SSL Traffic and SSL Profiles

BIG-IP® Local Traffic ManagerTM offers several features that you can use to intelligently control your SSL traffic. Some of the SSL traffic-management features are:

  • The ability to authenticate clients and servers to maintain secure connections between a client system and the BIG-IP system, and between the BIG-IP system and a target web server
  • The ability to offload SSL certificate-verification tasks from client and server systems

The primary way that you can control SSL network traffic is by configuring a Client or Server SSL profile:

  • A Client profile is a type of traffic profile that enables Local Traffic Manager to accept and terminate any client requests that are sent by way of a fully SSL-encapsulated protocol. Local Traffic Manager supports SSL for both TCP and UDP protocols.
  • A Server profile is a type of profile that enables Local Traffic Manager to initiate secure connections to a target web server.

Managing SSL traffic requires you to complete these tasks:

  • Install a key/certificate pair on the BIG-IP system for terminating client-side secure connections.
  • Configure a profile, and then associate that profile with a virtual server. You configure a profile using the Configuration utility. Associate the profile with a virtual server.

Client-side and server-side traffic

With Local Traffic Manager, you can enable SSL traffic management for either client-side traffic or server-side traffic. Client-side traffic refers to connections between a client system and the BIG-IP system. Server-side traffic refers to connections between the BIG-IP system and a target server system:

  • Managing client-side SSL traffic – When you enable the BIG-IP system to manage client-side SSL traffic, Local Traffic Manager terminates incoming SSL connections by decrypting the client request. Local Traffic Manager then sends the request, in clear text, to a target server. Next, Local Traffic Manager retrieves a clear-text response (such as a web page) and encrypts the request, before sending the web page back to the client. During the process of terminating an SSL connection, Local Traffic Manager can, as an option, perform all of the SSL certificate verification functions normally handled by the target web server.
  • Managing server-side SSL traffic – When you enable Local Traffic Manager to manage server-side SSL traffic, Local Traffic Manager enhances the security of your network by re-encrypting a decrypted request before sending it on to a target server. In addition to this re-encryption, Local Traffic Manager can, as an option, perform the same verification functions for server certificates that Local Traffic Manager can for client certificates.

Certificate revocation

Local Traffic Manager can check to see if a certificate being presented by a client or server has been revoked. A revoked client certificate indicates to the BIG-IP system that the system should fail to authenticate the client. The BIG-IP system supports two industry-standard methods for checking the revocation status of a certificate. These two methods are:

  • Certificate revocation lists (CRLs) – CRLs are a method that the BIG-IP system can use to check on whether a certificate being presented to the BIG-IP system has been revoked. This CRL support is in the form of a CRL file and a CRL path. The BIG-IP system enables you to configure one CRL file and path for the client-side profile, and one CRL file and path for the server-side profile. You configure the use of CRLs through an SSL profile. For more information, see Client and server authentication.
  • Online Certificate Status Protocol (OCSP) – Unlike the use of CRLs, OCSP ensures that the revocation status of a certificate is always up-to-date. You configure OCSP through an Authentication profile