Alex_McShane_23
Nov 09, 2017

Authentication & Encryption between BIG-IP VS and application server

Hi -

I would be grateful for clarity with regard to the following.

I have a requirement to not only enable Authentication and Encryption between the User/Client and BIG-IP, but additionally, between the BIG-IP VS and the backend application servers.

With regard to Authentication / Encryption between BIG-IP and the application servers, my initial thoughts were that this simply entailed additionally defining a Server SSL Profile and populating the following options within the section "Server Authentication":-

- Server Certificate: require
- Authenticate Name: specify
- Trusted Certificate Authorities: specify

However, having read many articles, it is not clear to me as to whether this ONLY facilitates Authentication of the server or additionally encryption between BIG-IP and the application server?

For example, to enable encryption between the BIG-IP VS and the application server, do I additionally need to specify the section "SSL Forward Proxy" within the CLIENT SSL Profile?

Much appreciated

Alex

1 Reply

  • Hello Alex,

    You only need to add an SSL Client Profile and an SSL Server Profile. With the Client Profile, the VS will be ready to handle an encrypted tunnel between the Client and the VS. In the same manner, by adding a Server Profile, the F5 will start a secure handshake to establish an encrypted tunnel between the F5 and the Application Server.

    By inheriting from the client-ssl / server-ssl parent profile, the config is ready to use; there is no need to add anything except the trusted key, cert and chain files to the system.

    Hope it is clear.

    Regards
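
The distinction raised in the question (encryption only versus encryption plus server authentication), shown as an added tmsh example that is not part of the original thread. The profile names, the virtual server `vs_app`, the host name `app01.example.internal` and the CA certificate object `internal-ca.crt` are assumptions; the CA certificate is assumed to be imported on the BIG-IP already, and the `#` lines are annotations.

```tmsh
# Encrypt only: a child of the built-in serverssl profile inherits
# peer-cert-mode ignore, so BIG-IP negotiates TLS with the pool member
# but accepts whatever certificate the server presents.
create ltm profile server-ssl app_serverssl_encrypt_only defaults-from serverssl

# Encrypt and authenticate: the three "Server Authentication" settings
# from the question.
#   peer-cert-mode require  -> Server Certificate: require
#   authenticate-name       -> Authenticate Name (must match the server certificate)
#   ca-file                 -> Trusted Certificate Authorities
create ltm profile server-ssl app_serverssl_verified defaults-from serverssl peer-cert-mode require authenticate-name app01.example.internal ca-file internal-ca.crt

# Attach a Client SSL profile (client side) and the verified Server SSL
# profile (server side) to the virtual server. No SSL Forward Proxy
# setting is involved in re-encrypting to the pool members.
modify ltm virtual vs_app profiles add { clientssl { context clientside } app_serverssl_verified { context serverside } }

# Confirm the settings that are actually in effect on the profile.
list ltm profile server-ssl app_serverssl_verified peer-cert-mode authenticate-name ca-file
```

With the second profile, the server-side handshake fails if the pool member's certificate does not chain to the trusted CA or does not carry the expected name, so test it against each pool member before switching production traffic to it.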