Manual Chapter : Manipulating HTTPS Traffic by Using a Third-Party Device

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Manipulating HTTPS Traffic by Using a Third-Party Device

Overview: Manipulating HTTPS traffic by using a third-party device

You can configure a BIG-IP device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.
When you configure a virtual server to use the Transparent Nexthop control, traffic matching the virtual server is sent to the specified interface and the layer 2 addressing on the ingress packet is preserved. Configuring the Transparent Nexthop to specify the VLAN that is configured with the inspection device eliminates the need to configure a pool, NAT, SNAT, or other load balancing functionality to the inspection device.
Transparent Nexthop functionality requires a license that supports that functionality. If the Transparent Nexthop control does not appear on the New Virtual Server screen, contact your F5 Networks support representative to acquire the necessary license.
The basic process used in this configuration is as follows:
  1. A client sends an HTTPS request to a server by means of the BIG-IP device.
  2. The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
  3. The inspection device receives and, as necessary, modifies the cleartext request.
  4. The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
  5. The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
  6. The server sends a response to the client by means of the BIG-IP device.
  7. The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
  8. The inspection device receives and, as necessary, modifies the cleartext response.
  9. The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
  10. The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.
The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.
An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.

Task summary for manipulating HTTPS traffic thru third-party devices

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a VLAN

VLANs
represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
    field, type a unique name for the VLAN.
  4. In the
    Tag
    field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the
    Customer Tag
    setting to perform the following two steps. If you do not see the
    Customer Tag
    setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the
      Customer Tag
      list, select
      Specify
      .
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the
    Interfaces
    setting,
    1. From the
      Interface
      list, select an interface number.
    2. From the
      Tagging
      list, select
      Untagged
      .
    3. Click
      Add
      .
  7. For the
    Hardware SYN Cookie
    setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the
    Syncache Threshold
    setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
    value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
    setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
      is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
      setting is reached.
  9. For the
    SYN Flood Rate Limit
    setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
    value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click
    Finished
    .
    The screen refreshes, and it displays the new VLAN in the list.

