Forum Discussion
Kai_Wilke
Jan 26, 2018 MVP
Hi dcampbell79,
Basically you have different options to handle SSL traffic...
SSL Termination = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side SSL -> Server
SSL Offload = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Server Side HTTP -> Server
TCP Forward = Client -> Client Side SSL -> F5 (is not able to inspect SSL) -> Client Side SSL -> Server
SSL Proxy = Client -> Client Side SSL -> F5 (is able to inspect SSL) -> Client Side SSL -> Server
So configuring the SSL Proxy on your F5 would allow you to inspect the SSL session and also redirect the client without terminating and reestablishing the SSL session between your clients and NetScalers (e.g. required for SSL certificate authentication).
https://support.f5.com/csp/article/K13385
Note: But keep in mind that this mode does not work with modern DHE or ECDHE cipher suites...
Cheers, Kai
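
Added example, not part of Kai_Wilke's post and not F5 code: a small Python check for the DHE/ECDHE caveat above. It classifies OpenSSL-style cipher suite names by key exchange and shows which suite a server would pick for a given client offer, so you can see whether an SSL Proxy deployment could still inspect the session. The function names and sample cipher lists are constructed for illustration, and it assumes the server enforces its own preference order.

```python
# Added example: classify OpenSSL cipher-suite names by key exchange and
# predict whether a negotiated session could be inspected in SSL Proxy mode.
# Assumption (from the note above): DHE/ECDHE suites do not work in that mode,
# so only static-RSA key exchange is treated as inspectable.

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# OpenSSL names static-RSA suites with no key-exchange prefix: the name
# starts directly with the bulk cipher.
BULK_PREFIXES = ("AES", "DES-", "CAMELLIA", "ARIA", "SEED-", "IDEA-", "RC4-")


def key_exchange(suite: str) -> str:
    """Return 'TLS1.3', 'EPHEMERAL', 'RSA' or 'OTHER' for an OpenSSL name."""
    if suite.startswith("TLS_"):          # TLS 1.3 suites always use (EC)DHE
        return "TLS1.3"
    if suite.startswith(EPHEMERAL_PREFIXES):
        return "EPHEMERAL"
    if suite.startswith(BULK_PREFIXES):
        return "RSA"
    return "OTHER"                        # PSK, SRP, anonymous, static ECDH...


def negotiate(server_pref, client_offer):
    """First suite in the server's preference order that the client offers.
    Assumes the server enforces its own order."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def proxy_can_inspect(suite) -> bool:
    """True only when a suite was negotiated and it uses static-RSA key exchange."""
    return suite is not None and key_exchange(suite) == "RSA"


# Constructed sample lists, not taken from any real device.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
          "AES128-GCM-SHA256", "AES256-SHA"]
SERVER_DEFAULT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"]
SERVER_RSA_ONLY = [s for s in SERVER_DEFAULT if key_exchange(s) == "RSA"]

if __name__ == "__main__":
    for label, pref in (("default", SERVER_DEFAULT), ("rsa-only", SERVER_RSA_ONLY)):
        chosen = negotiate(pref, CLIENT)
        print(f"{label:9} -> {chosen}: inspectable={proxy_can_inspect(chosen)}")
```

With the default list the server prefers the ECDHE suite even though an RSA suite is enabled, so restricting the backend's cipher list to RSA key exchange is what makes the session inspectable, at the cost of forward secrecy.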