Manual Chapter : Manipulating HTTPS Traffic by Using a Third-Party Device

Applies To:


BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP APM

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

Overview: Manipulating HTTPS traffic by using a third-party device

You can configure a BIG-IP device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.
When you configure a virtual server to use the Transparent Nexthop control, traffic matching the virtual server is sent to the specified interface and the layer 2 addressing on the ingress packet is preserved. Configuring the Transparent Nexthop to specify the VLAN that is configured with the inspection device eliminates the need to configure a pool, NAT, SNAT, or other load balancing functionality to the inspection device.
Transparent Nexthop functionality requires a license that supports that functionality. If the Transparent Nexthop control does not appear on the New Virtual Server screen, contact your F5 Networks support representative to acquire the necessary license.
The basic process used in this configuration is as follows:
  1. A client sends an HTTPS request to a server by means of the BIG-IP device.
  2. The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
  3. The inspection device receives and, as necessary, modifies the cleartext request.
  4. The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
  5. The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
  6. The server sends a response to the client by means of the BIG-IP device.
  7. The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
  8. The inspection device receives and, as necessary, modifies the cleartext response.
  9. The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
  10. The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.
The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.
An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.

Task summary for manipulating HTTPS traffic through third-party devices

Complete these tasks to configure a BIG-IP device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a VLAN

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click Network > VLANs.
     The VLAN List screen opens.
  2. Click Create.
     The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
     The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
     1. From the Customer Tag list, select Specify.
     2. Type a numeric tag, from 1-4094, for the VLAN.
     The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting:
     1. From the Interface list, select an interface number.
     2. From the Tagging list, select Untagged.
     3. Click Add.
  7. For the Hardware SYN Cookie setting, select or clear the check box.
     When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
     Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
     The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
     When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
     • The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
     • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  9. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
     The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click Finished.
     The screen refreshes, and it displays the new VLAN in the list.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
     The Client SSL profile list screen opens.
  2. Click Create.
     The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
     The settings become available for change.
  7. Next to Client Authentication, select the Custom check box.
     The settings become available.
  8. From the Configuration list, select Advanced.
  9. Modify the settings, as required.
  10. Click Finished.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
     The Server SSL profile list screen opens.
  2. Click Create.
     The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
     The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled.
     You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled).
     The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later, but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.


Creating a virtual server to manage clientside HTTPS traffic

You can specify a virtual server that manages clientside HTTPS traffic sent to a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click Create.
     The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Standard.
  5. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
     The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
     The IP address you type must be available and not in the loopback network.
  6. For the Service Port setting, type 443 in the field, or select HTTPS from the list.
  7. From the Protocol Profile (Client) list, select splitsession-default-tcp.
  8. From the Configuration list, select Advanced.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Client) setting, from the Available list, select a Client SSL profile, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enabled on.
  12. For the VLANs and Tunnels setting, move the clientside VLAN to the Selected list.
  13. From the Transparent Nexthop list, select the VLAN that you created for the inspection device.
  14. Click Finished.
The clientside HTTPS virtual server appears in the Virtual Server List screen.

Creating a virtual server to manage serverside traffic

You can specify a virtual server that manages serverside traffic sent from a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click Create.
     The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Standard.
  5. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
     The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
     The IP address you type must be available and not in the loopback network.
  6. For the Service Port setting, type 80 in the field, or select HTTP from the list.
  7. From the Configuration list, select Advanced.
  8. From the Protocol Profile (Server) list, select splitsession-default-tcp.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Server) setting, from the Available list, select a Server SSL profile, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enabled on.
  12. For the VLANs and Tunnels setting, move the VLAN that you created for the inspection device to the Selected list.
  13. From the Transparent Nexthop list, select the serverside VLAN.
  14. Click Finished.
The serverside HTTPS virtual server appears in the Virtual Server List screen.
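The two virtual servers and two SSL profiles have to agree with each other in two ways that the GUI does not enforce: the clientside virtual server's Transparent Nexthop must be the inspection VLAN that the serverside virtual server is enabled on (otherwise decrypted traffic is sent to an interface nobody listens on), and SSL Forward Proxy Bypass must carry the same value in the client SSL and server SSL profiles. The following script is an added example, not F5's own tooling: it checks both conditions against listings in the shape that `tmsh list <object> one-line` produces. The four listings embedded in it are constructed sample output, the object names (vs_https_client, inspect_vlan, clientssl_inspect and so on) are placeholders, and treating an absent ssl-forward-proxy-bypass as "disabled" relies on that being the profile default described above.

```shell
#!/bin/sh
# Added example (not from the F5 manual): consistency checks on one-line tmsh
# listings of the clientside/serverside virtual servers and their SSL profiles.
# The listings below are constructed sample output; names are placeholders.
set -eu

CLIENT_VS='ltm virtual vs_https_client { destination 10.0.0.1:443 ip-protocol tcp profiles { clientssl_inspect { context clientside } http { } splitsession-default-tcp { } } transparent-nexthop inspect_vlan vlans { external } vlans-enabled }'
SERVER_VS='ltm virtual vs_http_server { destination 10.0.0.1:80 ip-protocol tcp profiles { http { } serverssl_inspect { context serverside } splitsession-default-tcp { } } transparent-nexthop internal vlans { inspect_vlan } vlans-enabled }'
CLIENT_SSL='ltm profile client-ssl clientssl_inspect { defaults-from clientssl ssl-forward-proxy-bypass disabled }'
SERVER_SSL='ltm profile server-ssl serverssl_inspect { defaults-from serverssl secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass disabled }'

# Print the single-word value that follows KEY in a one-line listing
# (prints nothing if KEY is absent).  Usage: field KEY LISTING
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1 \([^ ]*\).*/\1/p"
}

# Print the VLAN names a virtual server is enabled on, space separated.
vs_vlans() {
    printf '%s\n' "$1" | sed -n 's/.* vlans { \([^}]*\)}.*/\1/p'
}

# Succeeds if the clientside VS's transparent-nexthop names a VLAN on which
# the serverside VS is enabled.  Usage: check_nexthop_wiring CLIENT_VS SERVER_VS
check_nexthop_wiring() {
    nexthop="$(field transparent-nexthop "$1")"
    [ -n "$nexthop" ] || return 1
    for v in $(vs_vlans "$2"); do
        [ "$v" = "$nexthop" ] && return 0
    done
    return 1
}

# Succeeds if both SSL profiles carry the same ssl-forward-proxy-bypass value.
# An omitted value is taken as the default, "disabled" (assumption: tmsh list
# omits properties that are still at their default).
# Usage: check_bypass_match CLIENT_SSL SERVER_SSL
check_bypass_match() {
    c="$(field ssl-forward-proxy-bypass "$1")"
    s="$(field ssl-forward-proxy-bypass "$2")"
    [ "${c:-disabled}" = "${s:-disabled}" ]
}

main() {
    rc=0
    if check_nexthop_wiring "$CLIENT_VS" "$SERVER_VS"; then
        echo "ok: clientside transparent-nexthop is a VLAN the serverside virtual server listens on"
    else
        echo "FAIL: clientside transparent-nexthop does not reach the serverside virtual server"
        rc=1
    fi
    if check_bypass_match "$CLIENT_SSL" "$SERVER_SSL"; then
        echo "ok: ssl-forward-proxy-bypass matches in the client and server SSL profiles"
    else
        echo "FAIL: ssl-forward-proxy-bypass differs between the client and server SSL profiles"
        rc=1
    fi
    return $rc
}

main
```

On a real device, replace the four constructed strings with the output of `tmsh list ltm virtual <name> one-line` and `tmsh list ltm profile client-ssl <name> one-line` (and the server-ssl equivalent); the checks themselves do not change.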

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click Network > VLANs > VLAN Groups.
     The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click Create.
     The New VLAN Group screen opens.
  4. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.
  5. For the VLANs setting, from the Available field select the internal and external VLAN names, and click << to move the VLAN names to the Members field.
  6. Click Finished.
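The whole procedure (inspection VLAN, client and server SSL profiles, the two virtual servers with Transparent Nexthop, and the VLAN group) can also be applied from the command line. The script below is an added example written for this page, not an F5-supplied script; it uses the tmsh object and property names as documented for BIG-IP (`net vlan`, `ltm profile client-ssl` / `server-ssl`, `ltm virtual` with `transparent-nexthop`, `net vlan-group`), and every name, interface number, tag and address in it is a placeholder you must replace. With DRY_RUN=1 (the default) it only prints the commands, so the configuration can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not from the F5 manual): the GUI procedure above as tmsh
# commands.  All names, the interface number, the VLAN tag and the addresses
# are placeholders (assumptions about a lab layout, not values from the manual).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them through tmsh.
set -eu

DRY_RUN="${DRY_RUN:-1}"

INSPECT_VLAN="inspect_vlan"    # VLAN wired to the inspection device
INSPECT_IFACE="1.3"            # interface facing the inspection device
INSPECT_TAG="4093"
CLIENT_VLAN="external"         # clientside VLAN (clients arrive here)
SERVER_VLAN="internal"         # serverside VLAN (servers live here)
CLIENT_VS_DEST="10.0.0.1:443"  # address clients connect to (HTTPS)
SERVER_VS_DEST="10.0.0.1:80"   # address the inspection device sends cleartext to
CSSL="clientssl_inspect"       # custom Client SSL profile name
SSSL="serverssl_inspect"       # custom Server SSL profile name

# Print or execute one tmsh command given as a single string.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'tmsh %s\n' "$1"
    else
        tmsh $1
    fi
}

# Task: Creating a VLAN (untagged interface toward the inspection device).
create_vlans() {
    run "create net vlan $INSPECT_VLAN tag $INSPECT_TAG interfaces add { $INSPECT_IFACE { untagged } }"
}

# Tasks: custom Client SSL and Server SSL profiles.  The server profile turns
# on SSL forward proxy and secure renegotiation = request; the bypass setting
# is set explicitly on both profiles so that they match, as the manual requires.
create_ssl_profiles() {
    run "create ltm profile client-ssl $CSSL defaults-from clientssl ssl-forward-proxy-bypass disabled"
    run "create ltm profile server-ssl $SSSL defaults-from serverssl ssl-forward-proxy enabled ssl-forward-proxy-bypass disabled secure-renegotiation request"
}

# Tasks: clientside HTTPS virtual server (nexthop = inspection VLAN) and
# serverside HTTP virtual server (enabled on the inspection VLAN, nexthop =
# serverside VLAN).  splitsession-default-tcp and http are built-in profiles.
create_virtual_servers() {
    run "create ltm virtual vs_https_client destination $CLIENT_VS_DEST ip-protocol tcp profiles add { splitsession-default-tcp { } http { } $CSSL { context clientside } } vlans-enabled vlans add { $CLIENT_VLAN } transparent-nexthop $INSPECT_VLAN"
    run "create ltm virtual vs_http_server destination $SERVER_VS_DEST ip-protocol tcp profiles add { splitsession-default-tcp { } http { } $SSSL { context serverside } } vlans-enabled vlans add { $INSPECT_VLAN } transparent-nexthop $SERVER_VLAN"
}

# Task: VLAN group consolidating the clientside and serverside VLANs at layer 2.
create_vlan_group() {
    run "create net vlan-group vg_inspect members add { $SERVER_VLAN $CLIENT_VLAN }"
}

main() {
    create_vlans
    create_ssl_profiles
    create_virtual_servers
    create_vlan_group
    run "save sys config"
}

main
```

Review the printed commands first; when they match your intended layout, rerun with DRY_RUN=0 on the BIG-IP device. Creating the virtual servers before the VLAN group keeps the same order as the manual's tasks.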