Create a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, select
    clientssl
    .
  5. Select the
    Custom
    check box.
    The settings become available for change.
  6. From the
    Configuration
    list, select
    Advanced
    .
  7. For the
    Mode
    setting, select the
    Enabled
    check box.
  8. For the
    Certificate Key Chain
    setting, click
    Add
    .
    1. From the
      Certificate
      list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the
      Key
      list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
      field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
  9. In the
    Certificate Key Chain
    setting, click
    Add
    again, and repeat the process for all certificate key chains that you want to specify.
    At a minimum, you must specify an RSA certificate key chain.
    The result is that all specified key chains appear in the text box.
  10. The
    OCSP Stapling
    setting allows you to select an SSL Online Certificate Status Protocol (OCSP) stapling profile which contains various OCSP stapling parameters. By default this setting is disabled. To enable OCSP stapling, select the
    OCSP Stapling
    check box.
    To enable OCSP stapling, you must first create an OCSP Stapling profile. See
    Creating an OCSP stapling profile
    for detailed steps.
  11. If you want to
    Notify Certificate Status to Virtual Server
    , select the check box.
    This setting is used to communicate SSL certificate revocation status to the virtual server. This is typically implemented in conjunction with an OCSP stapling configuration.
  12. The
    Ciphers
    setting is optional. By default, the Client SSL profile uses the DEFAULT cipher string. In most cases, the DEFAULT cipher string is appropriate, but you can customize it as necessary to meet the security and performance needs of your site. Specify a cipher group or cipher string by choosing one of these options.
    If you specified an ECDSA certificate key chain in the
    Certificate Key Chain
    setting, you must include the cipher string
    ECDHE_ECDSA
    in the cipher group or cipher string that you specify in the
    Ciphers
    setting. (At a minimum, you should specify a cipher group or string such as
    DEFAULT:ECDHE_ECDSA
    .) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option
    Description
    Cipher Group
    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the
    Ciphers
    setting where we've selected a custom cipher group that we created earlier.
    Cipher String
    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    • Always append ciphers to the
      DEFAULT
      cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword
      HIGH
      . To do this, just include both
      !ADH
      and
      :HIGH
      in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses
      Forward Privacy
      , which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like
      ssldump
      won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including
      !EXPORT
      in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include
      :!SSLv3
      in any cipher string you type.
    Here's an example of the
    Ciphers
    setting where we have opted to manually type the cipher string
    DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH
    :
  13. When enabled, the
    Options
    setting, references the Options List setting, which are industry standard SSL options and workarounds use for handling SSL processing. The default setting is All Options Disabled. By default, TLSv1.3 is disabled in this configuration.
  14. The
    Options List
    setting provides selection from a set of industry standard SSL options and workarounds for handling SSL processing.
  15. The
    Data 0-RTT
    setting when Enabled, specifies that you can initiate a server connection for early data so to receive the benefits of early data delivered to the server-side early. The default value is Disabled.
  16. When the
    Proxy SSL
    setting is enabled, the client can directly authenticate with the server, and the server can authenticate with the client, based on the client certificate presented. In a typical setup, with the BIG-IP system in the middle, the client and server cannot communicate directly to authenticate each other. The Proxy SSL setting requires both a Client SSL profile and a Server SSL profile, and you must enable the setting in both profiles. For information about the Proxy SSL setting, refer to the following resources:
    1. The
      Implementing Proxy SSL on a Single BIG-IP system
      chapter in this guide.
  17. The
    Proxy SSL Passthrough
    setting allows Proxy SSL to pass traffic when the cipher suite negotiated between client and server is not supported. Disabled by default. If you enable it, you should enable this setting on the server SSL profile as well.
  18. The
    ModSSL Methods
    setting enables or disables ModSSL method emulation. Disabled (cleared) by default. Enable this setting when OpenSSL methods are inadequate. For example, enable it when you want to use SSL compression over TLSv1. When you enable this setting, you can then write an iRule, using the
    HTTP::header insert_modssl_fields
    command, which inserts some of the ModSSL options as headers into HTTP requests. See
    ModSSL options for use with iRules
    section of the
    Additional SSL Profile Configuration Options
    chapter in this guide.
  19. The
    Cache Size
    setting specifies the maximum number of SSL sessions allowed in the SSL session cache. The default value for Cache Size is 262144 sessions. A value of
    0
    disallows session caching.
  20. The
    Cache Timeout
    setting specifies the number of seconds that the system allows SSL sessions to remain in the SSL session cache before removing them. The default value for Cache Timeout is 3600 seconds. The range of values configurable for Cache Timeout is between 0 and 86400 seconds inclusive.
    Longer cache timeout periods can increase the risk of SSL session hijacking.
  21. The
    Alert Timeout
    setting specifies the duration that the system tries to close an SSL connection by transmitting an alert or initiating an unclean shutdown before resetting the connection. Select Indefinite to specify that the connection should not be reset after transmitting an alert or initiating an unclean shutdown. The BIG-IP system sends an RST once the Alert Timeout value has been reached, forcefully aborting the connection early and reducing the amount of data transferred between the peer system and the BIG-IP system. The Immediate value makes the BIG-IP system reset both client and server side flows after 1/1000 seconds.
