I have a top level F5 receiving traffic and sending to pools with two nodes in each pool. One node is the VIP on a next level F5 (a side) and the other node is a VIP on a different F5 (b side).
How do I set up the certs on something like this?
- Pass through on the top level F5 and offload certs on the lower level?
- Offload cert and use the clientssl cert to speak to the next F5?
- Offload and re-encrypt with the same cert on both sides of the first F5?
Depending on what you want to implement.
If you don't use ASM or APM you can set up this configuration:
FRONT REVERSE PROXY: L4 with source address persistence
BACK Reverse proxy (Side A): SSL interception (cookie persistence if you have multiple nodes)
BACK Reverse proxy (Side B): SSL interception (cookie persistence if you have multiple nodes)
Important point: if you have a hardware device as the FRONT REVERSE PROXY and a VE as the BACK REVERSE PROXY, it's better to set SSL interception on the hardware device for performance reasons.
For information, SSL interception means that you have to set client and server SSL profiles.
It's always better to set up SSL interception on the F5 in order to manage cipher and SSL/TLS security. And in future, if you want to use APM or ASM, SSL interception is needed...
In all cases it's always better to set up SSL interception on the hardware device.
What would I use for the serverssl? Would it be the default SSL profile and then put that on the front of the next F5? Or would I use the same cert as the clientssl profile, basically re-encrypting it as before and then let the second F5 decrypt with the same cert?
Yes, in case you want to set SSL interception in front and back, you can follow this procedure:
For the server SSL profile you can use the default "server ssl insecure" for the front and back reverse proxies.
Regarding the client SSL profile, if you have a dedicated cert/key it's better to set it in front and back.
What are your security requirements?
Do you need the traffic encrypted after the first level F5's?
Do you need to do any layer 7 processing, like select a pool or pool member based on part of the HTTP request or insert a cookie for persistence?
What are your security requirements? - PCI standards
Do you need the traffic encrypted after the first level F5's? - Yes, this is required.
Do you need to do any layer 7 processing, like select a pool or pool member based on part of the HTTP request or insert a cookie for persistence? - We will only need redirects and some header changes.
If you need to read or manipulate the HTTP request/response in both layers of F5 devices you will need to terminate and decrypt the SSL and re-encrypt before forwarding on.
The certificates you need to use will be down to your security policies/requirements but you have three options:
If you only need to process the HTTP in the first layer then I would use Performance L4 Virtual Servers in the second layer and not terminate the SSL at all.
Work out the SSL encryption/decryption flow and set up the F5 to work with basic client and server SSL profiles, so more open security, then work to restrict the security with the cipher suite configurations, and if you are using temporary certificates and keys, replace them with new keys and newly issued certificates.
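The following tmsh configuration is an added example, not posted by anyone in this thread, showing the terminate-and-re-encrypt layout that the "SSL interception in front and back" answer and the last reply both describe: the front F5 terminates client TLS with a client-ssl profile, re-encrypts toward the side A and side B VIPs with a server-ssl profile, and each second-level F5 terminates again with the same certificate before re-encrypting to its nodes. Because the thread's stated requirement is PCI and encryption between the tiers, the server-ssl profiles here do not use the default "insecure" profile (which does not validate the peer certificate, peer-cert-mode ignore); they require and validate the next hop's certificate against a CA bundle, and both tiers restrict ciphers to TLS 1.2 ECDHE/AES-GCM. All object names, certificate/key/CA file names, and IP addresses (203.0.113.x, 10.1.x.x) are assumed placeholders; the second-level alternative at the end shows the Performance L4 (fastL4, no termination) variant suggested for the case where only the first layer needs to read HTTP.

```tmsh
# ---------- FRONT-TIER F5 (hardware): terminate, inspect HTTP, re-encrypt ----------
# Client-facing profile: the public cert/key (placeholder names) plus chain.
# Cipher string drops SSLv3/TLS1.0/TLS1.1 and non-ECDHE suites.
create ltm profile client-ssl clientssl_app_front \
    defaults-from clientssl \
    cert-key-chain add { app { cert app.example.com.crt key app.example.com.key chain intermediate-ca.crt } } \
    ciphers 'ECDHE+AES-GCM:!SSLv3:!TLSv1:!TLSv1_1:!RC4:!MD5'

# Server-side profile toward the tier-2 VIPs: require a certificate from the
# next F5, validate it against the assumed tier2-ca-bundle.crt, and check the
# name it presents. server-name sends SNI so tier 2 can select the right cert.
create ltm profile server-ssl serverssl_to_tier2 \
    defaults-from serverssl \
    peer-cert-mode require \
    ca-file tier2-ca-bundle.crt \
    authenticate-name app.example.com \
    server-name app.example.com \
    ciphers 'ECDHE+AES-GCM:!SSLv3:!TLSv1:!TLSv1_1'

# Pool of the two tier-2 VIPs (side A and side B), monitored over HTTPS.
create ltm pool pool_tier2 \
    members add { 10.1.2.10:443 { } 10.1.3.10:443 { } } \
    monitor https

# Front virtual server: client-ssl on the client side, server-ssl on the
# server side, http profile so redirects/header changes can be applied here,
# source-address persistence as proposed for the front reverse proxy.
create ltm virtual vs_app_front \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { tcp { } http { } clientssl_app_front { context clientside } serverssl_to_tier2 { context serverside } } \
    pool pool_tier2 \
    source-address-translation { type automap } \
    persist replace-all-with { source_addr }

# ---------- TIER-2 F5, SIDE A (repeat on side B with its own VIP 10.1.3.10) ----------
# Same cert/key as the front tier so the front tier's authenticate-name check
# and the browser's expectation both match; same cipher policy.
create ltm profile client-ssl clientssl_app_tier2 \
    defaults-from clientssl \
    cert-key-chain add { app { cert app.example.com.crt key app.example.com.key chain intermediate-ca.crt } } \
    ciphers 'ECDHE+AES-GCM:!SSLv3:!TLSv1:!TLSv1_1:!RC4:!MD5'

# Re-encrypt to the application nodes and validate their certificates
# against the assumed internal CA.
create ltm profile server-ssl serverssl_to_nodes \
    defaults-from serverssl \
    peer-cert-mode require \
    ca-file internal-ca.crt \
    ciphers 'ECDHE+AES-GCM:!SSLv3:!TLSv1:!TLSv1_1'

create ltm pool pool_app_nodes_a \
    members add { 10.1.20.11:443 { } 10.1.20.12:443 { } } \
    monitor https

# Tier-2 VIP is the address the front tier's pool points at; cookie
# persistence because this tier has multiple nodes behind it.
create ltm virtual vs_app_tier2_a \
    destination 10.1.2.10:443 \
    ip-protocol tcp \
    profiles add { tcp { } http { } clientssl_app_tier2 { context clientside } serverssl_to_nodes { context serverside } } \
    pool pool_app_nodes_a \
    source-address-translation { type automap } \
    persist replace-all-with { cookie }

# ---------- ALTERNATIVE TIER-2 (only if all HTTP work is done at tier 1) ----------
# Performance L4: no TLS termination, no http profile, so the front tier's
# re-encrypted session runs end to end to the node (source-address persistence
# only, since cookies cannot be read here).
# create ltm virtual vs_app_tier2_a_l4 \
#     destination 10.1.2.10:443 \
#     ip-protocol tcp \
#     profiles add { fastL4 { } } \
#     pool pool_app_nodes_a \
#     persist replace-all-with { source_addr }

save sys config
```

A quick way to confirm the design after applying it is to connect to the front VIP and to each tier-2 VIP with `openssl s_client -connect <vip>:443 -servername app.example.com` and check that each hop presents the expected certificate and negotiates only TLS 1.2 with an ECDHE/AES-GCM suite; if the front tier's pool members go down immediately after enabling `peer-cert-mode require`, the tier-2 certificate chain does not validate against the CA bundle named in `serverssl_to_tier2`, which is the failure you want to surface rather than silently accept.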