How to make F5 act as proxy for forwarding traffic to external website

Cirrocumulus

Jan 18, 2018

It is possible, but has problems.

To be able to change from TLS1.2 to TLS1.1, you need to terminate and initiate the SSL connection to the external server.

That causes 2 problems:

1 - Your server will see a different certificate, as you don't have the external server private key, so you need to create or use another one.

2 - The F5 connection to the external server will not validate the external certificate, by default. You can import that the CA certificates, and setup that.

So, basically, create a standard virtual server with the external server IP as a destination, and source as the internal server IP or network. Also, create a pool with the external server IP, and link to the virtual server. Configure and link to the virtual server, the clientssl and serverssl profiles.

That is with LTM.

However, if you go to SWG, that is simpler:

https://f5.com/products/big-ip/secure-web-gateway-services-swgs

In that case you can setup SWG as an explicit proxy, and the request will be sent to the proxy. If should then be able to negotiate the correct TLS protocol version with the external server.

Forum Discussion

How to make F5 act as proxy for forwarding traffic to external website

Recent Discussions

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

Can iRule be used to perform exception of IPI category based on Geolocation

BWC iRule

Citrix XenServer Big-IP Upgrade help

iRule condition - request contains more than 10000 parameters

Related Content

SMTP Traffic Forward to M365 on Port 587

How to Forward traffic via F5

CSV to Address External Datagroup File

iRule to Forward Traffic Based on URL Name

fellow traffic