Certificate requirements for F5 and SharePoint apps
Hi all,
I'm trying to understand setting up an F5 LTM (11.2.1) for SharePoint, including SharePoint apps. I've been looking at the following documents:
F5 - http://www.f5.com/pdf/deployment-guides/sharepoint-2010-iapp-dg.pdf
Microsoft - http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
I have configured the F5 manually, rather than using the iApp application template. I have no direct access to the SharePoint server, as this is administered by another team. To enable description of the set-up, let's say:
- The SharePoint site is sharepoint.domain.com
- The SharePoint apps site is sharepointapps.domain.com
- The back-end server (we only have one at this stage) is SPserver1.subdomain.domain.com
The back-end server is providing both SharePoint and SharePoint apps. Access to the SharePoint site is working, with SSL offloading on the F5 and currently a certificate for sharepoint.domain.com installed on the F5.
If I understand the F5 document correctly, for SharePoint apps I need to configure SSL bridging, and then an iRule (page 18 of F5 doc) which will disable server side SSL (re-encryption) for all connections except SharePoint apps. The default pool is the pool for SharePoint connections (containing SPserver1.subdomain.domain.com:80) and there should be another pool for SharePoint apps connections (containing SPserver1.subdomain.domain.com:443). The iRule directs connections to the port 443 pool if the requested host contains sharepointapps.domain.com.
My confusion regards what certificate(s) should be installed on the F5 and on the back-end server.
The F5 virtual IP listening on port 443 for both SharePoint and SharePoint apps connections needs a certificate that will include sharepoint.domain.com and *.sharepointapps.domain.com (the latter as per page 2 of the Microsoft doc).
Page 28 of the F5 doc says the certificate on the back-end server “must be the same certificate used in the BigIP LTM configuration, and must have all of the host names of the SharePoint pool member servers added to it in the Subject Alternative Name field”. So finally to my question:
Does the certificate need to be a wildcard cert (for *.sharepointapps.domain.com) with the Subject Alternative Name field containing sharepoint.domain.com and SPserver1.subdomain.domain.com?
Any thoughts on the certificate requirement in particular, or more generally on F5 configuration for SharePoint apps, would be much appreciated.
Regards,
Stuart
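As an added illustration (not part of the original post, and not code from the F5 or Microsoft guides), the following Python check shows which of the three host names in the question a given SAN list covers under the usual wildcard-matching rules; the app web host name and the two candidate SAN lists are constructed for the example.

```python
"""Check which host names a certificate's SAN list covers.

Wildcard rule applied: '*' may only be the left-most label and stands for
exactly one label, so '*.sharepointapps.domain.com' does not cover the bare
name 'sharepointapps.domain.com' nor 'a.b.sharepointapps.domain.com'.
"""


def san_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname (case-insensitive)."""
    san_entry = san_entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san_entry.startswith("*."):
        return san_entry == hostname          # plain entry: exact match only
    suffix = san_entry[1:]                    # ".sharepointapps.domain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]    # the part the '*' would stand for
    return first_label != "" and "." not in first_label


def cert_covers(san_entries, hostname: str) -> bool:
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(entry, hostname) for entry in san_entries)


def coverage(san_entries, hostnames) -> dict:
    """Map each required host name to whether the SAN list covers it."""
    return {host: cert_covers(san_entries, host) for host in hostnames}


# Host names the set-up in the post must present a valid certificate for.
# The app web name is a constructed sample; real app webs get a per-app prefix.
REQUIRED = [
    "sharepoint.domain.com",                  # SharePoint site, client-side leg
    "app-1a2b3c.sharepointapps.domain.com",   # an app web (constructed), client-side leg
    "SPserver1.subdomain.domain.com",         # pool member, bridged server-side leg
]

# Constructed SAN lists: what is on the F5 today, and what the question proposes.
SINGLE_NAME_CERT = ["sharepoint.domain.com"]
FULL_SAN_CERT = ["sharepoint.domain.com",
                 "*.sharepointapps.domain.com",
                 "SPserver1.subdomain.domain.com"]

if __name__ == "__main__":
    for label, sans in (("single-name", SINGLE_NAME_CERT), ("full SAN", FULL_SAN_CERT)):
        print(label, coverage(sans, REQUIRED))
```

The single-name certificate covers only the site itself, while the combined list covers all three names; note that even the combined list would not cover a request for the bare sharepointapps.domain.com.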