  22. The
    Handshake Timeout
    setting specifies the number of seconds that the system tries to establish an SSL connection before terminating the operation. Selecting Indefinite specifies that the system continues trying to establish a connection for an unlimited time.
  23. Configure the
    Renegotiation
    setting to control if the virtual server allows midstream session renegotiation. When enabled (default), Renegotiation allows the BIG-IP system to process midstream SSL renegotiation requests. When disabled, the system either terminates the connection or ignores the request, depending on system configuration. See
    Additional SSL Profile Configuration Options
    chapter in this guide for more details.
  24. The
    Renegotiation Period
    setting indicates the amount of time before the system renegotiates the SSL session after the initial connection. If you set it to Indefinite (default), the system does not renegotiate the SSL session.
  25. The
    Renegotiation Size
    setting indicates the amount of application data in megabytes the system must receive from the time of initial connection before it renegotiates the SSL session. If set to Indefinite (default), the system does not renegotiate the SSL session.
  26. The
    Renogotiate Max Record Delay
    setting indicates the number of SSL records allowed during the SSL renegotiation before the system terminates the connection. If set to Indefinite, the system allows an unlimited number.
  27. The
    Secure Renegotiation
    setting specifies the method of secure renegotiation for SSL connections. The default value for the Client SSL profile is
    Require
    . The values for the Secure Renegotiation setting in the Client SSL profile are as follows:
    1. Request
      : Specifies that the system requests secure renegotiation of SSL connections.
    2. Require
      : Specifies that the system requires secure renegotiation of SSL connections. In this mode, the system permits initial SSL handshakes from clients but terminates renegotiations from clients that do not support secure renegotiation.
    3. Require Strict
      : Specifies that the system requires strict, secure renegotiation of SSL connections. In this mode, the system denies initial SSL handshakes from clients that do not support secure renegotiation.
  28. The
    Max Renegotiation
    setting specifies the maximum number of SSL renegotiation attempts per connection that the system can receive in one minute before renegotiating an SSL session. For example, one client with three connections may have a maximum number of SSL renegotiation attempts equal to three times the configured Max Renegotiation value. After the system receives this number of SSL renegotiation records, it closes the connection. This setting applies to client profiles only. The default value is 5.
  29. The
    Max Aggregate Renegotiation
    setting specifies the maximum number of aggregated SSL renegotiation records that the system can receive before renegotiating an SSL session. After the system receives this number of aggregated SSL renegotiation records, it closes the connection. This setting applies to client profiles only. The default value is Indefinite.
  30. The
    Server Name
    setting specifies the fully qualified DNS hostname of the server, or a wildcard string containing the asterisk (*) character to match multiple names, used in the TLS SNI connection. There is no default value for this setting. For information about configuring the TLS SNI feature on the BIG-IP system, see K13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature.
  31. When enabled, the
    Default SSL Profile for SNI
    setting indicates that the system should use the profile as the default SSL profile when there is no match to the server name or when the client does not support TLS SNI extension. This setting is disabled by default. For information about configuring the TLS SNI feature on the BIG-IP system, see K13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature.
  32. When enabled, the
    Require Peer SNI Support
    setting requires that the client support the TLS SNI extension; otherwise, the BIG-IP system disconnects the client connection with a fatal alert. This setting is disabled by default.
  33. The
    Unclean Shutdown
    setting allows the BIG-IP system to perform an unclean shutdown of SSL connections by closing the underlying TCP connection without sending the SSL close notify alerts. By default, this setting is enabled (selected) and is useful for certain browsers that handle SSL shutdown alerts differently. For example, some versions of Internet Explorer require SSL shutdown alerts from the server while other versions do not, and the SSL profile cannot always detect this requirement. In the case where the browser expects a shutdown alert but the SSL profile has not exchanged one (the default setting), the browser displays an error message.
  34. The
    Strict Resume
    setting enables or disables the resumption of SSL sessions after an unclean shutdown.
  35. The BIG-IP SSL profiles support the stateless TLS session resumption mechanism as described in Internet Engineering Task Force (RFC 5077) . This mechanism allows the BIG-IP system to encapsulate the TLS session state as a ticket to the client and allows the client to subsequently resume a TLS session using the same ticket. Disabled (cleared) by default.
  36. The
    Session Ticket Timeout
    setting specifies the timeout for the session ticket. The default is 0 seconds, which means the system uses the cache timeout.
  37. The
    Session Mirroring
    setting enables or disables the mirroring of SSL session ID data to a high-availability peer. The default setting is Disabled, preventing the system from mirroring SSL session ID data.
  38. When enabled (default), the
    Generic Alert
    setting causes the system to send all SSL alerts using a generic handshake failure message. When the setting is disabled, the system sends more specific SSL alert messages.
  39. The
    Non SSL Connections
    setting enables or disables acceptance of non-SSL connections.
  40. The
    Allow Dynamic Record Sizing
    setting allows a TLS performance improvement preventing buffering and delay of TLS record fragment delivery. The BIG-IP system dynamically adjusts the size of TLS records based on the state of the connection. The disabled by default.
  41. The
    Maximum Record Size
    setting specifies the profile's maximum record size. Set to enabled when you want to allow dynamic record sizing. The range is 128 - 16384. The default setting is 16384.
  42. The
    SSL Sign Hash
