AAM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Configuring an SSL Intercept Explicit Proxy Mode

About SSL intercept explicit proxy mode

A typical SSL intercept explicity proxy mode configuration includes two BIG-IP devices, one configured to manage half-proxy client traffic and one configured to manage half-proxy server traffic. When the ingress BIG-IP system receives a client request, SSL decrypts the request. The ingress BIG-IP system then sends metadata to the egress BIG-IP system by means of the out-of-band TCP connection and sends the request data to the inspection device. When the egress BIG-IP system receives the metadata through the out-of-band connection and the request from the inspection device, it uses the information in the metadata, re-encrypts the request, and forwards it to the destination server.
The following illustration depicts an example configuration.
An example SSL intercept explicity proxy mode configuration
An example SSL intercept explicity proxy     mode configuration

The SplitSession Client profile type

The SplitSession Client profile defines the client parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Peer Port, which specifies the port for the SplitSession peer that is connected to the out-of-band connection, and the Peer IP address, which specifies the IP address for the SplitSession peer that is connected to the out-of-band connection.

The SplitSession Server profile type

The SplitSession Server profile defines the server parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Listen Port, which specifies the port that the SplitSession server listens on for the out-of-band connection, and the Listen IP address, which specifies the IP address that the SplitSession server listens on for the out-of-band connection.

Task summary for configuring SSL intercept explicit proxy mode

Complete these tasks to configure an SSL intercept explicit proxy configuration.

Creating a pool to process HTTP traffic for an inspection device

You can create a pool that includes an inspection device to process HTTP requests.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. Using the
    New Members
    setting, add each resource that you want to include in the pool:
    1. Type an IP address in the
      Address
      field.
    2. Type
      80
      in the
      Service Port
      field, or select
      HTTP
      from the list.
    3. (Optional) Type a priority number in the
      Priority
      field.
    4. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.

Creating an ingress explicit proxy virtual server

Before you configure an ingress explicit proxy virtual server, you need to configure a SplitSession Client profile and pool to assign to the virtual server.
You can configure an ingress explicit proxy virtual server to manage the client split-session half-proxy traffic from a client to the inspection device.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Description
    field, type a description of the virtual server.
  5. In the
    Source Address
    field, type
    0.0.0.0/0
    for the source address and prefix length.
  6. In the
    Destination Address
    field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is
    0.0.0.0/0
    , and an IPv6 address/prefix is
    ::/0
    . To specify a network, an IPv4 address/prefix is
    10.07.0.0
    or
    10.07.0.0/24
    , and an IPv6 address/prefix is
    ffe1::/64
    or
    2001:ed8:77b5::/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  8. From the
    HTTP Profile
    list, select
    http
    .
  9. For the
    SSL Profile (Client)
    setting, select a client SSL profile.
  10. From the
    Protocol
    list, select
    TCP
    .
  11. From the SplitSession Client Profile list, select
    splitsessionclient
    or a custom SplitSession Client profile.
  12. From the
    Default Pool
    list, select the name of the HTTP server pool that you previously created.
  13. Click
    Finished
    .
An ingress explicit proxy virtual server is configured to manage the client split-session half-proxy traffic from a client to the inspection device.

Creating a SplitSession Server profile

You can create a SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Server
    .
    The SplitSession Server profile list screen opens.
  2. Click
    Create
    .
    The New SplitSession Server Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, retain the default value or select another existing profile of the same type.
  5. In the
    Listen Port
    field, type a value for the the port of the SplitSession server listens on for the out-of-band connection.
  6. In the
    Listen IP
    field, type the IP address of the SplitSession server listens on for the out-of-band connection.
  7. Click
    Finished
    .
A SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. From the
    Configuration
    list, select
    Advanced
    .
  6. Select the
    Custom
    check box.
    The settings become available for change.
  7. From the
    SSL Forward Proxy
    list, select
    Enabled
    .
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the
    SSL Forward Proxy Bypass
    list, select
    Enabled
    (or retain the default value
    Disabled
    ).
    The values of the
    SSL Forward Proxy Bypass
    settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the
    Secure Renegotiation
    list and select
    Request
    .
  10. Click
    Finished
    .
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. For the
    Health Monitors
    setting, assign
    https
    or
    https_443
    by moving it from the
    Available
    list to the
    Active
    list.
  5. From the
    Load Balancing Method
    list, select how the system distributes traffic to members of this pool.
    The default is
    Round Robin
    .
  6. For the
    Priority Group Activation
    setting, specify how to handle priority groups:
    • Select
      Disabled
      to disable priority groups. This is the default option.
    • Select
      Less than
      , and in the
      Available Members
      field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the
    New Members
    setting to add each resource that you want to include in the pool:
    1. In the
      Address
      field, type an IP address.
    2. In the
      Service Port
      field type
      443
      , or select
      HTTPS
      from the list.
    3. (Optional) Type a priority number in the
      Priority
      field.
    4. Click
      Add
      .
  8. Click
    Finished
    .
The HTTPS load balancing pool appears in the Pool List screen.

Creating an egress explicit proxy virtual server

Before you configure an egress explicit proxy virtual server, you need to configure a SplitSession Server profile and pool to assign to the virtual server.
You can configure an egress explicit proxy virtual server to manage the server split-session half-proxy traffic from an inspection device to a server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Description
    field, type a description of the virtual server.
  5. In the
    Source Address
    field, type
    0.0.0.0/0
    for the source address and prefix length.
  6. In the
    Destination Address
    field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is
    0.0.0.0/0
    , and an IPv6 address/prefix is
    ::/0
    . To specify a network, an IPv4 address/prefix is
    10.07.0.0
    or
    10.07.0.0/24
    , and an IPv6 address/prefix is
    ffe1::/64
    or
    2001:ed8:77b5::/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  8. For the
    SSL Profile (Server)
    setting, select a server SSL profile.
  9. From the
    Protocol
    list, select
    TCP
    .
  10. From the SplitSession Server Profile list, select
    splitsessionserver
    or a custom SplitSession Server profile.
  11. From the
    Default Pool
    list, select the name of the HTTP server pool that you previously created.
  12. Click
    Finished
    .
An egress explicit proxy virtual server is configured to manage the server split-session half-proxy traffic from an inspection device to a server.

Creating a SplitSession Client profile

You can create a SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Client
    .
    The SplitSession Client profile list screen opens.
  2. Click
    Create
    .
    The New SplitSession Client Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, retain the default value or select another existing profile of the same type.
  5. In the
    Peer Port
    field, type a value for the the port of the SplitSession peer assigned to the out-of-band connection.
  6. In the
    Peer IP
    field, type the IP address of the SplitSession peer assigned to the out-of-band connection.
  7. Click
    Finished
    .
A SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Select
    clientssl
    in the
    Parent Profile
    list.
  5. From the
    Configuration
    list, select
    Advanced
    .
  6. Select the
    Custom
    check box.
    The settings become available for change.
  7. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  8. From the
    Configuration
    list, select
    Advanced
    .
  9. Modify the settings, as required.
  10. Click
    Finished
    .