Applies To:
Show VersionsBIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About SSL intercept explicit proxy mode
A typical SSL intercept explicity proxy mode configuration includes two BIG-IP devices, one configured to manage half-proxy client traffic and one configured to manage half-proxy server traffic. When the ingress BIG-IP system receives a client request, SSL decrypts the request. The ingress BIG-IP system then sends metadata to the egress BIG-IP system by means of the out-of-band TCP connection and sends the request data to the inspection device. When the egress BIG-IP system receives the metadata through the out-of-band connection and the request from the inspection device, it uses the information in the metadata, re-encrypts the request, and forwards it to the destination server.
The following illustration depicts an example configuration.
An example SSL intercept explicity proxy mode configuration
The SplitSession Client profile type
The SplitSession Client profile defines the client parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Peer Port, which specifies the port for the SplitSession peer that is connected to the out-of-band connection, and the Peer IP address, which specifies the IP address for the SplitSession peer that is connected to the out-of-band connection.
The SplitSession Server profile type
The SplitSession Server profile defines the server parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Listen Port, which specifies the port that the SplitSession server listens on for the out-of-band connection, and the Listen IP address, which specifies the IP address that the SplitSession server listens on for the out-of-band connection.
Task Summary
Complete these tasks to configure an SSL intercept explicit proxy configuration.
Creating a SplitSession Client profile
Creating a custom Client SSL profile
You perform this task to create a Client SSL profile that makes it possible for direct client-server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL traffic only.