Manual Chapter : Manipulating HTTPS Traffic by Using a Third-Party Device

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Link Controller

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Manipulating HTTPS Traffic by Using a Third-Party Device

Overview: Manipulating HTTPS traffic by using a third-party device

You can configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.
When you configure a virtual server to use the Transparent Nexthop control, traffic matching the virtual server is sent to the specified interface and the layer 2 addressing on the ingress packet is preserved. Configuring the Transparent Nexthop to specify the VLAN that is configured with the inspection device eliminates the need to configure a pool, NAT, SNAT, or other load balancing functionality to the inspection device.
Transparent Nexthop functionality requires a license that supports that functionality. If the Transparent Nexthop control does not appear on the New Virtual Server screen, contact your F5 Networks support representative to acquire the necessary license.
The basic process used in this configuration is as follows:
  1. A client sends an HTTPS request to a server by means of the BIG-IP device.
  2. The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
  3. The inspection device receives and, as necessary, modifies the cleartext request.
  4. The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
  5. The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
  6. The server sends a response to the client by means of the BIG-IP device.
  7. The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
  8. The inspection device receives and, as necessary, modifies the cleartext response.
  9. The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
  10. The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.
The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.
An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.

Task summary for manipulating HTTPS traffic thru third-party devices

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a VLAN

VLANs
represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
    field, type a unique name for the VLAN.
  4. In the
    Tag
    field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the
    Customer Tag
    setting to perform the following two steps. If you do not see the
    Customer Tag
    setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the
      Customer Tag
      list, select
      Specify
      .
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the
    Interfaces
    setting,
    1. From the
      Interface
      list, select an interface number.
    2. From the
      Tagging
      list, select
      Untagged
      .
    3. Click
      Add
      .
  7. For the
    Hardware SYN Cookie
    setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the
    Syncache Threshold
    setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
    value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
    setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
      is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
      setting is reached.
  9. For the
    SYN Flood Rate Limit
    setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
    value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click
    Finished
    .
    The screen refreshes, and displays the new VLAN in the list.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Select
    clientssl
    in the
    Parent Profile
    list.
  5. Select the
    Proxy SSL
    check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
    check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate Key Chain
    .
    The
    Certificate
    and
    Key
    under ClientSSL profile are not used in
    Proxy SSL
    (since the client and the server will eventually verify each other). F5 recommends leaving the default F5 cert/key pair.
  8. Click
    Finished
    .

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. Select the
    Proxy SSL
    check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
    check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate
    and
    Key
    using the identical Certificate and Key details configured on the server.
    Import the details to the BIG-IP system prior to configuring
    Proxy SSL
    .
  8. Click
    Finished
    .
The custom Server SSL profile is now listed in the SSL Server profile list.

Task summary for manipulating HTTPS traffic thru third-party devices

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a virtual server to manage clientside HTTPS traffic

You can specify a virtual server that manages clientside HTTPS traffic sent to a third-party device to manipulate traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Standard
    .
  5. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  6. For the
    Service Port
    setting, type
    443
    in the field, or select
    HTTPS
    from the list.
  7. From the
    Protocol Profile (Client)
    list, select
    splitsession-default-tcp
    .
  8. From the
    Configuration
    list, select
    Advanced
    .
  9. From the
    HTTP Profile
    list, select
    http
    .
  10. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select a Client SSL profile, and using the Move button, move the name to the
    Selected
    list.
  11. From the
    VLAN and Tunnel Traffic
    list, select
    Enablerd on
    .
  12. For the
    VLANs and Tunnels
    setting, move the clientside VLAN to the
    Selected
    list.
  13. From the
    Transparent Nexthop
    list, select the VLAN that you created for the inspection device.
  14. Click
    Finished
    .
The clientside HTTPS virtual server appears in the Virtual Server List screen.

Creating a virtual server to manage serverside traffic

You can specify a virtual server that manages serverside traffic sent from a third-party device to manipulate traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Standard
    .
  5. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  6. For the
    Service Port
    setting, type
    80
    in the field, or select
    HTTP
    from the list.
  7. From the
    Configuration
    list, select
    Advanced
    .
  8. From the
    Protocol Profile (Server)
    list, select
    splitsession-default-tcp
    .
  9. From the
    HTTP Profile
    list, select
    http
    .
  10. For the
    SSL Profile (Server)
    setting, from the
    Available
    list, select a Server SSL profile, and using the Move button, move the name to the
    Selected
    list.
  11. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    .
  12. For the
    VLANs and Tunnels
    setting, move the VLAN that you created for the inspection device to the
    Selected
    list.
  13. From the
    Transparent Nexthop
    list, select the serverside VLAN.
  14. Click
    Finished
    .
The serverside HTTPS virtual server appears in the Virtual Server List screen.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click
    Network
    VLANs
    VLAN Groups
    .
    The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click
    Create
    .
    The New VLAN Group screen opens.
  4. In the General Properties area, in the
    VLAN Group
    field, type a unique name for the VLAN group.
  5. For the
    VLANs
    setting, from the
    Available
    field select the
    internal
    and
    external
    VLAN names, and click
    <<
    to move the VLAN names to the
    Members
    field.
  6. Click
    Finished
    .