F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Local Traffic Manager: Implementations
  5. Manipulating HTTPS Traffic by Using a Third-Party Device
Manual Chapter : Manipulating HTTPS Traffic by Using a Third-Party Device

Applies To:

Show Versions Show Versions
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Manipulating HTTPS Traffic by Using a Third-Party Device

Overview: Manipulating HTTPS traffic by using a third-party device

You can configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.

When you configure a virtual server to use the Transparent Nexthop control, traffic matching the virtual server is sent to the specified interface and the layer 2 addressing on the ingress packet is preserved. Configuring the Transparent Nexthop to specify the VLAN that is configured with the inspection device eliminates the need to configure a pool, NAT, SNAT, or other load balancing functionality to the inspection device.
Important: Transparent Nexthop functionality requires a license that supports that functionality. If the Transparent Nexthop control does not appear on the New Virtual Server screen, contact your F5® Networks support representative to acquire the necessary license.

The basic process used in this configuration is as follows:

  1. A client sends an HTTPS request to a server by means of the BIG-IP device.
  2. The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
  3. The inspection device receives and, as necessary, modifies the cleartext request.
  4. The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
  5. The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
  6. The server sends a response to the client by means of the BIG-IP device.
  7. The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
  8. The inspection device receives and, as necessary, modifies the cleartext response.
  9. The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
  10. The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.

The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.

An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.

Task summary for manipulating HTTPS traffic thru third-party devices

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a VLAN

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the Customer Tag list, select Specify.
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting,
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Untagged.
    3. Click Add.
  7. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  9. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. Next to Client Authentication, select the Custom check box.
    The settings become available.
  8. From the Configuration list, select Advanced.
  9. Modify the settings, as required.
  10. Click Finished.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled.
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled).
    The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.

Task summary for manipulating HTTPS traffic thru third-party devices

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a virtual server to manage clientside HTTPS traffic

You can specify a virtual server that manages clientside HTTPS traffic sent to a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Standard.
  5. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  6. For the Service Port setting, type 443 in the field, or select HTTPS from the list.
  7. From the Protocol Profile (Client) list, select splitsession-default-tcp.
  8. From the Configuration list, select Advanced.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Client) setting, from the Available list, select a Client SSL profile, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enablerd on.
  12. For the VLANs and Tunnels setting, move the clientside VLAN to the Selected list.
  13. From the Transparent Nexthop list, select the VLAN that you created for the inspection device.
  14. Click Finished.
The clientside HTTPS virtual server appears in the Virtual Server List screen.

Creating a virtual server to manage serverside traffic

You can specify a virtual server that manages serverside traffic sent from a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Standard.
  5. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  6. For theService Port setting, type 80 in the field, or select HTTP from the list.
  7. From the Configuration list, select Advanced.
  8. From the Protocol Profile (Server) list, select splitsession-default-tcp.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Server) setting, from the Available list, select a Server SSL profile, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enabled on.
  12. For the VLANs and Tunnels setting, move the VLAN that you created for the inspection device to the Selected list.
  13. From the Transparent Nexthop list, select the serverside VLAN.
  14. Click Finished.
The serverside HTTPS virtual server appears in the Virtual Server List screen.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click Network > VLANs > VLAN Groups .
    The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click Create.
    The New VLAN Group screen opens.
  4. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.
  5. For the VLANs setting, from the Available field select the internal and external VLAN names, and click << to move the VLAN names to the Members field.
  6. Click Finished.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information