Forum Discussion

rpalacios_79340
May 19, 2009

Terminating SSL on F5.

Hello guys,

I read that you can use the F5 to offload SSL certificate-verification tasks from client and server systems.

I have a few questions about this configuration:

1. How painful is this process in terms of the configuration changes I would have to apply to the current virtual servers?

2. Are there any real advantages to moving the security certificates from my web servers to the F5?

3. Would a client-side profile be enough, or would it have to be a client-side profile and a server-side profile?

4. Can I just import or install the same certificates I have on the web servers, or does the F5 need to have its own certificate in addition to the certificates of the web servers?

Thanks,

-Reinhard

6 Replies

  • James_Quinby_46 (Historic F5 Account)
    1. Not painful at all. You'd need a virtual server listening on port 443, and then assign an SSL profile to it which referenced the certificate and key.

    2. SSL is offloaded to hardware on the F5, which means that it's a whole lot faster. Plus, all the certs and keys are in one place which is a lot easier to manage.

    3. To terminate SSL between the LTM and the browser, you need the serverssl profile. Use the clientssl profile if you want to renegotiate SSL between the LTM and the webserver.

    4. They can be imported. If your webserver can export a PKCS certificate, this SOL:

    https://support.f5.com/kb/en-us/solutions/public/2000/300/sol2323a.html

    ...walks you through the PEM conversion process.

    Hope this helps,

    JQ
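A worked example of the PEM conversion JQ mentions in point 4, added here as an illustration; it is not part of this thread or of the F5 SOL. The script builds a throw-away PKCS#12 bundle (standing in for the .pfx/.p12 you would export from the web server), splits it into the separate PEM certificate and unencrypted PEM key that the LTM import wants, and checks that the key really belongs to the certificate before you upload anything. It needs only the openssl command line; the file names, the CN and the password are made up.

```shell
# Added example, not from the thread: PKCS#12 -> PEM for LTM import,
# plus a sanity check that the key and certificate are a matching pair.
# Requires the openssl CLI. File names, CN and password are assumptions.

# Build a throw-away PKCS#12 bundle so the example runs offline.
# This stands in for the .pfx/.p12 exported from IIS, Apache, etc.
make_demo_p12() {
    dir="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -name "www.example.com" -passout "pass:$pass" -out "$dir/export.p12"
}

# Split a PKCS#12 file into cert.pem and key.pem (unencrypted key) in
# $outdir. Re-encoding through x509/rsa strips the "Bag Attributes"
# preamble that pkcs12 emits, leaving clean PEM for the F5 import.
p12_to_pem() {
    p12="$1"; pass="$2"; outdir="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$outdir/cert.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl rsa -out "$outdir/key.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"   # the private key now lives outside the p12
}

# Return 0 only if the RSA modulus in the key matches the certificate.
# A mismatched pair is the classic reason an imported cert/key refuses
# to load into a profile or fails the handshake afterwards.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage against the constructed bundle:
#   work=$(mktemp -d)
#   make_demo_p12 "$work" 'demo-pass'
#   p12_to_pem "$work/export.p12" 'demo-pass' "$work"
#   key_matches_cert "$work/key.pem" "$work/cert.pem" && echo "pair OK"
```

Upload cert.pem and key.pem to the LTM and reference them from the client SSL profile. The modulus check is worth keeping in your own runbook; it is the quickest way to rule out a wrong key before opening a case. If the export also carried intermediate CA certificates, pull them out with -cacerts -nokeys and import them as the chain.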
  • Oh, and regarding point 2, the other advantage is that if you are doing SSL offload, you can then use Layer 7 iRules and cookie persistence and other fun Layer 7 stuff. If you are passing SSL connections through the LTM to the webservers without doing offload, you can't "see" into the encrypted packets and thus you are restricted to Layer 4 iRules and source IP persistence.

    Denny
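Putting JQ's point 1 and Denny's point together, here is what the finished offload configuration looks like in bigip.conf/tmsh syntax. This is an added illustration, not configuration from the thread or from F5 documentation, and it assumes a tmsh-era LTM (v10/v11 or later; the original poster's version is not stated) plus made-up object names, a documentation-range VIP and private pool addresses. The client SSL profile is the one that terminates the browser's TLS session on the LTM, the pool members listen on plain port 80, and the cookie persistence and HTTP iRule on the virtual server are the Layer 7 features that only work once the LTM can read the decrypted request.

```tmsh
# Added example (not from the thread): SSL offload on LTM.
# Step 1, import the PEM files produced from the PKCS#12 export
# (object names and paths are assumptions):
#   tmsh install sys crypto cert www.example.com.crt from-local-file /var/tmp/cert.pem
#   tmsh install sys crypto key  www.example.com.key from-local-file /var/tmp/key.pem
# Step 2, merge this fragment and save:
#   tmsh load sys config merge file /var/tmp/ssl-offload.conf
#   tmsh save sys config

# Client-side profile: the browser negotiates TLS with the LTM using this cert/key.
ltm profile client-ssl www.example.com_clientssl {
    defaults-from clientssl
    cert www.example.com.crt
    key www.example.com.key
}

# Web servers now listen on plain HTTP; their certificates can come off.
ltm pool web_pool {
    members {
        10.0.0.11:80 { address 10.0.0.11 }
        10.0.0.12:80 { address 10.0.0.12 }
    }
    monitor http
}

# Layer 7 iRule: only possible because the LTM sees decrypted HTTP.
ltm rule admin_path_guard {
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/admin" } {
        reject
    }
}
}

# Cookie persistence needs the HTTP profile, which in turn needs offload.
ltm virtual www.example.com_https {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
        www.example.com_clientssl { context clientside }
    }
    pool web_pool
    rules { admin_path_guard }
    persist {
        cookie { default yes }
    }
    source-address-translation { type automap }
}
```

If policy requires the hop to the web servers to stay encrypted (the case the last two replies discuss), keep the certificates on the web servers, put the members on :443, and add a server SSL profile with context serverside to the virtual server; the LTM then decrypts, applies the Layer 7 logic, and re-encrypts towards the pool.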
  • jquinby and Denny,

    Thanks for all your replies. I appreciate the feedback on this.

    It now sounds like something I may need to consider implementing. Key points being centralization and additional persistence options.

    Thanks.

    -Ryan
  • Hi, for having a server-side SSL profile we do need a certificate installed on the web server, right?

  • For having a server-side SSL profile we do need a certificate installed on the web server, right?

    It'd be difficult to even enable SSL in any given application without also applying a certificate and corresponding private key. So yes, you do need a certificate (and private key) on the web server.