Forum Discussion

Fletcher_Cocquy
Mar 15, 2010

SSL Proxy Juniper SSL VPN

Hi, we are not ready to expose our Juniper SSL VPN externally, so I was asked to test the BigIP's capability (it's already exposed externally) to proxy SSL to it.

I set up the external HTTPS virtual server and mapped it to a pool of one, consisting of the Juniper SSL VPN's IP on port 443 (note this is different from our normal case, where we want to offload the SSL; here we want to pass on the HTTPS).

Anyway, the Juniper is denying the requests from the BigIP with messages:

SSL negotiation failed while client at source IP 'xx.yy.104.107' was trying to connect to 'aa.bb.70.132'. Reason: 'http request'

which does not make sense to us since the request is coming on port 443 from the BigIP.

Is there a setting I'm forgetting in the BigIP to make this SSL==>SSL proxy work?

thanks
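The Juniper log line quoted above says that what arrived on port 443 looked like an HTTP request rather than an SSL handshake, so a useful check is to classify the first bytes the LTM actually sends toward the pool member: TLS ClientHello, SSLv2-style ClientHello, or plaintext HTTP. The script below is an added example, not code from the original post or from F5 or Juniper; its sample byte strings are constructed, and the plaintext case is what you see when a virtual server decrypts with a client SSL profile but has no server SSL profile to re-encrypt toward the pool.

```python
import socket

# Constructed sample inputs (not captured from the systems in the thread):
# the opening bytes of a TLS 1.0 ClientHello record, an SSLv2-compatible
# ClientHello, and a plaintext HTTP request, as they would arrive on port 443.
TLS_CLIENT_HELLO = (bytes.fromhex("160301002f0100002b0303") + bytes(32)
                    + bytes.fromhex("000004002f00350100"))
SSLV2_CLIENT_HELLO = bytes.fromhex("802e0100020015000000100100800700c0")
PLAINTEXT_HTTP = b"GET / HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes of a connection hitting an SSL listener.

    Returns 'tls-client-hello', 'tls-record', 'sslv2-client-hello',
    'http-request' or 'unknown'.
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS record header: content type 22 (handshake), version 3.x.
        # Byte 5 is the handshake message type; 1 means ClientHello.
        return "tls-client-hello" if data[5] == 0x01 else "tls-record"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-style record: 2-byte length with the high bit set, then
        # message type 1 (ClientHello); common from 2010-era clients.
        return "sslv2-client-hello"
    head = data[:256]
    if head.startswith(HTTP_METHODS) and b" HTTP/1." in head:
        # Plaintext HTTP on the SSL port: the proxy decrypted the client
        # side but did not re-encrypt toward this server.
        return "http-request"
    return "unknown"


def peek_and_classify(conn: socket.socket) -> str:
    """Peek at an accepted socket without consuming its data, then classify."""
    return classify_first_bytes(conn.recv(256, socket.MSG_PEEK))


if __name__ == "__main__":
    for label, sample in (("tls", TLS_CLIENT_HELLO),
                          ("sslv2", SSLV2_CLIENT_HELLO),
                          ("http", PLAINTEXT_HTTP)):
        print(label, "->", classify_first_bytes(sample))
```

To use it against a live setup, bind a test listener on a spare port that the LTM pool points at and call peek_and_classify on each accepted connection.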

3 Replies

  • Hi, thanks for the reply

    when I add our standard SSL redirect iRule:

    # Redirect any plaintext HTTP request to the same host and URI over HTTPS
    when HTTP_REQUEST {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }

    I get an error: "the server is redirecting the request for this address in a way that will never complete"

    When I try IP or layer 2 forwarding I get the error from the BigIP: node must be directly connected to the BigIP. It's not; it routes one hop.

    Puzzling why the Juniper thinks HTTP requests are being made... BigIP should be passing HTTPS only.

    Not sure we will be able to front the Juniper SSL VPN with the BigIP...

    thanks
  • I'm having similar issues. I'm going to try the layer-2 approach though since it's on the same network. Did you ever get the layer-3 profile working? Would be curious to know what the solution was.
  • We specifically had issues with the LTM doing SSL termination and re-encryption in front of the Juniper SA-series SSL VPN appliance (formerly known as Neoteris IVE) on version 9.4.8.

    It would intermittently fail to negotiate as a client of the Juniper. I forgot exactly what we came up with as the root cause, but it was on the Juniper side of the SSL negotiation.