Manual Chapter :
Implementing SSL Forward Proxy on a Single BIG-IP System
Applies To:
Show VersionsBIG-IP APM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP Analytics
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP LTM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP PEM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP AFM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP DNS
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP ASM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Implementing SSL Forward Proxy on a Single BIG-IP System
Overview: SSL forward proxy client and server authentication
With the BIG-IP system's
SSL forward
proxy
functionality, you can encrypt all traffic between a client and the BIG-IP
system, by using one certificate, and to encrypt all traffic between the BIG-IP system and the
server, by using a different certificate.A client establishes a three-way handshake and SSL connection with the
wildcard IP address of the BIG-IP system virtual server. The BIG-IP system then establishes a
three-way handshake and SSL connection with the server, and receives and validates a server
certificate (while maintaining the separate connection with the client). The BIG-IP system
uses the server certificate to create a second unique server certificate to send to the
client. The client receives the second server certificate from the BIG-IP system, but
recognizes the certificate as originating directly from the server.
To
enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
- Client establishes three-way handshake and SSL connection with wildcard IP address.
- BIG-IP system establishes three-way handshake and SSL connection with server.
- BIG-IP system validates a server certificate (Certificate A), while maintaining the separate connection with the client.
- BIG-IP system creates different server certificate (Certificate B) and sends it to client.
Task summary
for SSL Forward Proxy on a single BIG-IP system
To implement SSL forward proxy client-to-server authentication, as well as application data
manipulation, you perform a few basic configuration tasks. Note that you must create both a
Client SSL and a Server SSL profile, and enable the SSL Forward Proxy feature in both
profiles.
Create a custom Client SSL forward proxy profile
You perform this task to create a Client SSL forward proxy profile that makes it
possible for client and server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption
and encryption. This profile applies to client-side SSL forward proxy traffic
only.
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selectclientssl.
- From theSSL Forward Proxylist, selectAdvanced.
- Select theCustomcheck box for the SSL Forward Proxy area.
- Modify the SSL Forward Proxy settings.
- From theSSL Forward Proxylist, selectEnabled.
- From theCA Certificatelist, select a certificate.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- From theCA Keylist, select a key.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- In theCA Passphrasefield, type a passphrase.
- In theConfirm CA Passphrasefield, type the passphrase again.
- In theCertificate Lifespanfield, type a lifespan for the SSL forward proxy certificate in days.
- From theCertificate Extensionslist, selectExtensions List.
- For theCertificate Extensions Listsetting, select the extensions that you want in theAvailable extensionsfield, and move them to theEnabled Extensionsfield using theEnablebutton.
- Select theCache Certificate by Addr-Portcheck box if you want to cache certificates by IP address and port number.
- From theSSL Forward Proxy Bypasslist, selectEnabled.Additional settings display.
- From theBypass Default Actionlist, selectInterceptorBypass.The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.If you selectBypassand do not specify any additional settings, you introduce a security risk to your system.
- ClickFinished.
Creating a custom Server SSL forward proxy profile
You perform this task to create a Server SSL forward proxy profile that makes it
possible for client and server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption.
This profile applies to server-side SSL forward proxy traffic only.
- On the Main tab, click.The Server SSL profile list screen opens.
- ClickCreate.The New Server SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist selectserverssl.
- Select theCustomcheck box for the Configuration area.
- From theSSL Forward Proxylist, selectEnabled.
- ClickFinished.
The custom Server SSL forward proxy profile now appears in the Server SSL profile
list screen.
Creating a load balancing pool
Ensure that at least one virtual server exists in the configuration
before you start to create a load balancing pool.
Create a pool of systems with Access Policy Manager to which
the system can load balance global traffic.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In the General Properties area, in theNamefield, type a name for the pool.Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.The pool name is limited to 63 characters.
- From theTypelist, depending on the type of the system (IPv4 or IPv6), select either anAorAAAApool type.
- In the Configuration area, for theHealth Monitorssetting, in theAvailablelist, select a monitor type, and move the monitor to theSelectedlist.Hold the Shift or Ctrl key to select more than one monitor at a time.
- In the Members area, for theLoad Balancing Methodsettings, select a method that uses virtual server score:
- VS Score - If you select this method, load balancing decisions are based on the virtual server score only.
- Quality of Service - If you select this method, you must configure weights for up to nine measures of service, includingVS Score. Virtual server score then factors into the load balancing decision at the weight you specify.
- For theMember Listsetting, add virtual servers as members of this load balancing pool.The system evaluates the virtual servers (pool members) in the order in which they are listed. A virtual server can belong to more than one pool.
- Select a virtual server from theVirtual Serverlist.
- ClickAdd.
- ClickFinished.
Creating a virtual server for client-side and server-side SSL traffic
You can specify a virtual server to be either a host virtual server or a network
virtual server to manage application traffic.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For a network, in theDestination Address/Maskfield, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is0.0.0.0/0, and an IPv6 address/prefix is::/0.
- In theService Portfield:
- If you want to specify a single service port or all ports, confirm that thePortbutton is selected, and type or select a service port.
- If you want to specify multiple ports other than all ports, select thePort Listbutton, and confirm that the port list that you previously created appears in the box.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - For theSSL Profile (Server)setting, from theAvailablelist, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - Assign other profiles to the virtual server if applicable.
- In the Resources area, from theDefault Poollist, select the name of the pool that you created previously.
- ClickFinished.
The virtual server now appears in the Virtual Server List screen.
Implementation result
After you complete the tasks in this implementation, the BIG-IP® system
ensures that the client system and server system can authenticate each other independently. After
client and server authentication, the BIG-IP system can intelligently decrypt and manipulate the
application data according to the configuration settings in the profiles assigned to the virtual
server.