Applies To:

Show Versions Show Versions

Manual Chapter: Implementing Proxy SSL on a Single BIG-IP System
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Direct client-server authentication with application optimization

When setting up the BIG-IP system to process application data, you might want the destination server to authenticate the client system directly, for security reasons, instead of relying on the BIG-IP system to perform this function. Retaining direct client-server authentication provides full transparency between the client and server systems, and grants the server final authority to allow or deny client access.

The feature that enables this direct client-server authentication is known as Proxy SSL. You enable this feature when you configure the Client SSL and Server SSL profiles.
Note: To use this feature, you must configure both a Client SSL and a Server SSL profile.

Without the Proxy SSL feature enabled, the BIG-IP system establishes separate client-side and server-side SSL connections and then manages the initial authentication of both the client and server systems.

With the Proxy SSL feature, the BIG-IP system enables direct client-server authentication by establishing a secure SSL tunnel between the client and server systems and then forwarding the SSL handshake messages from the client to the server and vice versa. After the client and server successfully authenticate each other, the BIG-IP system uses the tunnel to decrypt the application data and intelligently manipulate (optimize) the data as needed.

Task summary

To implement direct client-to-server SSL authentication, as well as application data manipulation, you perform a few basic configuration tasks. Note that you must create both a Client SSL and a Server SSL profile, and enable the Proxy SSL feature in both profiles.

Before you begin, verify that the client system, server system, and BIG-IP system contain the appropriate SSL certificates for mutual authentication.
Important: The BIG-IP certificate and key referenced in a Server SSL profile must match those of the server system.

Task list

Creating a custom Client SSL profile

You perform this task to create a Client SSL profile that enables direct client-server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. Select clientssl in the Parent Profile list.
  5. From the Certificate list, select the relevant certificate name.
  6. From the Key list, select the relevant key name.
  7. For the Proxy SSL setting, select the check box.
  8. From the Configuration list, select Advanced. This selection allows you to modify additional default settings.
  9. Modify all other settings, as required.
  10. Click Finished.
The custom Client SSL profile now appears in the Client SSL profile list screen.

Creating a custom Server SSL profile

You perform this task to create a Server SSL profile that enables direct client-server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to server-side SSL traffic only.
Important: The certificate and key that you specify in this profile must match the certificate/key pair that you expect the back-end server to offer. If the back-end server has two or more certificates to offer, you must create a separate Server SSL profile for each certificate and then assign all of the Server SSL profiles to a single virtual server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server. The SSL Server profile list screen opens.
  2. Click Create. The New Server SSL Profile screen opens.
  3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. Select serverssl in the Parent Profile list.
  5. From the Certificate list, select a relevant certificate name.
  6. From the Key list, select a relevant key name.
  7. For the Proxy SSL setting, select the check box.
  8. From the Configuration list, select Advanced. This selection allows you to modify additional default settings.
  9. Modify all other settings, as required.
  10. Choose one of the following actions:
    • If you need to create another Server SSL profile, click Repeat.
    • If you do not need to create another Server SSL profile, click Finished.
All relevant Server SSL profiles now appear on the SSL Server profile list screen.

Creating a load balancing pool

You can a create load balancing pool (a logical set of devices, such as web servers, that you group together to receive and process traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
    Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
  6. For the Priority Group Activation setting, select the way to handle priority groups:
    • Retain the default option, Disabled to disable priority groups.
    • Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The load balancing pool appears in the Pools list.

Creating a virtual server for client-side and server-side SSL traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  5. Type a port number in the Service Port field, or select a service name from the Service Port list.
  6. For the SSL Profile (Client) setting, in the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  7. For the SSL Profile (Server) setting, in the Available list, select the applicable Server SSL profile names, and using the Move button, move the names to the Selected list.
  8. Assign other profiles to the virtual server if applicable.
  9. From the Default Pool list, select the name of the pool that you created previously.
  10. Click Finished.
The virtual server now appears in the Virtual Server List screen.

Implementation result

After you complete the tasks in this implementation, the BIG-IP system ensures that the client system and server system can initially authenticate each other directly. After client-server authentication, the BIG-IP system can intelligently decrypt and manipulate the application data according to the configuration settings in the profiles assigned to the virtual server.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)