For anyone else using a BigIP LTM, I was hoping to get a survey of the
load-balancing configuration profiles you have found to be optimal when
used with NAM, specifically for your reverse proxy sites that involve

There are 4 primary choices that we've been exploring:

1) Traditional -- Wildcard certificate loaded on the F5 VIP as well as
on NAM. Client SSL is terminated at the F5; the F5 on the backend talks
SSL to NAM. Slightly more complicated SSL initial setup and ongoing
maintenance when certs expire, and a complete picture while debugging
may necessitate packet traces to be taken at the client (for client to
F5 conversation) as well as at NAM Access Gateways (for F5 to MAG
conversation). While Client IP is NAT'd by the time it reaches the MAG,
the F5 is able to inject an X-Forwarded-For header of the client with
each request since it is sitting in the middle of the SSL

2) Fast L4 -- Allows SSL to terminate at NAM. Slightly less complex as
there is no need to load certificates on F5 as well. MAG will experience
loss of client IP address detail (due to NAT by F5) for troubleshooting
as well as within audit events sent to a SIEM by NAM.

3) Proxy SSL -- F5 is given a copy of the private key of certs, but SSL
terminates at NAM (client handshakes with MAG). The private key allows
the F5 to still inject the X-Forwarded-For header. Downside is some
cipher suites are not supported, so whenever one of those is handshaked
between NAM and clients, the F5 will drop the conversation. Like #1, you
also have the added overhead of maintaining each cert in two places.

4) Proxy SSL with Pass-through. Same as #3 only the conversation is not
dropped when an unrecognized cipher suite is handshaked. Downside is
NAM, unless you tighten up its allowed cipher suites to match the F5,
will randomly not be able to know the client IP talking to it for
troubleshooting or auditing event purposes.

Right now, we are most seriously weighing options #1 and #4. Are there
any better configuration choices available that we have not considered?
Which way do you most commonly see NAM implemented?

Thank you,


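Options #2 and #4 both come down to the same auditing problem raised above: with the F5 NATing the client, the Access Gateway only knows the real client address when the F5 was able to inject X-Forwarded-For, and in #4 that silently fails for any session that fell through to pass-through. The following is an added example, not code from the original post or from F5 or NetIQ, showing how to resolve the client address on the NAM side safely and how to measure, from a gateway access log, how many requests lost client-IP detail. The log format, the timestamps, the F5 SNAT address 10.0.0.5 and the client addresses are all constructed assumptions for the example; it also only trusts the header when the TCP peer is the load balancer, since a client that can reach the MAG directly could otherwise forge it.

```python
import re
import ipaddress
from collections import Counter
from typing import NamedTuple

# Assumption (constructed for this example): the SNAT address the F5 uses
# toward the Access Gateways. In practice this is your LB's self/SNAT IPs.
TRUSTED_LB_ADDRS = frozenset({ipaddress.ip_address("10.0.0.5")})


class Resolved(NamedTuple):
    client_ip: str
    source: str  # "xff": taken from the F5-inserted header
                 # "direct": peer reached NAM without the LB in the path
                 # "lost": peer is the LB's NAT address but no usable header


def resolve_client_ip(peer_ip: str, xff_header: str,
                      trusted=TRUSTED_LB_ADDRS) -> Resolved:
    """Decide which address to record as the client for a request seen by NAM."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # Not from the F5: any X-Forwarded-For is client-supplied and untrusted,
        # so the TCP peer itself is the client.
        return Resolved(str(peer), "direct")
    if xff_header and xff_header != "-":
        # The F5 appends the address it saw, so the right-most entry is the one
        # a trusted hop added; earlier entries may come from the client itself.
        entries = [e.strip() for e in xff_header.split(",") if e.strip()]
        if entries:
            try:
                return Resolved(str(ipaddress.ip_address(entries[-1])), "xff")
            except ValueError:
                pass
    # F5 in the path but no header (Fast L4, or Proxy SSL fell through to
    # pass-through): the real client address is not recoverable here.
    return Resolved(str(peer), "lost")


# Constructed log format for the example: <ts> <peer_ip> xff="<header or ->" <request>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<peer>\S+) xff="(?P<xff>[^"]*)" (?P<req>.+)$')

# Constructed sample: line 2 is a session where the F5 passed SSL through
# without injecting the header; line 4 never went through the F5 at all.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 xff="198.51.100.7" GET /portal
2024-05-01T10:00:01Z 10.0.0.5 xff="-" GET /portal
2024-05-01T10:00:02Z 10.0.0.5 xff="203.0.113.9, 198.51.100.7" GET /app
2024-05-01T10:00:03Z 192.0.2.44 xff="198.51.100.7" GET /admin
2024-05-01T10:00:04Z 10.0.0.5 xff="not-an-ip" GET /app
"""


def audit_log(text: str) -> Counter:
    """Count how each request's client address was determined."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't match the constructed format
        counts[resolve_client_ip(m["peer"], m["xff"]).source] += 1
    return counts


def lost_fraction(text: str) -> float:
    """Share of requests for which the client IP was lost behind the LB NAT."""
    counts = audit_log(text)
    total = sum(counts.values())
    return counts["lost"] / total if total else 0.0


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        m = LOG_RE.match(line)
        print(m["req"], "->", resolve_client_ip(m["peer"], m["xff"]))
    print("summary:", dict(audit_log(SAMPLE_LOG)))
    print("lost fraction:", lost_fraction(SAMPLE_LOG))
```

Running the audit over real gateway logs gives a direct number for the "randomly not able to know the client IP" cost of option #4: if the lost fraction is non-zero, some clients are negotiating cipher suites the F5 does not support, and either NAM's allowed suites need tightening to match the F5 or option #1 is the safer choice for audit completeness.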