    setting specifies the hash algorithm that the BIG-IP system uses to sign server key exchanges with the Diffie-Hellman (DHE), including Elliptic Curve (ECDHE) ciphers, and for certificate verify messages. Possible choices are SHA1, SHA256, SHA384, or Any. When you select Any, you authorize the system to choose any one of the hash algorithms. The BIG-IP system respects the client signature_algorithms extension as defined in TLS 1.2. When possible, the BIG-IP system prefers SHA256 in the handshake signature based on the content of the signature_algorithms extension. The BIG-IP system further upgrades the hash algorithm to Hash SHA384 from SHA256 when P-384 is used. The BIG-IP system attempts to avoid the use of SHA1 in a TLS handshake, except in the case when signatures are used in X.509 certificates (these signatures are created by the X.509 Certificate Authority). The only time the BIG-IP system uses the SHA1 handshake signature is when an RSA key is used and the signature_algorithms extension is missing or - signature_algorithms is present and only lists SHA1.
  43. The
    Peer No-renegotiate Timeout
    setting specifies the number of seconds the system waits before resetting the connection to peer systems that do not renegotiate SSL sessions. The default is 10.
  44. The
    Max Active Handshakes
    setting limits the number of concurrent SSL handshakes. When the number of active SSL handshakes reaches the specified limit, the system terminates the most recent SSL handshake. The default setting is Indefinite, which means that there is no limit.
  45. For information about using the SSL Forward Proxy feature, refer to the
    Implementing SSL Forward Proxy on a Single BIG-IP system
    chapter of the SSL Administration guide.
  46. In the
    Client Authentication
    section, the
    Client Certificate
    setting enables and disables client certificate authentication. The possible options for this setting are:
    1. Ignore
      : The Ignore setting is the default setting. It disables Client Certificate Authentication. The BIG-IP system ignores any certificate presented and does not authenticate the client before establishing the SSL session.
    2. Request
      : The Request setting enables optional Client Certificate Authentication. The BIG-IP system requests a client certificate and attempts to verify it. However, an SSL session is established regardless of whether a trusted CA presents a valid client certificate. The Request setting is often used in conjunction with iRules to provide selective access depending on the certificate presented. For example, this option is useful if you want to allow clients who present a certificate from the configured trusted CA to gain access to the application, while redirecting clients who do not provide the required certificate to a page that details the access requirements. However, if you are not using iRules to enforce a different outcome, depending on the certificate details, there is no functional benefit to using the Request setting instead of the default Ignore setting.
    3. Require
      : The Require setting enforces Client Certificate Authentication. The BIG-IP system requests a client certificate and attempts to verify it. The system establishes an SSL session only if a trusted CA presents a valid client certificate. Use the Require setting to restrict access to only clients that present a valid certificate from a trusted CA.
  47. The
    Frequency
    setting specifies the frequency of client authentication for an SSL session. The default value for this setting is once.
  48. The
    Retain Certificate
    is enabled by default. When this setting is disabled, the client certificate is not stored in an SSL session.
  49. The
    Certificate Chain Traversal Depth
    setting specifies the maximum number of certificates to be traversed in a client certificate chain. The default value is 9.
  50. The
    Trusted Certificate Authorities
    setting specifies a client CA that the system trusts. The default is
    None
    .
    1. None
      : Specifies that no CA is trusted for client-side processing.
    2. ca-bundle
      : Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for client-side processing.
    3. default
      : Specifies that the trusted CA for client-side processing is the default certificate on the system.
  51. The
    Advertised Certificate Authorities
    setting specifies that the CAs that the system advertises to clients is being trusted by the profile. The default is None.
    1. None
      : Specifies that the system does not advertise any chain as being trusted.
    2. ca-bundle
      : Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for client-side processing.
    3. default
      : Specifies that the name of the certificate on the system is the default certificate name, which the system advertises as trusted.
  52. The
    CRL File
    setting allows you to specify a CRL that the BIG-IP system should use to check revocation status of a certificate prior to authenticating a client. If you want to use a CRL, you must import it to the BIG-IP system.
  53. The
    Allow Expired CRL File
    setting instructs the system to use the specified CRL file, even if it has expired. Disabled by default.
  54. The
    Client Certificate Constrained Delegation
    setting enables or disables the C3D feature. Using constrained delegation prevents users from having to provide credentials twice for certain authentication actions. For more information on this setting, refer to K72668381: Overview of the SSL Client Certificate Constrained Delegation feature article.
  55. The
    Client Fallback Certificate
    setting specifies the client SSL profile name of the certificate file that is used as the client certificate when the client does not send one during SSL handshake. You can click the + icon to open the create-new OCSP object screen.
  56. The
    OCSP
    setting specifies the SSL client certificate constrained delegation OCSP object that the BIG-IP system's SSL should use to connect to the OCSP responder and check the client certificate status. You can click the + icon to open the create-new SSL Certifcate screen.
  57. The
    Unknown OCSP Response Control
    setting specifies the action the system takes when the OCSP object returns an unknown status. The default value is Drop, which causes the connection to be dropped. Selecting Ignore causes the connection to ignore the unknown status and continue.
  58. In the
    Logging
    section, the
    Log Publisher
    setting specifies the defined Log Publisher for the system to use for logging information.
  59. Click
    Finished
    .
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.

