BIG-IP F5 Client SSL Profile to Accept TLS 1.0 and forward as TLS 1.2

The F5 can be configured to accept a TLS 1.0 connection and forward it as TLS 1.2 to the servers behind the VIP. This is useful if you have an application running on an older system like Windows 2003 that needs to connect to a hardened server where TLS 1.0 has been disabled. The client connects to the F5 VIP with TLS 1.0, and the F5 connects to the servers behind the VIP with TLS 1.2. The F5 terminates the client's TLS session and opens a separate one to the server, so the leg between the client and the VIP is still protected only by TLS 1.0.

When configuring a Virtual Server IP (VIP) in the F5 load balancer, there are two options that control the type of certificate a client sees when they connect to the VIP and how the F5 connects to the servers behind the VIP.

SSL Profile (Client): Specifies the type of certificate that is presented to the client. You can also specify what ciphers
SSL Profile (Server): Specifies how the F5 connects to the servers behind the VIP.


BIG IP F5 > Local Traffic > Virtual Servers > mysite.mylab.local, Configuration section

The SSL profile can be configured to allow only TLS 1.0 connections to the VIP.

allow only TLS 1.0

Testing
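
One way to check the result from a test client, as an added example that is not part of the original post: it attempts a handshake pinned to one TLS version at a time and compares what each endpoint accepts with the policy described above. The backend host name, port 443 and the result labels are assumptions made for this sketch.

```python
import socket
import ssl

# Expected policy, taken from the post: the VIP's client SSL profile allows only
# TLS 1.0; the hardened backend has TLS 1.0 disabled and speaks TLS 1.2.
EXPECTED = {
    "vip": {"TLSv1": "accepted", "TLSv1_2": "rejected"},
    "backend": {"TLSv1": "rejected", "TLSv1_2": "accepted"},
}
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1_2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # protocol probe only, not a trust check
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer TLS 1.0
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"  # local OpenSSL cannot offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError, resets and timeouts during the handshake
            return "rejected"

def audit(observed, expected=EXPECTED):
    """Return (endpoint, version, expected, observed) for each mismatch."""
    findings = []
    for endpoint, policy in expected.items():
        for version, want in policy.items():
            got = observed.get(endpoint, {}).get(version, "not-tested")
            if got != want:
                findings.append((endpoint, version, want, got))
    return findings

if __name__ == "__main__":
    # mysite.mylab.local is the VIP from the post; the backend name is hypothetical.
    targets = {"vip": "mysite.mylab.local", "backend": "backend1.mylab.local"}
    seen = {n: {k: probe(h, 443, v) for k, v in VERSIONS.items()} for n, h in targets.items()}
    for finding in audit(seen):
        print("MISMATCH", finding)
```

No output means both endpoints behave as configured. A mismatch on the backend for TLSv1 means the server still accepts TLS 1.0 directly, independent of the F5.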
