Manual Chapter : Implementing SSL Forward Proxy on a Single BIG-IP System

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP Analytics

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP Link Controller

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP LTM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP PEM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP DNS

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP ASM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1
Manual Chapter

Implementing SSL Forward Proxy on a Single BIG-IP System

Overview: SSL forward proxy client and server authentication

With the BIG-IP® system's SSL forward proxy functionality, you can encrypt all traffic between a client and the BIG-IP system, by using one certificate, and to encrypt all traffic between the BIG-IP system and the server, by using a different certificate.

A client establishes a three-way handshake and SSL connection with the wildcard IP address of the BIG-IP system virtual server. The BIG-IP system then establishes a three-way handshake and SSL connection with the server, and receives and validates a server certificate (while maintaining the separate connection with the client). The BIG-IP system uses the server certificate to create a second unique server certificate to send to the client. The client receives the second server certificate from the BIG-IP system, but recognizes the certificate as originating directly from the server.

Important: To enable SSL forward proxy functionality, you can either:
  • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
A virtual server configured with Client and Server SSL profiles for SSL forward proxy     functionality

A virtual server configured with Client and Server SSL profiles for SSL forward proxy functionality

  1. Client establishes three-way handshake and SSL connection with wildcard IP address.
  2. BIG-IP system establishes three-way handshake and SSL connection with server.
  3. BIG-IP system validates a server certificate (Certificate A), while maintaining the separate connection with the client.
  4. BIG-IP system creates different server certificate (Certificate B) and sends it to client.

Task summary

To implement SSL forward proxy client-to-server authentication, as well as application data manipulation, you perform a few basic configuration tasks. Note that you must create both a Client SSL and a Server SSL profile, and enable the SSL Forward Proxy feature in both profiles.

Task list

Creating a custom Client SSL forward proxy profile

You perform this task to create a Client SSL forward proxy profile that makes it possible for client and server authentication while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. From the SSL Forward Proxy list, select Advanced.
  6. Select the Custom check box for the SSL Forward Proxy area.
  7. Modify the SSL Forward Proxy settings.
    1. From the SSL Forward Proxy list, select Enabled.
    2. From the CA Certificate list, select a certificate.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the CA Key list, select a key.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    4. In the CA Passphrase field, type a passphrase.
    5. In the Confirm CA Passphrase field, type the passphrase again.
    6. In the Certificate Lifespan field, type a lifespan for the SSL forward proxy certificate in days.
    7. Optional: From the Certificate Extensions list, select Extensions List.
    8. Optional: For the Certificate Extensions List setting, select the extensions that you want in the Available extensions field, and move them to the Enabled Extensions field using the Enable button.
    9. Select the Cache Certificate by Addr-Port check box if you want to cache certificates by IP address and port number.
    10. From the SSL Forward Proxy Bypass list, select Enabled.
      Additional settings display.
    11. From the Bypass Default Action list, select Intercept or Bypass.
      The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.
      Note: If you select Bypass and do not specify any additional settings, you introduce a security risk to your system.
  8. Click Finished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile list screen.

Creating a custom Server SSL forward proxy profile

You perform this task to create a Server SSL forward proxy profile that makes it possible for client and server authentication while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to server-side SSL forward proxy traffic only.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The SSL Server profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list select serverssl.
  5. Select the Custom check box for the Configuration area.
  6. From the SSL Forward Proxy list, select Enabled.
  7. Click Finished.
The custom Server SSL forward proxy profile now appears in the Server SSL profile list screen.

Creating a load balancing pool

You can create a load balancing pool (a logical set of devices such as web servers that you group together to receive and process traffic) to efficiently distribute the load on your server resources.
Note: You must create the pool before you create the corresponding virtual server.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
    Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. (Optional) In the Node Name field, type a name for the node portion of the pool member.
    2. In the Address field, type an IP address.
    3. In the Service Port field, type a port number, or select a service name from the list.
    4. (Optional) In the Priority field, type a priority number.
    5. Click Add.
  8. Click Finished.
The load balancing pool appears in the Pools list.

Creating a virtual server for client-side and server-side SSL traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    Important: To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  7. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    Important: To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  8. Assign other profiles to the virtual server if applicable.
  9. In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
  10. Click Finished.
The virtual server now appears in the Virtual Server List screen.

Implementation result

After you complete the tasks in this implementation, the BIG-IP® system ensures that the client system and server system can authenticate each other independently. After client and server authentication, the BIG-IP system can intelligently decrypt and manipulate the application data according to the configuration settings in the profiles assigned to the virtual server.