When you want the BIG-IP system to process application traffic over SSL, you can configure the
system to perform the SSL handshake that destination servers normally perform. This ability for
the BIG-IP system to offload SSL processing from a destination server is an important feature of
the BIG-IP system.
The most common way to configure the BIG-IP system is to create a Client SSL profile, which
makes it possible for the BIG-IP system to decrypt client requests before sending them on to a
server, and encrypt server responses before sending them back to the client.
Within a Client SSL profile specifically, you can specify multiple certificate/key pairs, one
per key type. This enables the system to accept all types of cipher suites that a client might
support as part of creating a secure connection. The system then decrypts the client data,
manipulates any headers or payload according to the way that you configured the Client SSL
profile, and by default, sends the request in clear text to the target server for processing.
For those sites that require enhanced security on their internal network, you can configure a
Server SSL profile. With a Server SSL profile, the BIG-IP system re-encrypts the request before
sending it to the destination server. When the server returns an encrypted response, the BIG-IP
system decrypts and then re-encrypts the response, before sending the response back to the
For more information on configuring SSL and Online Certificate Status Protocol (OCSP) profiles,
see the guide
BIG-IP System: SSL Administration