Forum Discussion

5 Replies

  • is it normal ssl offload configuration?

    e.g.

    [root@ve11a:Active:Changes Pending] config  tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.111:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 23
    }
    [root@ve11a:Active:Changes Pending] config  tmsh list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    
    [root@ve11a:Active:Changes Pending] config  curl -Ik https://172.28.20.111
    HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2013 04:28:31 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
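    The configuration above terminates TLS on the clientssl profile and hands cleartext HTTP to a pool member on port 80, which is the property that makes the decrypted stream available for inspection. As an added example (not code from the thread or from F5), the script below parses `tmsh list` output of the shape shown above and reports whether a virtual server offloads TLS (cleartext to the pool), bridges it (re-encrypts with a server-side profile) or passes it through untouched; the second sample with a `serverssl` profile is constructed here and goes beyond the thread's own config. The parser is a minimal stand-in for tmsh's grammar, and treating any profile whose name contains "ssl" as a TLS profile is an assumption, not tmsh's rule.

```python
"""Classify an F5 LTM virtual server's TLS handling from `tmsh list` text.

Added example, not from the thread or from F5. The parser is a minimal stand-in
for tmsh's brace grammar: it handles `key value`, `name { ... }` and empty
`name { }` only. Profile detection is an assumption: a profile whose name
contains "ssl" is treated as a TLS profile, and its `context` attribute says
which side (clientside / serverside) it applies to.
"""

# Constructed sample: the virtual server and pool from the thread, prompts removed.
OFFLOAD_SAMPLE = """\
ltm virtual bar {
    destination 172.28.20.111:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 23
}
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
"""

# Constructed sample (not in the thread): a server-side TLS profile added, so the
# pool member is reached over TLS again (SSL bridging) and sees no cleartext.
BRIDGING_SAMPLE = """\
ltm virtual bar-bridge {
    destination 172.28.20.111:443
    pool foo-tls
    profiles {
        clientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
}
ltm pool foo-tls {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
        }
    }
}
"""


def parse_tmsh(text):
    """Parse tmsh brace output into nested dicts; leaf lines become key -> value string."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blanks and any shell prompt lines
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{ }") or line.endswith("{}"):   # empty block, e.g. "tcp { }"
            stack[-1][line.rstrip("{} ").strip()] = {}
            continue
        if line.endswith("{"):                 # open a nested block
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
            continue
        key, _, value = line.partition(" ")     # plain "key value" leaf
        stack[-1][key] = value
    return root


def tls_sides(virtual):
    """Return (clientside_tls, serverside_tls) for a parsed virtual server (heuristic)."""
    client = server = False
    for name, attrs in virtual.get("profiles", {}).items():
        if "ssl" not in name.lower():
            continue
        ctx = attrs.get("context", "") if isinstance(attrs, dict) else ""
        # No explicit context: infer the side from the profile name (assumption).
        if ctx == "serverside" or (not ctx and "server" in name.lower()):
            server = True
        else:
            client = True
    return client, server


def classify(config, vs_name):
    """Report TLS mode, pool member ports (IPv4 members only) and review warnings."""
    virtual = config[f"ltm virtual {vs_name}"]
    client, server = tls_sides(virtual)
    pool_name = virtual.get("pool")
    pool = config.get(f"ltm pool {pool_name}", {})
    member_ports = sorted({int(m.rsplit(":", 1)[1]) for m in pool.get("members", {})})
    mode = "bridging" if (client and server) else "offload" if client else "passthrough"
    warnings = []
    if mode == "offload" and 443 in member_ports:
        warnings.append("clientssl only, but pool members listen on 443: cleartext would be sent to a TLS port")
    if mode == "passthrough" and virtual.get("destination", "").endswith(":443"):
        warnings.append("TLS on :443 is not terminated here, so this device cannot expose cleartext")
    return {"mode": mode, "cleartext_to_pool": mode == "offload",
            "pool": pool_name, "member_ports": member_ports, "warnings": warnings}


if __name__ == "__main__":
    for sample, name in ((OFFLOAD_SAMPLE, "bar"), (BRIDGING_SAMPLE, "bar-bridge")):
        print(name, classify(parse_tmsh(sample), name))
```

The point of the `cleartext_to_pool` flag is the one that matters for the inspection question in this thread: only in offload mode does the LTM emit the decrypted HTTP that a downstream inspection device can read, and in bridging mode the server-side hop is encrypted again.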
    • BeirutJack83_13
      OK, let's assume that on inbound traffic I want to use a Gigamon device to send a copy of the SSL traffic to an LTM for SSL offload, then send the decrypted cleartext to another inspection device to inspect the cleartext HTTP as port 80 per the config above. Can I then reverse that process and inspect the outbound server traffic by using Gigamon to send a copy of the encrypted server return traffic to the LTM to be decrypted and forwarded to the inspection device to inspect the server return traffic?
  • OK, let's assume that on inbound traffic I want to use a Gigamon device to send a copy of the SSL traffic to an LTM for SSL offload, then send the decrypted cleartext to another inspection device to inspect the cleartext HTTP as port 80 per the config above. Can I then reverse that process and inspect the outbound server traffic by using Gigamon to send a copy of the encrypted server return traffic to the LTM to be decrypted and forwarded to the inspection device to inspect the server return traffic?

    Can you do something like this instead?

    Divert Unencrypted Traffic through an IPS with Local Traffic Manager by Jason Rahm

    https://devcentral.f5.com/articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic-manager