In this article you can find an example configuration of F5 BIG-IP for SSL offloading with the IGEL Universal Management Suite (UMS).

General compatibility has been tested with the configuration described in this article; other ways of configuring it are possible.
As the reverse proxy is third-party software, we cannot provide full support for every version.

Requirements

Requirements for UMS and certificate configuration for reverse proxy are summarized in Configure the UMS to Integrate Reverse Proxy with SSL Offloading.

Process Overview

The configuration tasks for F5 BIG-IP are:

  • UMS / ICG configuration and certificate export as described in Configure the UMS to Integrate Reverse Proxy with SSL Offloading
  • UMS certificate management (Web UMS and EST CA)
  • UMS backend node and pool configuration
  • iRule configuration for client certificate forwarding
  • SSL client profile configuration
  • SSL server profile configuration
  • Virtual server configuration

Certificate Management

The certificates created in Configure the UMS to Integrate Reverse Proxy with SSL Offloading must be imported into F5 BIG-IP, which provides a central certificate management.

To configure the UMS Web certificates and keys:

  1. Add the UMS Web Private Key.

  2. Add the UMS Web Certificate.

  3. Add the UMS Web Certificate Chain.

  4. Add the UMS EST CA Certificate.

  5. Verify that you have all the imported certificates.

Backend Node and Pool Configuration

The UMS Server must be configured as the backend server.

  1. Add a Monitor that checks whether the UMS info URL is online.
    The following properties must be set:

    Type: HTTPS
    Send String: GET /info\r\n
    Receive String: IGEL Universal Management Suite

  2. Create a new Node and set the Address of the UMS Server.

  3. Add a Pool. At minimum, the monitor and the node must be configured in the pool. No specific Load Balancing Method is recommended.

iRule Configuration to Forward the Client Certificate in an HTTP Header

iRules is the scripting facility of F5 BIG-IP.

The client certificate can be read in the HTTP_REQUEST event; the expression [X509::whole [SSL::cert 0]] returns it in PEM format.

The UMS expects the certificate URL-encoded. A PEM block contains line breaks, which an HTTP header value cannot carry, so it is encoded with [URI::encode $ssl_cert] before it is inserted into the header.

Forwarding header example:

when HTTP_REQUEST {
    set DEBUG 1

    # Never trust an X-SSL-CERT header supplied by the client: drop any
    # existing copy so that only the certificate seen by BIG-IP is forwarded.
    HTTP::header remove "X-SSL-CERT"

    if { [SSL::cert count] > 0 } then {
        # PEM representation of the client certificate from the TLS handshake
        set ssl_cert [X509::whole [SSL::cert 0]]

        # PEM contains line breaks, which are not allowed in a header value,
        # so the whole block is URL-encoded as the UMS expects it
        set encodedCert [URI::encode $ssl_cert]
        HTTP::header insert "X-SSL-CERT" "$encodedCert"

        if { $DEBUG } {
            log local0. "Client Certificate: $ssl_cert"
            log local0. "Client Certificate Accepted: [X509::subject [SSL::cert 0]]"
            log local0. "Client certificate header inserted"
            log local0. [HTTP::header names]
        }
    } else {
        log local0. "No Client SSL Certificate!"
    }
}
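
How the receiving side should treat this header, as an added example that is neither IGEL nor F5 code: it reproduces the encoding step with Python's urllib (assumed to approximate URI::encode closely enough that unquote reverses it) and decodes the header the way a backend behind this iRule should, accepting exactly one header carrying a well-formed PEM block, with a constructed PEM-shaped sample as input.

```python
import base64
from typing import Optional
from urllib.parse import quote, unquote

HEADER = "X-SSL-CERT"

# Constructed sample: a PEM-shaped placeholder, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed sample DER bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def encode_cert_header(pem: str) -> str:
    """Proxy side. PEM contains line breaks, which a header value must not
    carry, so the whole block is percent-encoded. quote() with no safe
    characters approximates the iRule's [URI::encode $ssl_cert]."""
    return quote(pem, safe="")


def extract_client_cert(headers: list) -> Optional[str]:
    """Backend side. headers is a list of (name, value) pairs as received.
    Returns the decoded PEM, or None when the request carries no usable
    certificate. Exactly one header is required: a proxy that only inserts
    the header without removing a client-supplied copy would deliver two,
    and the backend must not pick either of them."""
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    if len(values) != 1:
        return None
    pem = unquote(values[0])
    lines = pem.strip().splitlines()
    if (len(lines) < 3
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return None
    try:
        # Syntactic check of the PEM body only; chain validation is not done here.
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return None
    return pem


if __name__ == "__main__":
    encoded = encode_cert_header(SAMPLE_PEM)
    print(extract_client_cert([(HEADER, encoded)]) == SAMPLE_PEM)
```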

SSL Client Profile Configuration

The SSL Client Profile is used to set the SSL configuration for all incoming connections to the Virtual Server.

  1. Add a new SSL Client Profile and configure it as shown in the picture below.

  2. Configure the UMS Web certificates and key.

  3. The connection from the device to the UMS uses TLSv1.3, so the cipher settings must be customized to allow it:

    Ciphers: f5-default can be used as the Cipher Group
    Options List: remove the “No TLSv1.3” entry from the Enabled Options list

  4. The necessary customizations for client certificate authentication are:

    Client Certificate: must be set to request
    Trusted Certificate Authorities: set to UMS-ESTCA-Certificate
    Advertised Certificate Authorities: can be set to UMS-ESTCA-Certificate

SSL Server Profile Configuration

The SSL Server Profile is used to set the SSL configuration for all connections to the backend server (UMS).

  1. Create a new SSL Server Profile.

  2. Set the Chain value to the UMS Web Certificate Chain.

  3. Set the TLSv1.3 configuration the same as for the SSL Client Profile above.

Virtual Server Configuration

The Virtual Server defines the listener in F5 BIG-IP.

  1. Set the following values:

    Type: Standard
    Source Address: the source addresses from which requests are accepted; set it to * if this should not be evaluated
    Destination Address: the address under which this Virtual Server is reachable
    Service Port: select the UMS port
    Protocol: TCP
    HTTP Profile: http (required so the HTTP header can be evaluated and inserted)
    SSL Profile (Client): add the Client SSL Profile created earlier
    SSL Profile (Server): add the Server SSL Profile created earlier
    Source Address Translation: set it to Auto Map

  2. Add the Pool and the iRule to the Virtual Server.