This article addresses how to resolve issues seen when the ProxySG is deployed as part of an F5 SSL Orchestration (SSLO) stack. When an F5 appliance, running version 14.1.2, has SSLO enabled and is providing decrypted traffic to one or more ProxySG appliances for policy inspection further configurations will be necessary for proper handling.
These issues have been found to require additional steps taken for pipelining and caching changes on ProxySG to allow this behavior to function as expected.
The ProxySG will only receive packets from the F5 that appear to be HTTP requests from an internal client. As such, any initial request sent upstream by the ProxySG will be HTTP. If the ProxySG is the sole originator, such as the case with pipelining, the F5 is unable to re-encrypt the request. To work around this, pipelining can be disabled, and a few other caching settings changed.
Furthermore, if the ProxySG receives a 3xx redirect, such as the expected 301 Permanent Redirects used to upgrade from HTTP to SSL/TLS, the ProxySG may cache the response. If a 3xx redirect is cached, any future HTTP requests provided to the ProxySG from the F5 on behalf of a client will automatically result in a 301 sent by the ProxySG, potentially triggering a redirect loop. To work around this, caching for 3xx Status codes can be disabled.
From the ProxySG CLI, issue the following commands:
For more information regarding the CLI commands, please refer to the ProxySG Command Line Interface Reference.
The following CPL can be used in a local or central CPL file, or as part of a CPL layer in VPM.