Brandon
Mar 20, 2014

explanation on SSL virtual Server

I have started to play around with a 3600 series LTM.

 

So I got a cert and a key from my server admin. It was a PKCS 12 IIS file named "my_client".

 

So I created a client SSL profile, attached "my_client" as the certificate and key, and let everything else be default.

 

I tried to https:// to the virtual server and it timed out.

 

So I created a new SSL profile "my_server" using the same PKCS 12 IIS.

 

On the virtual server, I removed the client SSL profile selection, selected the server SSL profile, and updated that.

 

Same result.

 

So for giggles I added the same profile to the client and server and it worked. Should that work? I would think it would need to be different PKCS files for it to work properly?

 

In the client and server SSL profiles I didn't check Proxy SSL. Is that OK? I'm not sure what that does. I have been looking at the article below: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html

 

Any help anyone can give would be great.

 

Thanks

 

2 Replies

  • The client SSL profile should contain the backend server certificate and key, so as to have the LTM behave as if it is the server (unknown to the client). In most cases, the default SSL server profile can be used.

     

    When you had only the SSL client profile applied, you were essentially offloading the SSL at the LTM. Communications between the client and LTM were SSL encrypted, but the LTM was sending traffic to the backend server without SSL.

     

    When you had only the SSL server profile applied, the LTM was not accepting SSL connections from the client, but would talk SSL to the backend server.

     

    By applying both the client and SSL server profiles, you essentially created SSL from end to end. The exception being your LTM terminated the SSL, proxied the session, and then re-encrypted it to the backend server.

     

    Proxy SSL is a configuration used to preserve any type of client certificate presentation for authentication to the backend server. If you don't need any client certificate based authentication, then you won't need to use this feature.

     

  • Yes. It needs to be enabled on both the client and server SSL profiles in order to work.
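
The three profile combinations described in the first reply, plus the Proxy SSL setting from the second, written out as tmsh commands. This is an added example and not part of the original thread; the pool and virtual server names, the documentation-range addresses, and the `my_client.crt` / `my_client.key` object names are assumptions.

```tmsh
# Constructed example. Assumes the PKCS 12 file has already been imported and
# its certificate and key exist on the BIG-IP as my_client.crt / my_client.key.
# Addresses are documentation ranges; all object names are hypothetical.

create ltm pool pool_http members add { 198.51.100.21:80 }
create ltm pool pool_https members add { 198.51.100.21:443 }

# Client SSL profile: the certificate and key the LTM presents to clients.
create ltm profile client-ssl my_client defaults-from clientssl cert my_client.crt key my_client.key

# Server SSL profile: how the LTM speaks SSL to pool members. It inherits
# everything from the default serverssl profile and needs no server key.
create ltm profile server-ssl my_server defaults-from serverssl

# 1. Client SSL profile only (SSL offload).
#    Client <-> LTM is encrypted; LTM <-> pool member is cleartext, so the
#    pool members in this example listen on port 80.
create ltm virtual vs_offload destination 192.0.2.10:443 ip-protocol tcp pool pool_http profiles add { tcp { } my_client { context clientside } }

# 2. Server SSL profile only.
#    The LTM does not accept SSL from the client, but initiates SSL to the
#    pool member.
create ltm virtual vs_serverside_only destination 192.0.2.11:80 ip-protocol tcp pool pool_https profiles add { tcp { } my_server { context serverside } }

# 3. Both profiles (terminate, proxy, re-encrypt).
#    SSL on both legs; the LTM sees cleartext in between.
create ltm virtual vs_reencrypt destination 192.0.2.12:443 ip-protocol tcp pool pool_https profiles add { tcp { } my_client { context clientside } my_server { context serverside } }

# Proxy SSL: only for passing client-certificate authentication through to
# the backend server, and it has to be enabled on BOTH profiles. Left
# commented out because the profiles above are shared with virtual servers
# that carry only one of the two.
# modify ltm profile client-ssl my_client proxy-ssl enabled
# modify ltm profile server-ssl my_server proxy-ssl enabled
```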