Lab 5: SSL Offload and Security

In this Lab we will configure client-side SSL processing on the BIG-IP


  • Create a self-signed certificate
  • Create a client SSL profile
  • Modify your HTTP virtual server to use HTTPS
  • Add additional security to your HTTPS web server using the HTTP profile

We will create a self-signed certificate and key for a client SSL profile to attach to our virtual server

Creating a Self-signed certificate and key

  1. Go to System >> Certificate Management >> Traffic Certificate Management >> SSL Certificate List and select Create



    The default key size is 2048. You can save SSL resources on the server-side by lowering this key size


    1. Enter:
      1. Name: my-selfsigned-cert
      2. Issuer: Self
      3. Common Name:
      4. Fill out the rest any way you would like

Creating SSL Client Profile

  1. Go to Local Traffic >> Profiles >> SSL >> Client menu and select Create


    1. Under General Properties

      1. Name: my_clientssl_profile
    2. Under Configuration in the Certificate Key Chain section, select the Custom box and hit Add

      1. In the Add SSL Certificate to Key Chain pop-up select:

        1. Certificate:      my-selfsigned-cert
        2. Key:                 my-selfsigned-cert
      2. Select Add


    3. Hit Finished.

Building our New Secure Virtual Server

  1. Go to Local Traffic >> Virtual Servers and hit the Create button or hit the “+” next to Virtual Servers
    1. Name: secure_vs
    2. Destination Address/Mask:
    3. Port: 443 or HTTPS
    4. SSL Profile (Client): my_clientssl_profile (the profile you just created)
    5. Source Address Translation: Auto Map (remember why we need this?)
    6. Default Pool: www_pool
    7. Default all other settings. (Notice you did not require an HTTP profile)
    8. Finish
  2. Test our secure server. Go to you secure_vs at
    1. If you want to watch member traffic, go to the www_pool and reset the statistics
    2. Browse to your secure virtual server
    3. What port did your pool members see traffic on?

Securing Web Applications with the HTTP profile

  1. Let’s begin by creating a custom HTTP profile

    1. Go to Local Traffic >> Profiles >> Services, select HTTP and create a new profile

    2. Under General Properties

      1. Name: secure-my-website
    3. Under Settings:

      1. Set the Fallback Host: (this will take you an internal site)

      2. Fallback on Error Codes: 404 (fallback site if a 404 error is received)

      3. Response Headers Allowed: Content-Type Set-Cookie Location

      4. Insert XForwarded For: Enabled (because we talked about it earlier)


    4. Attach your new HTTP Profile to your secure (HTTPS) virtual server

  2. Browse to your secure virtual server.

    1. Do web pages appear normal?
    2. Now browse to a bad page
      1. For example,
        1. What is the result?
    3. Go to the Request and Response Headers page. You should see a sanitized server response at the bottom of the web page and the original client IP address
    4. You can compare the headers by accessing your HTTP virtual server at
    5. While you are looking at the headers, check for the X-Forwarded-For header received by the server


    Even though the data is encrypted between your browser and the virtual server, the LTM can still modify the data (i.e. resource cloaking) because the data is unencrypted and decompressed within TMOS

Archive your work in a file called: lab5_security