Two load balancers in a row. How to manage certs

I have a top level F5 receiving traffic and sending to pools with two nodes in each pool. One node is the VIP on a next level F5 (a side) and the other node is a VIP on a different F5 (b side).

How do I set up the certs on something like this?

  • Pass through on the top level F5 and offload certs on the lower level?
  • Offload cert and use the clientssl cert to speak to the next F5?
  • Offload and re-encrypt with the same cert on both sides of the first F5?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

It depends on what you want to implement. If you don't use ASM or APM you can set up this configuration:

FRONT REVERSE PROXY: L4 with source address persistence

BACK Reverse proxy (Side A): SSL interception (cookie persistence if you have multiple nodes)

BACK Reverse proxy (Side B): SSL interception (cookie persistence if you have multiple nodes)

Important point: if you have a hardware device as the FRONT REVERSE PROXY and a VE as the BACK REVERSE PROXY, it's better to set SSL interception on the hardware device for performance reasons.

For information, SSL interception means that you have to set both a client and a server SSL profile.

Regards

Comments on this Answer
Comment made 4 months ago by youssef 3382

It's always better to set up SSL interception on the F5 in order to manage cipher and SSL/TLS security. And in future, if you want to use APM or ASM, SSL interception is needed...

In all cases it's always better to set up SSL interception on a hardware device.

Comment made 4 months ago by Sokol 59

What would I use for the serverssl? Would it be the default SSL profile and then put that on the front of the next F5? Or would I use the same cert as the clientssl profile, basically re-encrypting it as before and then letting the second F5 decrypt with the same cert?

Thanks, btw!

Comment made 4 months ago by youssef 3382

Yes, if you want to set up SSL interception in front and back you can follow this procedure:

For the server SSL profile you can use the default "server ssl insecure" for the front and back reverse proxy.

Regarding the client SSL profile, if you have a dedicated cert/key it's better to set it in front and back.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

What are your security requirements?

Do you need the traffic encrypted after the first level F5's?

Do you need to do any layer 7 processing, like selecting a pool or pool member based on part of the HTTP request, or inserting a cookie for persistence?

Comments on this Answer
Comment made 4 months ago by Sokol 59

What are your security requirements? - PCI standards

Do you need the traffic encrypted after the first level F5's? - Yes, this is required.

Do you need to do any layer 7 processing, like selecting a pool or pool member based on part of the HTTP request, or inserting a cookie for persistence? - We will only need redirects and some header changes.

Comment made 4 months ago by AMG 1979

If you need to read or manipulate the HTTP request/response in both layers of F5 devices you will need to terminate and decrypt the SSL and re-encrypt before forwarding on.

The certificates you need to use will be down to your security policies/requirements but you have three options:

  1. Buy a certificate from a public CA. You will need to do this for the first layer of F5's if access is from the public internet.
  2. Issue certificates from an internal CA. This is the best option for the second layer of F5 devices, as it will be cheaper and you have more control of the certificates. I would recommend issuing a different certificate for each F5, as it will avoid any grey areas in the PCI standard.
  3. Generate a self-signed certificate on the F5 devices. If you need to meet PCI then this is not really a valid option unless you write something detailed about how the connection is restricted between the two F5 layers only, etc. (more of a pain than just getting a cert from somewhere else).

If you only need to process the HTTP in the first layer then I would use Performance L4 Virtual Servers in the second layer and not terminate the SSL at all.

Work out the SSL encryption/decryption flow and set up the F5 to work with basic client and server SSL profiles (so more open security), then work to restrict the security with the ciphersuite configurations. If you are using temporary certificates and keys, replace them with new keys and newly issued certificates.

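The two-tier layout the accepted answer and AMG's comment describe, as an added tmsh example that is not from this thread or from F5: a Performance L4 front virtual server with source-address persistence forwarding to the two tier-two VIPs, and a tier-two virtual server that terminates TLS with its own dedicated certificate, re-encrypts to the application pool with a server SSL profile that requires a certificate chained to the internal CA, and uses cookie persistence. All object names, addresses, certificate and CA file names are assumed placeholders.

```tmsh
# --- Tier 1 (front reverse proxy): no TLS termination, L4 only ---
# Pool whose two members are the tier-2 VIPs (side A and side B); addresses are assumed.
create ltm pool pool_tier2_vips members add { 10.0.1.10:443 10.0.2.10:443 } monitor tcp

# Performance L4 virtual server: fastL4 profile, source-address persistence so a client
# keeps hitting the same tier-2 VIP. SNAT automap is an assumption for a routed design.
create ltm virtual vs_front_443 destination 203.0.113.10:443 ip-protocol tcp \
    profiles add { fastL4 } pool pool_tier2_vips \
    persist replace-all-with { source_addr } \
    source-address-translation { type automap }

# --- Tier 2, side A (back reverse proxy): SSL interception = clientssl + serverssl ---
# Client SSL profile with a dedicated cert/key for this device (internal-CA issued per AMG).
create ltm profile client-ssl clientssl_side_a defaults-from clientssl \
    cert side_a.example.internal.crt key side_a.example.internal.key

# Server SSL profile for re-encryption to the app servers. Instead of the permissive
# serverssl-insecure-compatible default, require the backend cert to chain to the internal CA.
create ltm profile server-ssl serverssl_app_internal defaults-from serverssl \
    peer-cert-mode require ca-file internal_ca.crt

# Application pool behind side A (assumed addresses), with cookie persistence on the VS.
create ltm pool pool_app_side_a members add { 10.0.1.21:443 10.0.1.22:443 } monitor https

create ltm virtual vs_side_a_443 destination 10.0.1.10:443 ip-protocol tcp \
    profiles add { tcp http clientssl_side_a { context clientside } \
                   serverssl_app_internal { context serverside } } \
    pool pool_app_side_a persist replace-all-with { cookie }
```

Side B is the same tier-2 block with its own certificate, VIP and pool, so each F5 carries a distinct cert as AMG recommends; tighten the cipher list on clientssl_side_a once the flow is confirmed working.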