
F5 BIG-IP: Local Traffic Manager (LTM) Training

SSL Processing

www.routehub.net

Michel Thomatis, CCIE #6778
Chief Network Architect and Lead Trainer

SSL Termination
• Client builds an SSL tunnel (HTTPS) to the BIG-IP
• BIG-IP can use HTTP with the servers without any encryption

• Advantages:
  • Offloads SSL processing from the web servers
  • Encryption and decryption are done in BIG-IP hardware
  • Requires only one certificate to be installed on the BIG-IP

Use Case for SSL Termination
• Requirements:
  • Client to stay connected to the same server in the pool
  • Setting up persistence using an HTTP cookie

• Problems:
  • The HTTP cookie resides in the application data, which is encrypted in an HTTPS/SSL session

• Solution:
  • Implement SSL termination and then enable persistence using an HTTP cookie

Steps for Implementation
• Certificate:
  • Self-Signed (development use)
  • Public Certificate from Trusted Certificate Authority (production use)

• Keys:
  • Private Key: responsible for decrypting data
  • Public Key: responsible for encrypting data

• Other Steps:
  • SSL Client Profile
  • Profile associated to Virtual Server
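
The steps above as BIG-IP commands, added here as an example and not taken from the training material. Every object name, IP address and file path is a placeholder, and the commands are assumed to be run with tmsh from the BIG-IP bash prompt.

```tmsh
# Added example; object names, addresses and file paths are placeholders.

# 1. Certificate and key: import a pair already copied to the BIG-IP
#    (self-signed for development, CA-issued for production).
tmsh install sys crypto cert site_example.crt from-local-file /var/tmp/site_example.crt
tmsh install sys crypto key site_example.key from-local-file /var/tmp/site_example.key

# 2. SSL Client Profile: the client-side profile that presents the
#    certificate and decrypts HTTPS arriving from clients.
tmsh create ltm profile client-ssl clientssl_site_example \
    defaults-from clientssl \
    cert-key-chain add { site_example { cert site_example.crt key site_example.key } }

# 3. Pool of web servers, reached over plain HTTP after termination.
tmsh create ltm pool pool_web \
    members add { 10.1.1.10:80 10.1.1.11:80 } \
    monitor http

# 4. Virtual server: associate the client SSL profile on the client side.
#    The http profile lets the BIG-IP parse the decrypted request, which
#    cookie persistence needs; "cookie" is the built-in persistence profile.
tmsh create ltm virtual vs_site_example_https \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    pool pool_web \
    profiles add { tcp http clientssl_site_example { context clientside } } \
    persist replace-all-with { cookie }

# 5. Review the result and save the configuration.
tmsh list ltm virtual vs_site_example_https
tmsh save sys config
```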

Hardware Considerations for SSL TPS
• Check the hardware's maximum transactions per second (TPS) for SSL processing

Server-Side Security
• Provides encryption between the BIG-IP and the servers in a server pool (pool members)
• Increases workload on the BIG-IP
