Decryption of traffic on F5

You have to configure SSL client profile in the virtual server that you want to perform SSL offloading. If you want to encrypt (SSL onloading) from F5 to the servers, you hace to add SSL server profile.

Hi,

 

I recommend reading this response as it will give you some context: https://devcentral.f5.com/s/feed/0D51T00006i7cquSAA

 

For what you describe, you're currently doing SSL tunneling, which means the F5 is NOT decrypting the traffic but sending it as it is to the backend.

 

To decrypt the traffic on the F5, you need to create a ClientSSL profile and attach it to the correspondent virtual server. Then you have to decide whether you're going to re-encrypt the traffic or not before sending to the backend. If so, you'll also need a ServerSSL profile on the same virtual server, if you plan to send the traffic unencrypted from the F5 to the backend, then you only need the ClientSSL profile.

 

You'll find the information you need here:

 

https://support.f5.com/csp/article/K14783

 

https://support.f5.com/csp/article/K14806

 

Hey Immu,

you have to do the following:

• add your certificates

• System -> SSL Certificates

• create an SSL client profile

• Local Traffic -> Profiles -> SSL -> Client

• here is important to add the certificate key chain (certificate, private key, CA)

• add the SSL profile to your Virtual host

• Local Trafic -> Virtual Servers -> -> Properties -> SSL Profile (Client)

After those steps you can remove the certificate from the backend server and the traffic will be decrypted after your Big-IP.