F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Local Traffic Manager: Implementations
  5. Configuring an SSL Intercept Explicit Proxy Mode
Manual Chapter : Configuring an SSL Intercept Explicit Proxy Mode

Applies To:

Show Versions Show Versions
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Configuring an SSL Intercept Explicit Proxy Mode

About SSL intercept explicit proxy mode

A typical SSL intercept explicity proxy mode configuration includes two BIG-IP devices, one configured to manage half-proxy client traffic and one configured to manage half-proxy server traffic. When the ingress BIG-IP system receives a client request, SSL decrypts the request. The ingress BIG-IP system then sends metadata to the egress BIG-IP system by means of the out-of-band TCP connection and sends the request data to the inspection device. When the egress BIG-IP system receives the metadata through the out-of-band connection and the request from the inspection device, it uses the information in the metadata, re-encrypts the request, and forwards it to the destination server.

The following illustration depicts an example configuration.

An example SSL intercept explicity proxy mode configuration

An example SSL intercept explicity proxy mode configuration

The SplitSession Client profile type

The SplitSession Client profile defines the client parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Peer Port, which specifies the port for the SplitSession peer that is connected to the out-of-band connection, and the Peer IP address, which specifies the IP address for the SplitSession peer that is connected to the out-of-band connection.

The SplitSession Server profile type

The SplitSession Server profile defines the server parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Listen Port, which specifies the port that the SplitSession server listens on for the out-of-band connection, and the Listen IP address, which specifies the IP address that the SplitSession server listens on for the out-of-band connection.

Task summary for configuring SSL intercept explicit proxy mode

Complete these tasks to configure an SSL intercept explicit proxy configuration.

Creating a pool to process HTTP traffic for an inspection device

You can create a pool that includes an inspection device to process HTTP requests.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type 80 in the Service Port field, or select HTTP from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating an ingress explicit proxy virtual server

Before you configure an ingress explicit proxy virtual server, you need to configure a SplitSession Client profile and pool to assign to the virtual server.
You can configure an ingress explicit proxy virtual server to manage the client split-session half-proxy traffic from a client to the inspection device.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Description field, type a description of the virtual server.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the Service Port field, type 443 or select HTTPS from the list.
  8. From the HTTP Profile list, select http.
  9. For the SSL Profile (Client) setting, select a client SSL profile.
  10. From the Protocol list, select TCP.
  11. From the SplitSession Client Profile list, select splitsessionclient or a custom SplitSession Client profile.
  12. From the Default Pool list, select the name of the HTTP server pool that you previously created.
  13. Click Finished.
An ingress explicit proxy virtual server is configured to manage the client split-session half-proxy traffic from a client to the inspection device.

Creating a SplitSession Server profile

You can create a SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Server .
    The SplitSession Server profile list screen opens.
  2. Click Create.
    The New SplitSession Server Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value or select another existing profile of the same type.
  5. In the Listen Port field, type a value for the the port of the SplitSession server listens on for the out-of-band connection.
  6. In the Listen IP field, type the IP address of the SplitSession server listens on for the out-of-band connection.
  7. Click Finished.
A SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled.
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled).
    The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, assign https or https_443 by moving it from the Available list to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the New Members setting to add each resource that you want to include in the pool:
    1. In the Address field, type an IP address.
    2. In the Service Port field type 443 , or select HTTPS from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The HTTPS load balancing pool appears in the Pool List screen.

Creating an egress explicit proxy virtual server

Before you configure an egress explicit proxy virtual server, you need to configure a SplitSession Server profile and pool to assign to the virtual server.
You can configure an egress explicit proxy virtual server to manage the server split-session half-proxy traffic from an inspection device to a server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Description field, type a description of the virtual server.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: For best results, F5 recommends that you enter the subnet that matches your destination server network.
  7. In the Service Port field, type 443 or select HTTPS from the list.
  8. For the SSL Profile (Server) setting, select a server SSL profile.
  9. From the Protocol list, select TCP.
  10. From the SplitSession Server Profile list, select splitsessionserver or a custom SplitSession Server profile.
  11. From the Default Pool list, select the name of the HTTP server pool that you previously created.
  12. Click Finished.
An egress explicit proxy virtual server is configured to manage the server split-session half-proxy traffic from an inspection device to a server.

Creating a SplitSession Client profile

You can create a SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Client .
    The SplitSession Client profile list screen opens.
  2. Click Create.
    The New SplitSession Client Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value or select another existing profile of the same type.
  5. In the Peer Port field, type a value for the the port of the SplitSession peer assigned to the out-of-band connection.
  6. In the Peer IP field, type the IP address of the SplitSession peer assigned to the out-of-band connection.
  7. Click Finished.
A SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration is available to assign to a virtual server.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. Next to Client Authentication, select the Custom check box.
    The settings become available.
  8. From the Configuration list, select Advanced.
  9. Modify the settings, as required.
  10. Click Finished.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information