Transport phase is the first phase of a client HTTP request.

Load Balancer virtual server SSL configuration is found under SSL Configuration. There are two possible configurations. In both modes, the load balancer sees the traffic, and applies load balancer rules based on the client HTTP traffic.
  • SSL Offload, configuring only the SSL client. In this mode, the client to VIP traffic is encrypted (HTTPS), and the load balancer decrypts it. The VIP to Pool member traffic is clear (HTTP).
  • SSL End-to-End, configuring both the Client SSL and Server SSL. In this mode, the client to VIP traffic is encrypted (HTTPS), and the load balancer decrypts it and then re-encrypts it. The VIP to Pool member traffic is encrypted (HTTPS).

The Transport Phase is complete when the virtual server receives the client SSL hello message virtual server. this occurs before SSL is ended, and before HTTP traffic.

The Transport Phase allows administrators to select the SSL mode, annd specific server pool based on the client SSL hello message. There are three options for the virtual server SSL mode:
  • SSL Offload
  • End-to-End
  • SSL-Passthrough (the load balancer does not end SSL)

Load Balancer rules support REGEX for match types. PCRE style REGEX patterns are supported with a few limitations on advanced use cases. When REGEX is used in match conditions, named capturing groups are supported. See Regular Expressions in Load Balancer Rules.

Prerequisites

Verify that a Layer 7 HTTP virtual server is available. See Add Layer 7 HTTP Virtual Servers.

Procedure

  1. Open the Layer 7 HTTP virtual server.
  2. In the Load Balancer Rules section, next to Transport Phase, click Set > Add Rule to configure the load balancer rules for the Transport Phase.
  3. SSL SNI is the only match condition supported. Match conditions are used to match application traffic passing through load balancers.
  4. From the drop-down list, select a Match Type: starts with, ends with, equals, contains, matches regex.
  5. Enter a SNI Name.
  6. Toggle the Case Sensitive button to set a case-sensitive flag for HTTP header value comparison.
  7. Toggle the Negate button to enable it.
  8. From the drop-down list, select a Match Strategy:
    Match Strategy Description
    Any Either host or path may match for this rule to be considered a match.
    All

    Both host and path must match for this rule to be considered a match.

  9. From the drop-down menu, select the SSL Mode Selection.
    SSL Mode Description
    SSL Passthrough

    SSL Passthrough passes HTTPS traffic to a backend server without decrypting the traffic on the load balancer. The data is kept encrypted as it travels through the load balancer.

    Note: VIP Client SSL Configuration is not used for traffic matching a load balancer transport rule with action SSL Passthrough. Because the same VIP can have other load balancer transport rules with action SSL Offloading or SSL End-to End, Client SSL Configuration is required in the VIP.

    If SSL Passthrough is selected, a server pool can be selected. See Add a Server Pool for Load Balancing in Manager Mode.

    SSL Offloading

    SSL Offloading decrypts all HTTPS traffic on the load balancer, and connects to the selected backend server using HTTP. SSL Offloading allows data to be inspected as it passes between the load balancer and server. If NTLM and multiplexing are not configured, the load balancer establishes a new connection to the selected backend server for each HTTP request.

    SSL End-to End

    SSL End-to End decrypts all HTTPS traffic on the load balancer, and connects to the selected backend server using HTTPS. If NTLM and multiplexing are not configured, the load balancer establishes a new connection to the selected backend server for each HTTP request.

  10. Click SAVE and APPLY.