mailing list archives
RE: Understanding Firewall and SSL Accelerator
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 20 Feb 2006 17:25:14 -0500
Subject: [fw-wiz] Understanding Firewall and SSL Accelerator
I am new to this list and I am trying to understand a typical scenario In
this scenario, F5
BigIP is used along with the hardware firewall to offload SSL traffic
from webservers. Now,
my confusion is,
1. Who identifies if the incoming traffic is HTTP or HTTPS ? Hardware
firewall or the BigIP ?
In most scenarios, you would identify the traffic by destination port
(HTTP=80, HTTPS=443). I would recommend handing this with the firewall
using port redirection.
One possible reason not to do it my way is that you're also using the BigIP
to provide load balancing for HTTP across multiple web servers. Then you
could just have the firewall perform static NAT for the BigIP and let it see
both HTTP and HTTPS traffic before sending it on to the web servers.
2. Firewall forwards the HTTPS request to BigIP ? How does it know
which IP it needs to forward as the same IP will be used for both HTTP
and HTTPS .. ?
If you use port redirection, the firewall policy will specify that a packet
with a destination address:port of 220.127.116.11:80 will go to 18.104.22.168:80 and a
destination of 22.214.171.124:443 will go to 126.96.36.199:443, for example.
3. How does BigIP forwards the request to firewall ?
I don't quite understand this question. The BigIP shouldn't initiate web
sessions to or through the firewall. The order of connections should be:
client -SSL-> firewall -SSL-> BigIP -HTTP-> [optional 2nd firewall] -HTTP->
4. How does webserver sends back the response tp BigIP for encryption ?
It doesn't. What happens is that the client establishes an SSL connection
with the BigIP. The BigIP then proxies the web requests back to the web
server as a normal HTTP request. The web server only "sees" the HTTP
connection from the BigIP. It has no information about an HTTPS request
from the client.
5. How does BigIP knows which client to return back the request ?
Because this all happens in the context of an established TCP connection.
Even if the firewall somehow obscured the client address from the BigIP,
this would still work.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com