Manual Chapter : Configuring an SSL Intercept Explicit Proxy Mode

Applies To:

BIG-IP AAM, BIG-IP APM, BIG-IP Link Controller, BIG-IP Analytics, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP DNS, BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About SSL intercept explicit proxy mode

A typical SSL intercept explicit proxy mode configuration includes two BIG-IP devices, one configured to manage half-proxy client traffic and one configured to manage half-proxy server traffic. When the ingress BIG-IP system receives a client request, it decrypts the SSL request. The ingress BIG-IP system then sends metadata to the egress BIG-IP system over the out-of-band TCP connection and sends the request data to the inspection device. When the egress BIG-IP system receives the metadata through the out-of-band connection and the request from the inspection device, it uses the information in the metadata, re-encrypts the request, and forwards it to the destination server.

The following illustration depicts an example configuration.

Figure: An example SSL intercept explicit proxy mode configuration

The SplitSession Client profile type

The SplitSession Client profile defines the client parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Peer Port, which specifies the port for the SplitSession peer that is connected to the out-of-band connection, and the Peer IP address, which specifies the IP address for the SplitSession peer that is connected to the out-of-band connection.

The SplitSession Server profile type

The SplitSession Server profile defines the server parameters in an SSL intercept explicit proxy mode configuration. This profile enables you to configure a Listen Port, which specifies the port that the SplitSession server listens on for the out-of-band connection, and the Listen IP address, which specifies the IP address that the SplitSession server listens on for the out-of-band connection.

Task Summary

Complete these tasks to set up an SSL intercept explicit proxy mode configuration.

Creating a SplitSession Client profile

You can create a SplitSession Client profile to define the client parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Client.
    The SplitSession Client profile list screen opens.
  2. Click Create.
    The New SplitSession Client Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value or select another existing profile of the same type.
  5. In the Peer Port field, type the port of the SplitSession peer assigned to the out-of-band connection.
  6. In the Peer IP field, type the IP address of the SplitSession peer assigned to the out-of-band connection.
  7. Click Finished.
The SplitSession Client profile, which defines the client parameters in an SSL intercept explicit proxy mode configuration, is now available to assign to a virtual server.

Creating a custom Client SSL profile

You perform this task to create a Client SSL profile that enables direct client-server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. For the Proxy SSL setting, select the check box.
  6. From the Configuration list, select Advanced.
  7. Modify other settings, as required.
  8. Click Finished.
The custom Client SSL profile appears in the Client SSL profile list screen.

Creating a pool to process HTTP traffic for an inspection device

You can create a pool that includes an inspection device to process HTTP requests.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type 80 in the Service Port field, or select HTTP from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating an ingress explicit proxy virtual server

Before you configure an ingress explicit proxy virtual server, you need to configure a SplitSession Client profile and a pool to assign to the virtual server.
You can configure an ingress explicit proxy virtual server to manage the client split-session half-proxy traffic from a client to the inspection device.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Description field, type a description of the virtual server.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: For best results, F5® recommends that you enter the subnet that matches your destination server network.
  7. In the Service Port field, type 443 or select HTTPS from the list.
  8. From the HTTP Profile list, select http.
  9. For the SSL Profile (Client) setting, select a client SSL profile.
  10. From the Protocol list, select TCP.
  11. From the SplitSession Client Profile list, select splitsessionclient or a custom SplitSession Client profile.
  12. From the Default Pool list, select the name of the HTTP server pool that you previously created.
  13. Click Finished.
An ingress explicit proxy virtual server is configured to manage the client split-session half-proxy traffic from a client to the inspection device.

Creating a SplitSession Server profile

You can create a SplitSession Server profile to define the server parameters in an SSL intercept explicit proxy mode configuration.
  1. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Server.
    The SplitSession Server profile list screen opens.
  2. Click Create.
    The New SplitSession Server Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value or select another existing profile of the same type.
  5. In the Listen Port field, type the port that the SplitSession server listens on for the out-of-band connection.
  6. In the Listen IP field, type the IP address that the SplitSession server listens on for the out-of-band connection.
  7. Click Finished.
The SplitSession Server profile, which defines the server parameters in an SSL intercept explicit proxy mode configuration, is now available to assign to a virtual server.

Creating a custom Server SSL profile

You perform this task to create a Server SSL profile that enables direct client-server authentication while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to server-side SSL traffic only.
Important: The certificate and key that you specify in this profile must match the certificate/key pair that you expect the back-end server to offer. If the back-end server has two or more certificates to offer, you must create a separate Server SSL profile for each certificate and then assign all of the Server SSL profiles to a single virtual server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select serverssl in the Parent Profile list.
  5. From the Certificate list, select a relevant certificate name.
  6. From the Key list, select a relevant key name.
  7. For the Proxy SSL setting, select the check box.
  8. From the Configuration list, select Advanced.
  9. Modify other settings, as required.
  10. Choose one of the following actions:
    • If you need to create another Server SSL profile, click Repeat.
    • If you do not need to create another Server SSL profile, click Finished.
All relevant Server SSL profiles now appear on the SSL Server profile list screen.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, assign https or https_443 by moving it from the Available list to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the New Members setting to add each resource that you want to include in the pool:
    1. In the Address field, type an IP address.
    2. In the Service Port field, type 443, or select HTTPS from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The HTTPS load balancing pool appears in the Pool List screen.

Creating an egress explicit proxy virtual server

Before you configure an egress explicit proxy virtual server, you need to configure a SplitSession Server profile and a pool to assign to the virtual server.
You can configure an egress explicit proxy virtual server to manage the server split-session half-proxy traffic from an inspection device to a server.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Description field, type a description of the virtual server.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: For best results, F5® recommends that you enter the subnet that matches your destination server network.
  7. In the Service Port field, type 443 or select HTTPS from the list.
  8. For the SSL Profile (Server) setting, select a server SSL profile.
  9. From the Protocol list, select TCP.
  10. From the SplitSession Server Profile list, select splitsessionserver or a custom SplitSession Server profile.
  11. From the Default Pool list, select the name of the HTTP server pool that you previously created.
  12. Click Finished.
An egress explicit proxy virtual server is configured to manage the server split-session half-proxy traffic from an inspection device to a server.
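The ingress and egress tasks above are configured on two separate devices, so the settings that tie them together (the Peer IP/Port on the SplitSession Client profile versus the Listen IP/Port on the SplitSession Server profile, Proxy SSL on both SSL profiles, port 80 on the inspection pool and port 443 on the HTTPS pool) are easy to get out of step. The following script, an added example rather than F5's own code, renders the tmsh equivalent of both halves from one description and cross-checks the pair before anything is applied. The tmsh object and property names it emits (ltm profile splitsessionclient/splitsessionserver with peer-ip, peer-port, listen-ip, listen-port; proxy-ssl on client-ssl/server-ssl profiles) are assumed to mirror the GUI fields in the procedures; confirm them with tmsh help on the release in use. All addresses, names, and the certificate/key names are constructed sample values.

```python
"""Render and cross-check the ingress/egress halves of an SSL intercept
explicit proxy mode configuration (added example, not F5 code).

Assumed: tmsh property names peer-ip/peer-port (splitsessionclient),
listen-ip/listen-port (splitsessionserver) and proxy-ssl (SSL profiles)
mirror the GUI fields in the procedures. Pool members are "address:port".
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class OutOfBand:
    """Endpoint of the out-of-band TCP connection between the two BIG-IPs."""
    ip: str
    port: int


@dataclass(frozen=True)
class Half:
    """One half-proxy: the virtual server plus the objects it references."""
    vs_name: str
    destination: str            # Destination Address in CIDR form (GUI field)
    members: List[str]          # pool members as "address:port"
    oob: OutOfBand              # Peer (ingress) or Listener (egress)
    proxy_ssl: bool = True      # the "Proxy SSL" check box on the SSL profile
    cert: str = "default.crt"   # egress only: Server SSL certificate and key
    key: str = "default.key"


def _destination(cidr: str, port: int) -> str:
    """GUI CIDR -> tmsh destination/mask; a bare IPv4 address becomes /32."""
    net = ipaddress.ip_network(cidr, strict=False)
    sep = "." if net.version == 6 else ":"      # tmsh uses '.' before IPv6 ports
    mask = "any" if net.prefixlen == 0 else str(net.netmask)
    return f"destination {net.network_address}{sep}{port} mask {mask}"


def _pool(name: str, members: List[str], monitor: str) -> str:
    body = " ".join(f"{m} {{ }}" for m in members)
    return f"create ltm pool {name} members add {{ {body} }} monitor {monitor}"


def render_ingress(h: Half) -> List[str]:
    """tmsh lines for the ingress BIG-IP (client-side half-proxy)."""
    proxy = "enabled" if h.proxy_ssl else "disabled"
    return [
        f"create ltm profile splitsessionclient {h.vs_name}_ssc "
        f"peer-ip {h.oob.ip} peer-port {h.oob.port}",
        f"create ltm profile client-ssl {h.vs_name}_clientssl "
        f"defaults-from clientssl proxy-ssl {proxy}",
        _pool(f"{h.vs_name}_inspect_pool", h.members, "http"),
        f"create ltm virtual {h.vs_name} source 0.0.0.0/0 "
        f"{_destination(h.destination, 443)} ip-protocol tcp "
        f"profiles add {{ http {h.vs_name}_clientssl {{ context clientside }} "
        f"{h.vs_name}_ssc }} pool {h.vs_name}_inspect_pool",
    ]


def render_egress(h: Half) -> List[str]:
    """tmsh lines for the egress BIG-IP (server-side half-proxy)."""
    proxy = "enabled" if h.proxy_ssl else "disabled"
    return [
        f"create ltm profile splitsessionserver {h.vs_name}_sss "
        f"listen-ip {h.oob.ip} listen-port {h.oob.port}",
        f"create ltm profile server-ssl {h.vs_name}_serverssl defaults-from "
        f"serverssl cert {h.cert} key {h.key} proxy-ssl {proxy}",
        _pool(f"{h.vs_name}_https_pool", h.members, "https"),
        f"create ltm virtual {h.vs_name} source 0.0.0.0/0 "
        f"{_destination(h.destination, 443)} ip-protocol tcp "
        f"profiles add {{ {h.vs_name}_serverssl {{ context serverside }} "
        f"{h.vs_name}_sss }} pool {h.vs_name}_https_pool",
    ]


def check_pairing(ingress: Half, egress: Half) -> List[str]:
    """Findings that would keep the split session from working."""
    findings = []
    if ingress.oob != egress.oob:
        findings.append(f"out-of-band mismatch: ingress peer {ingress.oob.ip}:"
                        f"{ingress.oob.port} vs egress listener "
                        f"{egress.oob.ip}:{egress.oob.port}")
    if not ingress.proxy_ssl:
        findings.append("ingress Client SSL profile has Proxy SSL disabled")
    if not egress.proxy_ssl:
        findings.append("egress Server SSL profile has Proxy SSL disabled")
    for m in ingress.members:
        if m.rsplit(":", 1)[1] != "80":
            findings.append(f"inspection pool member {m} is not on port 80")
    for m in egress.members:
        if m.rsplit(":", 1)[1] != "443":
            findings.append(f"HTTPS pool member {m} is not on port 443")
    if ingress.destination != egress.destination:   # both should match the server subnet
        findings.append("ingress and egress destination networks differ")
    return findings


# Constructed sample values (RFC 5737 / documentation ranges), not a real site.
OOB = OutOfBand("198.51.100.2", 9999)
INGRESS = Half("vs_ingress", "10.1.0.0/24", ["192.0.2.10:80", "192.0.2.11:80"], OOB)
EGRESS = Half("vs_egress", "10.1.0.0/24", ["10.1.0.20:443"], OOB,
              cert="backend.crt", key="backend.key")
EGRESS_BAD = Half("vs_egress", "10.1.0.0/24", ["10.1.0.20:443"],
                  OutOfBand("198.51.100.2", 9998), proxy_ssl=False)

if __name__ == "__main__":
    for line in render_ingress(INGRESS) + render_egress(EGRESS):
        print(line)
    print("findings (good pair):", check_pairing(INGRESS, EGRESS))
    print("findings (bad pair): ", check_pairing(INGRESS, EGRESS_BAD))
```

Run it once with the good pair to get the commands for each device, and keep the check in whatever change process you use: a wrong Listen Port or a Proxy SSL box left unchecked on the egress side produces no error when the objects are created, only an SSL intercept that silently fails at connection time.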