
F5 Big-IP LTM Configuration: HTTPS / WSS Offloading

Warning
This document contains confidential information that is proprietary to CafX Communications Inc. No part
of its contents may be used, disclosed or conveyed to any party, in any manner whatsoever, without prior
written permission from CafX Communications Inc.

Copyright 4/30/15, CafX Communications Inc. All rights reserved.

April 30, 2015

F5 Configuration HTTPS/WSS Offloading

Table of Contents

Document Control
Introduction
VLANs
SNAT
Self IP
Network Routes
Virtual Servers
  7.1 Health Monitor
  7.2 Virtual Server Pools
    7.2.1 HTTP Pool Properties
    7.2.2 HTTP Pool Members
    7.2.3 Media Pool Properties
    7.2.4 Media Pool Members
  7.3 Virtual Server Properties
    7.3.1 HTTPS Virtual Service
    7.3.2 Media Virtual Service
  7.4 Virtual Server Resources
    7.4.1 HTTP Virtual Server
    7.4.2 Media Virtual Server
iRule - Restricting URI Access & Enabling Websockets
  8.1 Application URIs
    8.1.1 Fusion Web Gateway URIs
    8.1.2 Fusion Palettes Admin URIs
    8.1.3 Fusion Live Assist Server URIs
    8.1.4 Fusion Sample Application URIs
  8.2 Websocket URIs
  8.3 The iRule
Contact information

Document Control

Version   Author                  Issue Date      Description / Change History
10.0      Solutions Engineering   28 May 2014     Updated with reference to Live Assist 1.1.8 and Palettes 2.0.11
11.0      Solutions Engineering   30 April 2014   Updated Live Assist 1.2.9+ and FCSDK 2.1.21+

Introduction

This guide walks through the configuration needed on F5 Big-IP LTM (Local Traffic Manager) to offload
inbound HTTPS and Secure Websockets (WSS) requests.
The environment this configuration relates to is:

- A non-HA Fusion Application Server (FAS) installation
- Fusion Client SDK (FCSDK) installed onto the FAS
  o The FCSDK installation consists of a co-hosted Fusion Web Gateway instance and a Fusion Media Broker
  o The FCSDK web-based sample application has been deployed onto this same FAS instance
- Fusion Palettes installed onto the FAS
- Fusion Live Assist installed onto the FAS

The configuration described will terminate the HTTPS/WSS connection at F5, and will then NAT and load
balance the decrypted connection across a pool of back end application servers.
The configuration also describes the steps required to restrict specific URIs to only allow access to the
required REST services for FCSDK and Fusion Palettes.
Once the secure connection has been decrypted, F5 is able to translate the original source IP address of
a packet to a configured IP address. This feature is known as Secure Network Address Translation
(SNAT). The configuration illustrates how F5 can be configured to perform SNAT automapping i.e.
enabling F5 to automatically choose a translation address which will be an existing Self IP address.
The instructions in this guide are based on a non-HA evaluation version of F5 (v10.2.4 build 577) and
should be used as an example of what configuration is required to achieve HTTPS/WSS offloading. As
such, some configuration may vary depending on the local environment and policies.

VLANs

Assuming F5 has 2 network interfaces (one for the public side and the other for F5's private side), the
following illustration defines 2 VLANs and associates the appropriate interface with each.
Note that in this environment, both network interfaces were untagged.

SNAT

As SNAT automapping is being implemented, there are no SNATs explicitly defined.

Self IP

A Self IP address for F5's private interface, as well as for its public interface, should be defined in the
Network > Self IPs menu.
Each is created by specifying the address and netmask and then selecting the appropriate VLAN. See
below:

Network Routes

A network route must be created by specifying the gateway address, i.e. the particular router that the
BIG-IP system should use when forwarding packets to the destination host or network.

Virtual Servers

A virtual server must be created for each service exposed by F5. In the screenshots below, there is a
service for handling HTTPS traffic and another for RTP traffic.
As both FCSDK and Fusion Palettes are co-hosted on the same server, the configuration defines only
one HTTPS Virtual Server for both.

7.1 Health Monitor

By default, the BIG-IP system uses HTTP 0.9 for HTTP monitor requests. When an HTTP 0.9 request is
sent to an HTTP 1.1 server, the server may not respond as expected, so the default HTTP health monitor
may fail even though the server is running.
To prevent the monitor from incorrectly marking the server as inaccessible, either create a custom health
monitor based on the default HTTP monitor, or modify the default HTTP monitor, changing only its Send
String property so that it sends an HTTP 1.1 request with the HTTP version explicitly specified:

GET / HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n

This health monitor should be used when defining the back end server pool associated with the virtual
server. In this example the monitor is named fcsdk_http.

7.2 Virtual Server Pools

For each of the two services (HTTP and media), a group of member devices should be defined that will
receive and process traffic.

Note that as SSL offloading is taking place, the back end server pool associated with the HTTPS Virtual
Service is defined as being insecure (plain HTTP).

7.2.1 HTTP Pool Properties

A pool of backend servers is required to enable F5 to load balance the appropriate service. Note the use
of the Health Monitor (fcsdk_http) created earlier.

7.2.2 HTTP Pool Members

Although for simplicity this pool has only 1 member, there may be any number of members in a pool.
When defining a member, along with its IP address, the port on which the service resides is also required.

7.2.3 Media Pool Properties

The properties of the media pool are shown below.

7.2.4 Media Pool Members

There is 1 Media Broker in the media pool as shown below.

7.3 Virtual Server Properties

The NAT configuration of both the HTTPS and media Virtual Servers is as follows:

- Auto-SNAT is enabled, meaning that F5 will automatically choose which address to translate the
  source IP into based on the list of Self IPs.
  o Following best practice, the VLAN for which the virtual server is enabled has been changed from
    its default to being explicitly defined via the VLANs and Tunnels property.

7.3.1 HTTPS Virtual Service

The virtual server has been configured with the following:

- The HTTP profile that is defined is the default HTTP profile without any changes.
  o In order for F5 to correctly process Websockets, the HTTP profile needs to be disabled via iRules
    during the processing of the Websockets request, allowing the TCP communication to be proxied
    through the BIG-IP. iRules are discussed in a later section of this document.
- For the purposes of this exercise, F5 has been configured to use a client-side self-signed certificate,
  and as such the SSL Profile (Client) property has been set to clientssl.
  o An alternative would be to import a CA-signed certificate and define that in the SSL Profile
    (Client) property field.
- Note that the port exposed for the HTTPS service is defined here as 8443. This should be configured
  to a value appropriate to the environment.

7.3.2 Media Virtual Service

7.4 Virtual Server Resources

7.4.1 HTTP Virtual Server

The following shows the default load balancing pool associated with the HTTPS virtual server. Note that
this is the insecure (plain HTTP) pool defined earlier.

7.4.2 Media Virtual Server

The following screenshot shows the configured load balancing pool associated with the media virtual
server, which was defined earlier.

iRule - Restricting URI Access & Enabling Websockets

Access to application URIs can be restricted by defining an F5 iRule associated with the virtual server.
Define an iRule (e.g. named FusionHttpsUriRule) that restricts access to specific URIs by only allowing
those in pre-defined Data Group Lists.
For simplicity, the Data Group Lists must contain only the URIs that web clients are allowed to access.
Websocket URIs must be explicitly defined in the iRule itself.
In order to separate the URIs on a per-application basis, the configuration described below defines a Data
Group List for each application, together with a list for the URIs associated with some sample applications:

- Fusion Web Gateway URIs, e.g. FusionGatewayUris
- Fusion Palettes admin URIs, e.g. FusionPalettesAdminUris
- Fusion Live Assist server URIs, e.g. FusionLiveAssistServerUris
- URIs of all the sample applications, e.g. FusionSampleAppUris

When configuring the URI Data Group Lists, they must be entered as String-Value pairs. The sections
below show the URIs within each of the groups defined above.
Note: The URIs may differ from those used in the enterprise's environment, and may therefore need
updating appropriately.
Note: The URIs relating to the Websocket connections MUST NOT be in these lists.
Note: The Javascript URIs are only relevant for browser clients.

8.1 Application URIs

8.1.1 Fusion Web Gateway URIs

String                        Value
/gateway/adapter.js           /gateway/adapter.js
/gateway/csdk-aed.js          /gateway/csdk-aed.js
/gateway/csdk-common.js       /gateway/csdk-common.js
/gateway/csdk-phone.js        /gateway/csdk-phone.js
/gateway/csdk-presence.js     /gateway/csdk-presence.js
/gateway/csdk-sdk.js          /gateway/csdk-sdk.js

8.1.2 Fusion Palettes Admin URIs

String                                   Value
/palettes_admin/rickshaw.min.css         /palettes_admin/rickshaw.min.css
/palettes_admin/style.css                /palettes_admin/style.css
/palettes_admin/images/fusion-logo.png   /palettes_admin/images/fusion-logo.png
/palettes_admin/vendor/d3.min.js         /palettes_admin/vendor/d3.min.js
/palettes_admin/rickshaw.min.js          /palettes_admin/rickshaw.min.js
/palettes_admin/admin.js                 /palettes_admin/admin.js
/palettes_server/adminapi/alerts         /palettes_server/adminapi/alerts

8.1.3 Fusion Live Assist Server URIs

String            Value
/assistserver/    /assistserver/

8.1.4 Fusion Sample Application URIs

String                           Value
/basic_ivrb_sample_client_js/    /basic_ivrb_sample_client_js/
/dummy_callcenter_adapter/       /dummy_callcenter_adapter/
/dummy_callcenter/               /dummy_callcenter/
/csdk-sample/                    /csdk-sample/
/assist-agent-console/           /assist-agent-console/
/assistsample/                   /assistsample/
/assist-resourcemanager/         /assist-resourcemanager/

Note: The Palettes adapter component is accessed directly by the client and is therefore required
to be added to the list of URIs managed by the reverse proxy.

8.2 Websocket URIs

Only FCSDK and Live Assist utilise Websockets (for call control and screen-share functionality
respectively); their URIs are listed below:

Application    Websocket URI
FCSDK          /gateway/websocketcall
Live Assist    /assistserver/share

8.3 The iRule

The code below shows the iRule used to restrict access to URIs using the Data Group Lists defined
above, while also showing how to allow Websockets access.
Note: The URIs relating to the Websocket connections for FCSDK and Live Assist MUST be
explicitly defined in the iRule.


when CLIENT_ACCEPTED {
    HTTP::enable
    log local0. "http profile enabled"
}
when HTTP_REQUEST {
    log local0. "URI --- [HTTP::uri]"
    # Only allow the following URLs
    if { ([HTTP::uri] starts_with "/gateway/websocketcall") } {
        # FCSDK Websocket: disable the HTTP profile so the TCP stream is proxied through
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] starts_with "/assistserver/share") } {
        # Live Assist screen-share Websocket
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] starts_with "/assistserver/topic") } {
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] equals "/csdk-sample")
            || ([HTTP::uri] equals "/palettes_admin")
            || ([HTTP::uri] equals "/basic_ivrb_sample_client_js")
            || ([HTTP::uri] equals "/assistsample")
            || ([HTTP::uri] equals "/assist-agent-console") } {
        # Bare application path: redirect so that it ends with '/'
        HTTP::redirect "[HTTP::uri]/"
    } elseif { ([class match [HTTP::uri] starts_with FusionGatewayUris])
            || ([class match [HTTP::uri] starts_with FusionPalettesAdminUris])
            || ([class match [HTTP::uri] starts_with FusionLiveAssistServerUris])
            || ([class match [HTTP::uri] starts_with FusionSampleAppUris])
            || ([HTTP::uri] equals "/palettes_server/palettes?serviceID=basicivrbsamplerules") } {
        # Data Group List names above must match those created in section 8.1.
        # Leave the HTTP profile enabled and pass the request through to the pool
        log local0. "Passing it through"
    } else {
        # Drop the request
        log local0. "Dropping the request"
        drop
    }
}


This iRule drops any request to a URI outside the defined Data Group Lists.
This iRule should be associated with the virtual server as shown earlier. The SSL offloading process
decrypts requests from clients and applies this iRule, allowing or rejecting access to the back end servers.
NOTE: An open F5 issue, SOL12938, states that calling HTTP::disable from within an iRule may result
in a TMM core. However, this issue only occurs when ALL of the following conditions are met:

1. The Cache Setting feature is enabled within the HTTP profile.
2. OneConnect is enabled within the HTTP profile.
3. An iRule is configured and calls the HTTP::disable function.

Note that the configuration described within this document does NOT meet the conditions required for this
issue to be relevant in this deployment. Although HTTP::disable is invoked in the iRule, the default HTTP
profile used when defining the HTTPS Virtual Server has OneConnect enabled but the RAM Cache
disabled.
F5 has been tested with the OneConnect property both enabled and disabled, without any change in
application behaviour.
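To review the allow-list before loading the iRule, the following Python model of the iRule's decision chain (an added example, not CafX or F5 code) evaluates sample URIs against the Data Group Lists from section 8.1. It assumes the Live Assist data group is named FusionLiveAssistServerUris and that `class match ... starts_with` is true when the URI begins with any list entry.

```python
# Added example, not part of the CafX guide: a Python model of the FusionHttpsUriRule
# decision chain, so the Data Group Lists can be checked against sample URIs offline.
# List contents are copied from sections 8.1.1 to 8.1.4; the Live Assist data group
# name is assumed to be FusionLiveAssistServerUris.

# Websocket URIs hard-coded in the iRule (HTTP::disable, stream proxied as raw TCP)
WEBSOCKET_PREFIXES = ("/gateway/websocketcall", "/assistserver/share", "/assistserver/topic")
# Bare application paths that the iRule redirects to the same path with a trailing '/'
REDIRECT_BARE_PATHS = {"/csdk-sample", "/palettes_admin", "/basic_ivrb_sample_client_js",
                       "/assistsample", "/assist-agent-console"}
# Data Group Lists from section 8.1 (String == Value in every row)
DATA_GROUPS = {
    "FusionGatewayUris": ["/gateway/adapter.js", "/gateway/csdk-aed.js", "/gateway/csdk-common.js",
                          "/gateway/csdk-phone.js", "/gateway/csdk-presence.js", "/gateway/csdk-sdk.js"],
    "FusionPalettesAdminUris": ["/palettes_admin/rickshaw.min.css", "/palettes_admin/style.css",
                                "/palettes_admin/images/fusion-logo.png", "/palettes_admin/vendor/d3.min.js",
                                "/palettes_admin/rickshaw.min.js", "/palettes_admin/admin.js",
                                "/palettes_server/adminapi/alerts"],
    "FusionLiveAssistServerUris": ["/assistserver/"],
    "FusionSampleAppUris": ["/basic_ivrb_sample_client_js/", "/dummy_callcenter_adapter/",
                            "/dummy_callcenter/", "/csdk-sample/", "/assist-agent-console/",
                            "/assistsample/", "/assist-resourcemanager/"],
}
# The one URI the iRule allows with an exact-match (equals) test
EXACT_ALLOW = {"/palettes_server/palettes?serviceID=basicivrbsamplerules"}


def class_match_starts_with(uri, group):
    """Model of `class match $uri starts_with <group>`: true if the URI begins with any entry."""
    return any(uri.startswith(entry) for entry in DATA_GROUPS[group])


def decide(uri):
    """Return the action the iRule takes for a raw HTTP::uri (path plus any query string).

    Branches run in the iRule's if/elseif order: a Websocket URI is never subject to the
    allow-list, and a bare path is redirected before the Data Group Lists are consulted.
    """
    if uri.startswith(WEBSOCKET_PREFIXES):
        return "websocket"              # HTTP::disable
    if uri in REDIRECT_BARE_PATHS:
        return "redirect:" + uri + "/"  # HTTP::redirect "[HTTP::uri]/"
    if uri in EXACT_ALLOW or any(class_match_starts_with(uri, g) for g in DATA_GROUPS):
        return "pass"                   # HTTP profile stays enabled, request reaches the pool
    return "drop"                       # drop
```

Two consequences worth checking against the lists exactly as given in section 8.1: the redirect target /palettes_admin/ matches no list entry, so decide("/palettes_admin/") returns "drop", and because HTTP::uri includes the query string, a bare path such as /csdk-sample?x=1 is neither redirected nor allowed. The prefix entry /assistserver/ admits every sub-path beneath it.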


Contact information

For technical support or other queries, contact CafX Communications Support at:
support@cafex.com
For our worldwide corporate office addresses, please visit:
http://www.cafex.com
