BigIP F5 LTM – SSL Processing

Introduction

The BigIP F5 provides 2 ways in which SSL is processed. These are:

Client SSL – F5 decrypts the encrypted traffic inbound from the client.
Server SSL – Traffic is re-encrypted by the F5 then routed onto the backend servers.

There are a number of advantages to SSL termination on the F5, which are:

  1. Allows iRules processing and cookie persistence.
  2. SSL Traffic offload from web servers
  3. SSL key exchange and bulk encryption are performed by a single piece of BigIP F5 hardware rather than needing to install additional hardware in each webserver.
  4. Centralized certificate management

Configuration

Client SSL

Configuring Client SSL comprises 3 steps.

  1. Import or generate the SSL certificate and Key
  2. Configure the Client SSL profile
  3. Configure the Virtual Server

1a. Certificate (Import)

  1. Go to ‘Local Traffic | SSL Certificates | Import’.
  2. Select Certificate as the Import Type.
  3. Configure the Certificate Name.
  4. Upload the certificate within the certificate source section.
  5. Click Import.

Note : Certificates should be in either Base-64 encoded or PEM format.
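
The format note above can be checked before upload. The following is an added example, not part of the original article or F5 tooling: a standard-library Python lint for a file about to be imported with Import Type Certificate. It assumes such a file should contain only CERTIFICATE blocks; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM armor: -----BEGIN <label>----- / Base-64 body / -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_cert_upload(data: bytes) -> list:
    """Return findings for a file intended for Import Type 'Certificate'."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        kind = "binary DER" if der_sequence_ok(data) else "unrecognised binary"
        return [f"not PEM/Base-64 text ({kind}); convert before import"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM BEGIN/END block found"]
    findings = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:          # key bundled into the certificate file
            findings.append(f"private key material in certificate file: {label}")
        elif label != "CERTIFICATE":
            findings.append(f"unexpected PEM block: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                findings.append("CERTIFICATE block is not valid Base-64")
                continue
            if not der_sequence_ok(der):
                findings.append("CERTIFICATE block is truncated or not DER")
    return findings

# Constructed sample: DER-shaped placeholder bytes, not a real certificate
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
def sample_pem(label: str, der: bytes) -> bytes:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()
```

An empty list means the file is well-formed PEM containing only certificates; it does not validate the certificate's contents, chain or expiry.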

1b. Certificate (Generate)

  1. Go to ‘Local Traffic | SSL Certificates | Create’.
  2. Within the General Properties section enter the name and then complete the Certificate Property fields.
  3. Click Finished.

Note : Certificates and keys are synchronized on redundant systems.
Note : The locations for the certificate/keys are:

                  Certificates: /config/ssl/ssl.cert
                  Keys:          /config/ssl/ssl.key

2. Configure Profile

Next you will need to configure the Client SSL profile.

  1. Go to ‘Local Traffic | Profiles | SSL | Client | Create’.
  2. Within the General Properties enter the Name and select the Parent Profile as clientssl.
  3. Within the Configuration section select the Certificate and Key.
  4. Click Finished.

3. Configure the Virtual Server

  1. Within the necessary Virtual Server under SSL Profile (Client) select the previously created profile.

Server SSL

If Server SSL is required then select the serverssl profile from the SSL Profile (Server) dropdown menu from within the Virtual Server.

Rick Donato
