StuartA
Mar 27, 2014

Certificate requirements for F5 and SharePoint apps

Hi all,

I'm trying to understand setting up an F5 LTM (11.2.1) for SharePoint, including SharePoint apps. I've been looking at the following documents:

F5 - http://www.f5.com/pdf/deployment-guides/sharepoint-2010-iapp-dg.pdf

Microsoft - http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx

I have configured the F5 manually, rather than using the iApp application template. I have no direct access to the SharePoint server, as this is administered by another team. To enable description of the set-up, let's say:

  1. The SharePoint site is sharepoint.domain.com
  2. The SharePoint apps site is sharepointapps.domain.com
  3. The back-end server (we only have one at this stage) is SPserver1.subdomain.domain.com

The back-end server is providing both SharePoint and SharePoint apps. Access to the SharePoint site is working, with SSL offloading on the F5 and currently a certificate for sharepoint.domain.com installed on the F5.

If I understand the F5 document correctly, for SharePoint apps I need to configure SSL bridging, and then an iRule (page 18 of F5 doc) which will disable server side SSL (re-encryption) for all connections except SharePoint apps. The default pool is the pool for SharePoint connections (containing SPserver1.subdomain.domain.com:80) and there should be another pool for SharePoint apps connections (containing SPserver1.subdomain.domain.com:443). The iRule directs connections to the port 443 pool if the requested host contains sharepointapps.domain.com.

My confusion regards what certificate(s) should be installed on the F5 and on the back-end server.

The F5 virtual IP listening on port 443 for both SharePoint and SharePoint apps connections needs a certificate that will include sharepoint.domain.com and *.sharepointapps.domain.com (the latter as per page 2 of the Microsoft doc).

Page 28 of the F5 doc says the certificate on the back-end server “must be the same certificate used in the BigIP LTM configuration, and must have all of the host names of the SharePoint pool member servers added to it in the Subject Alternative Name field”. So finally to my question:

Does the certificate need to be a wildcard cert (for *.sharepointapps.domain.com) with the Subject Alternative Name field containing sharepoint.domain.com and SPserver1.subdomain.domain.com?

Any thoughts on the certificate requirement in particular, or more generally on F5 configuration for SharePoint apps, would be much appreciated.

Regards,

Stuart

2 Replies

  • Generally the certificate used on the backend servers shouldn't matter. You do, however, need a certificate on the F5 for each host name that a user will attempt to access. For multiple hosts your options are wildcard, SAN (subject alt name), and SNI (server name indicator). If you can get away with wildcard cert, that is probably the easiest solution, with SAN coming in a close second.

  • I have the same question. Does the cert used for the SharePoint 2013 app model require a wildcard AND a SAN field for the root URL of the domain? I have SharePoint configured with a wildcard cert only, but when I navigate to an app page the image and stylesheet URLs are broken. SharePoint ULS logs state that there is not a root site for the URL. Is this because the cert is not valid for the root site collection of the web app?
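The question in the original post (which names the certificate on the F5 must cover) and the second reply (a wildcard-only cert and a broken root URL) both come down to how a client matches a hostname against a certificate's Subject Alternative Name entries. The following is an added example, not code from the thread, F5 or Microsoft: it implements the wildcard rule browsers apply (RFC 6125 / RFC 2818: `*` is only valid as the whole left-most label and matches exactly one label) and runs it over the thread's placeholder names against two constructed SAN lists. The host `app-1a2b3c4d5e6f7.sharepointapps.domain.com` is an assumed example of a per-app hostname under the apps domain; `domain.com` is the thread's placeholder, not a real deployment.

```python
"""
Hostname-vs-SAN coverage check for the names in this thread.

Added example; not from the original post or the F5/Microsoft documents.
The SAN lists and the app hostname are constructed for illustration.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry (possibly a wildcard) against a hostname.

    Rules as browsers apply them (RFC 6125 sec. 6.4.3 / RFC 2818):
      - comparison is case-insensitive, trailing dots ignored
      - '*' must be the entire left-most label (no 'a*.example.com')
      - the wildcard matches exactly one label, so *.sharepointapps.domain.com
        covers app-x.sharepointapps.domain.com but NOT sharepointapps.domain.com
        and NOT a.b.sharepointapps.domain.com
      - a wildcard needs at least two labels after it (reject '*.com')
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(san_dns_names, hostname):
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for entry in san_dns_names:
        if name_matches(entry, hostname):
            return entry
    return None


def coverage_report(san_dns_names, hostnames):
    """Map each hostname to the SAN entry covering it (None = not covered)."""
    return {host: cert_covers(san_dns_names, host) for host in hostnames}


# Names from the thread, plus an assumed per-app hostname under the apps domain.
HOSTNAMES = [
    "sharepoint.domain.com",                         # main SharePoint site
    "sharepointapps.domain.com",                     # bare apps domain (root URL)
    "app-1a2b3c4d5e6f7.sharepointapps.domain.com",   # assumed app-prefixed host
    "SPserver1.subdomain.domain.com",                # pool member (back-end)
]

# Constructed SAN lists (assumptions, not real certificates):
# the wildcard-only cert from the second reply, and a cert that also lists
# every specific name explicitly in the SAN field.
WILDCARD_ONLY = ["*.sharepointapps.domain.com"]
WILDCARD_PLUS_SAN = [
    "*.sharepointapps.domain.com",
    "sharepointapps.domain.com",
    "sharepoint.domain.com",
    "SPserver1.subdomain.domain.com",
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + SAN entries", WILDCARD_PLUS_SAN)):
        print(label)
        for host, hit in coverage_report(sans, HOSTNAMES).items():
            status = f"OK  ({hit})" if hit else "NOT COVERED"
            print(f"  {host:48} {status}")
```

Run stand-alone, the report shows the point both posts are circling: `*.sharepointapps.domain.com` alone covers only the app-prefixed hosts, so sharepoint.domain.com, the bare apps domain and the pool member name each need their own SAN entry (or their own certificate selected by SNI). The same function can be pointed at the dNSName list of a real certificate once it has been extracted with your tool of choice.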