I would like to check that my understanding of https offloading & network topology is correct.
I am currently testing HTTPS decryption/offloading with the VLM forwarding the unencrypted HTTP traffic onto the application servers.
(aside: our application requires transparency since it was designed before load balancing & part of it tracks client connections by source IP.)
At present I have tested successfully with a 2-armed solution to ensure return traffic flows back through the VLM where it can be re-encrypted.
Can I confirm that HTTPS offloading will effectively *require* a 2-armed approach?
Otherwise it looks to me like the application server will send HTTP traffic directly back to the client (who should reject it).
[aside: I also successfully tested using a single-armed solution where the application server has an explicit route for the client subnet(s) configured as the VLM. In effect this is just mimicking a 2-armed solution really & I don't really see any practical use for it, but it helped some testing while I was still building new network infra]
If HTTPS decryption offloading does *not* require the 2-armed approach, please could I have some guidance as to why/how the traffic still gets back to the VLM for re-encryption?
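The return-path question above comes down to two things: which address the backend puts in the destination field of its reply, and which next hop its routing table picks for that address. The Python model below is an added illustration, not part of the original post or any vendor documentation; the addresses, the route tables and the four scenario functions are constructed for this example. It compares transparent mode (the balancer preserves the client's source IP, so the reply is addressed to the client and only the server's routes decide whether it passes back through the balancer) with non-transparent mode (the balancer substitutes one of its own addresses as the source, so the reply is addressed to the balancer itself and the server's default gateway no longer matters).

```python
import ipaddress

# All addresses are constructed for this illustration (RFC 5737 documentation
# and private ranges); they are not taken from the original post.
CLIENT = "203.0.113.10"          # internet client talking HTTPS to the VIP
ROUTER = "10.0.0.1"              # normal default gateway on the server subnet
VLM_ONE_ARM = "10.0.0.2"         # balancer interface when it sits on the server subnet
VLM_TWO_ARM_INSIDE = "10.0.1.1"  # balancer inside interface on a dedicated server subnet


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.

    'direct' as a gateway means the destination is on-link (same subnet).
    Returns the gateway string of the most specific matching route, or None.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def server_reply_path(routes, transparent, vlm_addrs, snat_src=None):
    """Decide where the backend's plaintext HTTP reply goes.

    transparent=True : the balancer forwarded the client's real source IP, so the
                       server addresses its reply to CLIENT and its routes decide
                       whether that reply passes back through the balancer.
    transparent=False: the balancer rewrote the source to one of its own
                       addresses (snat_src), so the reply is addressed to the
                       balancer regardless of the server's default gateway.
    Returns (reply_destination, next_hop, reaches_balancer).
    """
    dst = CLIENT if transparent else snat_src
    hop = next_hop(routes, dst)
    reaches_balancer = dst in vlm_addrs or hop in vlm_addrs
    return dst, hop, reaches_balancer


# --- Constructed scenarios -------------------------------------------------

def two_armed_transparent():
    """Server subnet behind the balancer; balancer is the default gateway."""
    routes = [("10.0.1.0/24", "direct"), ("0.0.0.0/0", VLM_TWO_ARM_INSIDE)]
    return server_reply_path(routes, True, {VLM_TWO_ARM_INSIDE})


def one_armed_transparent_default_router():
    """Balancer on the server subnet, but the server's default route is the router."""
    routes = [("10.0.0.0/24", "direct"), ("0.0.0.0/0", ROUTER)]
    return server_reply_path(routes, True, {VLM_ONE_ARM})


def one_armed_transparent_client_route():
    """Same as above, plus an explicit route for the client subnet via the balancer."""
    routes = [
        ("10.0.0.0/24", "direct"),
        ("203.0.113.0/24", VLM_ONE_ARM),   # more specific than the default route
        ("0.0.0.0/0", ROUTER),
    ]
    return server_reply_path(routes, True, {VLM_ONE_ARM})


def one_armed_non_transparent():
    """Balancer rewrites the source to its own address (transparency disabled)."""
    routes = [("10.0.0.0/24", "direct"), ("0.0.0.0/0", ROUTER)]
    return server_reply_path(routes, False, {VLM_ONE_ARM}, snat_src=VLM_ONE_ARM)


if __name__ == "__main__":
    for scenario in (two_armed_transparent,
                     one_armed_transparent_default_router,
                     one_armed_transparent_client_route,
                     one_armed_non_transparent):
        dst, hop, ok = scenario()
        verdict = "re-encrypted by balancer" if ok else "PLAINTEXT HTTP LEAKS DIRECT TO CLIENT"
        print(f"{scenario.__name__:38s} reply->{dst:14s} via {hop:10s} {verdict}")
```

The second scenario is the failure case the post describes: the reply is addressed to the client and follows the router, so unencrypted HTTP leaves the server subnet and the client, expecting TLS, rejects it. The third scenario is the explicit-route workaround the post mentions; it works only because the /24 for the client subnet is more specific than the default route, so it has to be maintained for every client prefix. The fourth scenario shows why offloading does not strictly require two arms: with transparency off the reply is addressed to the balancer's own address, which is the trade-off against the application's need to see real client source IPs.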