This is an important topic that you really should understand prior to deploying applications.  Also knowing what templates comes in handy when choosing persistence and knowing who owns certs and keys etc…

So without further delay….

ssl_offload_app

Client side connection is encrypted.  Server side connection is unencrypted

In this method the client traffic to BIG-IP is sent as encrypted. Instead of the server decrypting and re-encrypting the traffic BIG-IP would handle that part. So the client traffic is decrypted by the BIG-IP and the decrypted traffic is sent to the server. The return communication from the server to client is encrypted by the BIG-IP and sent back to the client. Thus sparing the server additional load of encryption and decryption. All the server resources can now be fully utilized to serve the application content or any other purpose they are built to do.

NOTE: The communication between the server BIG-IP and server is in clear txt.  Servers are setup to listen on unsecure ports ex Port 80.  Since the BIG-IP decrypts the HTTP traffic it has now the ability to read the content (header, txt, cookies etc.) and all the persistence options can be applied. (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP)

ssl_bridge_app

Client side connection is encrypted.  Server side connection is encrypted.

In this method the BIG-IP will re-encrypt the traffic before sending it to the servers.

Client sends encrypted traffic to BIG-IP , BIG-IP then decrypts it and before send it to the servers or pool members re-encrypts it again.

This method is generally used to satisfy the requirement of traffic to be encrypted between the LTM and Servers as well. This requirement might be put in place for additional security or prevent intrusion from within the network. When this method is used the servers will also have to decrypt and encrypt the traffic.

NOTE: The communication between the server LTM and server is secure. Servers are setup to listen on secure ports ex Port 443. Since the LTM initially decrypts the HTTP traffic it still has the ability to read the content (header, txt, cookies etc.) and all the persistence options can be applied same as SSL Offloading. (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP)

ssl_passthrough_app

As the name suggests the BIG-IP will just pass the traffic from client to servers absolving itself from any SSL related workload. Instead of forwarding SSL handshakes and connections to the servers directly it will just pass the client traffic to the servers. Usually this setup is used if the applications being served are anti SSL proxy or cannot consume decrypted traffic.  

NOTE: Since it’s just pass through LTM cannot read the headers which introduces limitations on persistence. Only non SSL information in the packet can be used to maintain persistence like source ip address, destination ip address.

http_app

Client side connection is unencrypted. Server side connection is unencrypted

This site uses Akismet to reduce spam. Learn how your comment data is processed.