Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Manipulating HTTPS traffic by using a third-party device
You can configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.
The basic process used in this configuration is as follows:
- A client sends an HTTPS request to a server by means of the BIG-IP device.
- The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
- The inspection device receives and, as necessary, modifies the cleartext request.
- The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
- The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
- The server sends a response to the client by means of the BIG-IP device.
- The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
- The inspection device receives and, as necessary, modifies the cleartext response.
- The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
- The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.
The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.
An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.
Task Summary
Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.
Creating a VLAN
Creating a custom Client SSL profile
You perform this task to create a Client SSL profile that makes direct client-server authentication possible while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL traffic only.
Creating a custom Server SSL profile
Creating a VLAN group
Creating a virtual server to manage client-side HTTPS traffic
- On the Main tab, click .
- Click Create.
- In the Name field, type a name for the virtual server.
- From the Type list, select Standard.
- In the Destination Address/Mask field, type a destination IP address in CIDR format.
- For the Service Port setting, type 443 in the field, or select HTTPS from the list.
- From the Protocol Profile (Client) list, select splitsession-default-tcp.
- From the Configuration list, select Advanced.
- From the HTTP Profile list, select http.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you created previously, and using the Move button, move the name to the Selected list.
- From the VLAN and Tunnel Traffic list, select Enabled on.
- For the VLANs and Tunnels setting, move the clientside VLAN to the Selected list.
- From the Transparent Nexthop list, select the VLAN that you created for the inspection device.
- Click Finished.
Creating a virtual server to manage server-side traffic
- On the Main tab, click .
- Click Create.
- In the Name field, type a name for the virtual server.
- From the Type list, select Standard.
- In the Destination Address/Mask field, type a destination IP address in CIDR format.
- For the Service Port setting, type 80 in the field, or select HTTP from the list.
- From the Configuration list, select Advanced.
- From the Protocol Profile (Server) list, select splitsession-default-tcp.
- From the HTTP Profile list, select http.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you created previously, and using the Move button, move the name to the Selected list.
- From the VLAN and Tunnel Traffic list, select Enabled on.
- For the VLANs and Tunnels setting, move the VLAN that you created for the inspection device to the Selected list.
- From the Transparent Nexthop list, select the serverside VLAN.
- Click Finished.
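The two virtual servers only work as a pair: the client-side one hands cleartext to the inspection VLAN, and the server-side one must pick it up there and re-encrypt it before it leaves toward the server. The following check is an added example, not F5 code or a BIG-IP API: it audits a pair of settings records against the steps above. The `VirtualServer` fields, the `audit` function, the profile names, and the VLAN name `inspection` are hypothetical placeholders.

```python
from dataclasses import dataclass
from typing import Optional

SPLIT_TCP = "splitsession-default-tcp"  # TCP profile named in both procedures

@dataclass(frozen=True)
class VirtualServer:            # hypothetical record, not a BIG-IP object
    name: str
    port: int
    tcp_profile: str
    client_ssl: Optional[str]   # SSL Profile (Client), None if not set
    server_ssl: Optional[str]   # SSL Profile (Server), None if not set
    vlans: frozenset            # VLANs and Tunnels selected with "Enabled on"
    nexthop: str                # Transparent Nexthop VLAN

def audit(client, server, client_vlan, inspect_vlan, server_vlan):
    """Compare a client-side/server-side pair with the procedure; return findings."""
    checks = [
        (client.port == 443, f"{client.name}: service port should be 443"),
        (server.port == 80, f"{server.name}: service port should be 80"),
        (client.tcp_profile == SPLIT_TCP and server.tcp_profile == SPLIT_TCP,
         f"both virtual servers should use {SPLIT_TCP}"),
        (client.client_ssl is not None,
         f"{client.name}: no Client SSL profile, HTTPS is not decrypted"),
        (server.server_ssl is not None,
         f"{server.name}: no Server SSL profile, cleartext leaves toward the server"),
        # Assumption: each procedure selects exactly one VLAN.
        (client.vlans == frozenset({client_vlan}),
         f"{client.name}: enabled VLANs should be exactly {client_vlan}"),
        (client.nexthop == inspect_vlan,
         f"{client.name}: nexthop should be {inspect_vlan}"),
        (server.vlans == frozenset({inspect_vlan}),
         f"{server.name}: enabled VLANs should be exactly {inspect_vlan}"),
        (server.nexthop == server_vlan,
         f"{server.name}: nexthop should be {server_vlan}"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample records; all names are placeholders.
GOOD_CLIENT = VirtualServer("vs_client", 443, SPLIT_TCP, "clientssl_custom", None,
                            frozenset({"clientside"}), "inspection")
GOOD_SERVER = VirtualServer("vs_server", 80, SPLIT_TCP, None, "serverssl_custom",
                            frozenset({"inspection"}), "serverside")
# Misconfigured: Server SSL profile omitted, nexthop loops back to inspection.
BAD_SERVER = VirtualServer("vs_server", 80, SPLIT_TCP, None, None,
                           frozenset({"inspection"}), "inspection")

if __name__ == "__main__":
    for srv in (GOOD_SERVER, BAD_SERVER):
        print(audit(GOOD_CLIENT, srv, "clientside", "inspection", "serverside") or "OK")
```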