Manual Chapter: Implementing SSL Forward Proxy on a Single BIG-IP System
Overview: SSL forward proxy client and server authentication
With the BIG-IP system's SSL forward proxy functionality, you can encrypt all traffic between a client and the BIG-IP system by using one certificate, and encrypt all traffic between the BIG-IP system and the server by using a different certificate.
A client establishes a three-way handshake and SSL connection with the wildcard IP address of the BIG-IP system virtual server. The BIG-IP system then establishes a three-way handshake and SSL connection with the server, and receives and validates a server certificate (while maintaining the separate connection with the client). The BIG-IP system uses the server certificate to create a second unique server certificate to send to the client. The client receives the second server certificate from the BIG-IP system, but recognizes the certificate as originating directly from the server.
To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
A virtual server configured with Client and Server SSL profiles for SSL forward proxy functionality

- Client establishes three-way handshake and SSL connection with wildcard IP address.
- BIG-IP system establishes three-way handshake and SSL connection with server.
- BIG-IP system validates a server certificate (Certificate A), while maintaining the separate connection with the client.
- BIG-IP system creates different server certificate (Certificate B) and sends it to client.
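The Certificate A / Certificate B relationship can be reproduced offline with `openssl`. The following is an added example, not BIG-IP code or configuration: it assumes the proxy signs Certificate B with a CA of its own, copies only the common name and DNS subject alternative names from Certificate A, and uses constructed names (`constructed-public-ca`, `constructed-proxy-ca`, `www.shop.example.test`) and hypothetical helper functions. It shows why a client accepts Certificate B only when the proxy's CA is in its trust store.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, key and certificate is generated locally in a temp dir.
set -eu
WORK=$(mktemp -d)

# make_ca NAME CN: self-signed CA that acts as a trust anchor.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CA SUBJECT SAN: new key pair plus a leaf certificate signed by CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Identity fields read back out of a certificate (single-CN subjects only).
cn_of()     { openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'; }
san_of()    { openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName | sed -n 's/^ *\(DNS:.*\)/\1/p'; }
issuer_of() { openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *CN=//'; }

# reissue NAME ORIGIN CA: the proxy step. Copy the identity seen in ORIGIN into a
# certificate with a fresh key, signed by CA (the origin's private key is never needed).
reissue() { issue "$1" "$3" "/CN=$(cn_of "$2")" "$(san_of "$2")"; }

# chains_to CERT CA: succeeds only if CERT verifies with CA as the trust anchor.
chains_to() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}

make_ca public_ca constructed-public-ca   # anchor the origin server's certificate chains to
make_ca proxy_ca  constructed-proxy-ca    # signing CA held by the forward proxy
issue cert_a public_ca "/CN=www.shop.example.test" "DNS:www.shop.example.test"  # Certificate A
reissue cert_b cert_a proxy_ca                                                  # Certificate B

for ca in public_ca proxy_ca; do
  if chains_to cert_b "$ca"; then r=trusted; else r=rejected; fi
  echo "Certificate B (CN=$(cn_of cert_b), issuer=$(issuer_of cert_b)) against $ca: $r"
done
```

Comparing the issuer a client sees with the issuer the origin actually presents is also a quick check for whether a given connection passes through the forward proxy.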