Manual Chapter: Manipulating HTTPS Traffic by Using a Third-Party Device

Applies To:

BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP Link Controller

  • 13.0.1, 13.0.0

BIG-IP Analytics

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP PEM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0
Overview: Manipulating HTTPS traffic by using a third-party device

You can configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary. This configuration provides SSL decryption, manipulation, and re-encryption while appearing relatively transparent at layer 2.

When you configure a virtual server to use the Transparent Nexthop control, traffic matching the virtual server is sent to the specified interface and the layer 2 addressing on the ingress packet is preserved. Configuring the Transparent Nexthop to specify the VLAN that is configured with the inspection device eliminates the need to configure a pool, NAT, SNAT, or other load balancing functionality to the inspection device.
Important: Transparent Nexthop functionality requires a license that supports that functionality. If the Transparent Nexthop control does not appear on the New Virtual Server screen, contact your F5® Networks support representative to acquire the necessary license.

The basic process used in this configuration is as follows:

  1. A client sends an HTTPS request to a server by means of the BIG-IP device.
  2. The BIG-IP device intercepts the request, decrypts it, and forwards the request as cleartext to the inspection device.
  3. The inspection device receives and, as necessary, modifies the cleartext request.
  4. The inspection device forwards the cleartext request to the server by means of the BIG-IP device.
  5. The BIG-IP device re-encrypts the cleartext request and sends the ciphertext request to the server.
  6. The server sends a response to the client by means of the BIG-IP device.
  7. The BIG-IP device receives the response, decrypts it, and forwards the response as cleartext to the inspection device.
  8. The inspection device receives and, as necessary, modifies the cleartext response.
  9. The inspection device forwards the cleartext response to the client by means of the BIG-IP device.
  10. The BIG-IP device re-encrypts the cleartext response and sends the ciphertext response to the client.

The following illustration shows an example of a BIG-IP device that manages HTTPS traffic modified by a third-party device.

An example configuration of a BIG-IP device managing HTTPS traffic modified by a third-party device.

Task Summary

Complete these tasks to configure a BIG-IP® device to manage HTTPS traffic by using a third-party device that can intercept and modify the traffic, as necessary.

Creating a VLAN

When you create a VLAN, each of the specified interfaces can process traffic destined for that VLAN. You can create a VLAN for use with an inspection device, as necessary.
  1. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag from 1 to 4094 for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged.
    3. Click Add.
  6. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  7. In the MTU field, retain the default number of bytes (1500).
  8. From the Configuration list, select Advanced.
  9. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  10. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM® setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  11. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  12. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.

Creating a custom Client SSL profile

Perform this task to create a Client SSL profile that allows direct client-server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. For the Proxy SSL setting, select the check box.
  6. From the Configuration list, select Advanced.
  7. Modify all other settings, as required.
  8. Click Finished.
The custom Client SSL profile appears in the Client SSL profile list screen.

Creating a custom Server SSL profile

Perform this task to create a Server SSL profile that allows direct client-server authentication while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to server-side SSL traffic only.
Important: The certificate and key that you specify in this profile must match the certificate/key pair that you expect the back-end server to offer. If the back-end server has two or more certificates to offer, you must create a separate Server SSL profile for each certificate and then assign all of the Server SSL profiles to a single virtual server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select serverssl in the Parent Profile list.
  5. From the Certificate list, select a relevant certificate name.
  6. From the Key list, select a relevant key name.
  7. For the Proxy SSL setting, select the check box.
  8. From the Configuration list, select Advanced.
  9. Modify all other settings, as required.
  10. Choose one of the following actions:
    • If you need to create another Server SSL profile, click Repeat.
    • If you do not need to create another Server SSL profile, click Finished.
All relevant Server SSL profiles now appear on the SSL Server profile list screen.

Creating a VLAN group

Create a VLAN group that includes the internal and external VLANs using transparent mode. Packets received by a VLAN in the VLAN group are copied onto the other VLAN. This allows traffic to pass through the BIG-IP® system on the same IP network.
  1. On the Main tab, click Network > VLANs > VLAN Groups.
    The VLAN Groups list screen opens.
  2. Click Create.
    The New VLAN Group screen opens.
  3. In the Name field, type the name myvlangroup.
  4. For the VLANs setting, from the Available list, select internal and external, and then move them to the Members list.
  5. From the Transparency Mode list, select Transparent.
  6. Click Finished.

Creating a virtual server to manage client-side HTTPS traffic

You can specify a virtual server that manages client-side HTTPS traffic sent to a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
  2. Click Create.
  3. In the Name field, type a name for the virtual server.
  4. From the Type list, select Standard.
  5. In the Destination Address/Mask field, type a destination IP address in CIDR format.
  6. For the Service Port setting, type 443 in the field, or select HTTPS from the list.
  7. From the Protocol Profile (Client) list, select splitsession-default-tcp.
  8. From the Configuration list, select Advanced.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you created previously, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enabled on.
  12. For the VLANs and Tunnels setting, move the clientside VLAN to the Selected list.
  13. From the Transparent Nexthop list, select the VLAN that you created for the inspection device.
  14. Click Finished.
The client-side HTTPS virtual server appears in the Virtual Server List screen.

Creating a virtual server to manage server-side traffic

You can specify a virtual server that manages server-side traffic sent from a third-party device to manipulate traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
  2. Click Create.
  3. In the Name field, type a name for the virtual server.
  4. From the Type list, select Standard.
  5. In the Destination Address/Mask field, type a destination IP address in CIDR format.
  6. For the Service Port setting, type 80 in the field, or select HTTP from the list.
  7. From the Configuration list, select Advanced.
  8. From the Protocol Profile (Server) list, select splitsession-default-tcp.
  9. From the HTTP Profile list, select http.
  10. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you created previously, and using the Move button, move the name to the Selected list.
  11. From the VLAN and Tunnel Traffic list, select Enabled on.
  12. For the VLANs and Tunnels setting, move the VLAN that you created for the inspection device to the Selected list.
  13. From the Transparent Nexthop list, select the serverside VLAN.
  14. Click Finished.
The server-side HTTPS virtual server appears in the Virtual Server List screen.
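
As an added illustration (not F5 code or output), the following Python check audits a description of the two virtual servers against the settings in the tasks above, flagging cases where the cleartext path through the inspection device would be misrouted or left without re-encryption. The dictionary layout, key names, profile names, and the VLAN name inspection are assumptions made for this example.

```python
# Added example; dict layout and key names are hypothetical, values constructed.

def audit_inspection_path(client_vs, server_vs, profiles, inspection_vlan):
    """Return findings; an empty list means the pair matches the chapter."""
    findings = []

    def has_proxy_ssl(vs, kind):
        # At least one attached SSL profile of this kind with Proxy SSL checked.
        return any(profiles.get(n, {}).get("kind") == kind
                   and profiles[n].get("proxy_ssl") for n in vs["ssl_profiles"])

    # Client side: decrypts HTTPS and hands cleartext to the inspection VLAN.
    if client_vs["port"] != 443:
        findings.append("client-side: service port is not 443")
    if not has_proxy_ssl(client_vs, "client"):
        findings.append("client-side: no Client SSL profile with Proxy SSL")
    if client_vs["transparent_nexthop"] != inspection_vlan:
        findings.append("client-side: Transparent Nexthop is not the inspection VLAN")
    if inspection_vlan in client_vs["enabled_vlans"]:
        findings.append("client-side: also listens on the inspection VLAN")

    # Server side: takes cleartext back from the inspection VLAN, re-encrypts.
    if server_vs["port"] != 80:
        findings.append("server-side: service port is not 80")
    if server_vs["enabled_vlans"] != [inspection_vlan]:
        findings.append("server-side: not limited to the inspection VLAN")
    if not has_proxy_ssl(server_vs, "server"):
        findings.append("server-side: no Server SSL profile with Proxy SSL")
    if server_vs["transparent_nexthop"] == inspection_vlan:
        findings.append("server-side: Transparent Nexthop loops to the inspection VLAN")

    for side, vs in (("client-side", client_vs), ("server-side", server_vs)):
        if vs["tcp_profile"] != "splitsession-default-tcp":
            findings.append(f"{side}: TCP profile is not splitsession-default-tcp")
    return findings

PROFILES = {
    "my_clientssl": {"kind": "client", "proxy_ssl": True},
    "my_serverssl": {"kind": "server", "proxy_ssl": True},
}
CLIENT_VS = {"port": 443, "tcp_profile": "splitsession-default-tcp",
             "ssl_profiles": ["my_clientssl"], "enabled_vlans": ["clientside"],
             "transparent_nexthop": "inspection"}
SERVER_VS = {"port": 80, "tcp_profile": "splitsession-default-tcp",
             "ssl_profiles": ["my_serverssl"], "enabled_vlans": ["inspection"],
             "transparent_nexthop": "serverside"}

if __name__ == "__main__":
    print(audit_inspection_path(CLIENT_VS, SERVER_VS, PROFILES, "inspection"))
```

An empty list means the pair matches the chapter's settings; any finding on the server side deserves particular attention, because that virtual server is where decrypted traffic is handed back for re-encryption.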