Create a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. From the
    Configuration
    list, select
    Advanced
    .
  6. Select the
    Custom
    check box.
    The settings become available for change.
  7. From the
    SSL Forward Proxy
    list, select
    Enabled
    .
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the
    SSL Forward Proxy Bypass
    list, select
    Enabled
    (or retain the default value
    Disabled
    ).
    The values of the
    SSL Forward Proxy Bypass
    settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the
    Secure Renegotiation
    list and select
    Request
    .
  10. For detailed information on the different settings of the SSL:Server page, refer to the
    SSL Traffic Management
    chapter (
    Create a custom Server SSL profile
    section) of the SSL Administration guide.
  11. Click
    Finished
    .

Creating a virtual server to manage clientside HTTPS traffic

You can specify a virtual server that manages clientside HTTPS traffic sent to a third-party device to manipulate traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Standard
    .
  5. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  6. For the
    Service Port
    setting, type
    443
    in the field, or select
    HTTPS
    from the list.
  7. From the
    Protocol Profile (Client)
    list, select
    splitsession-default-tcp
    .
  8. From the
    Configuration
    list, select
    Advanced
    .
  9. From the
    HTTP Profile
    list, select
    http
    .
  10. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select a Client SSL profile, and using the Move button, move the name to the
    Selected
    list.
  11. From the
    VLAN and Tunnel Traffic
    list, select
    Enablerd on
    .
  12. For the
    VLANs and Tunnels
    setting, move the clientside VLAN to the
    Selected
    list.
  13. From the
    Transparent Nexthop
    list, select the VLAN that you created for the inspection device.
  14. Click
    Finished
    .
The clientside HTTPS virtual server appears in the Virtual Server List screen.

Creating a virtual server to manage serverside traffic

You can specify a virtual server that manages serverside traffic sent from a third-party device to manipulate traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Standard
    .
  5. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  6. For the
    Service Port
    setting, type
    80
    in the field, or select
    HTTP
    from the list.
  7. From the
    Configuration
    list, select
    Advanced
    .
  8. From the
    Protocol Profile (Server)
    list, select
    splitsession-default-tcp
    .
  9. From the
    HTTP Profile
    list, select
    http
    .
  10. For the
    SSL Profile (Server)
    setting, from the
    Available
    list, select a Server SSL profile, and using the Move button, move the name to the
    Selected
    list.
  11. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    .
  12. For the
    VLANs and Tunnels
    setting, move the VLAN that you created for the inspection device to the
    Selected
    list.
  13. From the
    Transparent Nexthop
    list, select the serverside VLAN.
  14. Click
    Finished
    .
The serverside HTTPS virtual server appears in the Virtual Server List screen.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click
    Network
    VLANs
    VLAN Groups
    .
    The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click
    Create
    .
    The New VLAN Group screen opens.
  4. In the General Properties area, in the
    VLAN Group
    field, type a unique name for the VLAN group.
  5. For the
    VLANs
    setting, from the
    Available
    field select the
    internal
    and
    external
    VLAN names, and click
    <<
    to move the VLAN names to the
    Members
    field.
  6. Click
    Finished
    .