Forum Discussion

Vijay_Krishnan_
Feb 18, 2010

Attaching SSL Certificates

We have a forwarding VIP 0.0.0.0 to forward all outbound traffic through the LTM on port 443. Depending on the destination I need to attach an SSL certificate so that the traffic to the destination is encrypted. So in short, for different destinations I need to add different certificates. Is there an iRule I can attach to the forwarding VIP, or do I need to create an outbound virtual server for each destination? Please help.

5 Replies

  • Hi Vijay,

    By default, LTM wouldn't modify the destination port or encryption on a forwarding VIP. So if a client made a request which matched the forwarding 443 VIP, wouldn't it already be using encryption? Are you wanting to selectively decrypt the client SSL and then re-encrypt it? If not, can you clarify what you're trying to accomplish?

    Thanks,

    Aaron
  • Yes, Aaron. I wanted to selectively decrypt and encrypt depending upon the destination. The destinations are routed through our forwarding VIP and the traffic to different public destinations exits this VIP. As the forwarding VIP only has provision to attach an iRule, can I selectively decrypt and encrypt outbound traffic using an iRule? Or do I need to create a destination VIP for each and every connection, which enables me to configure client and server side SSL? Can this VIP have a public IP as its IP address?
  • I think you could use a standard (TCP) VIP with a 0.0.0.0/0.0.0.0 or specific host destination. But you'd need an SSL cert/key for each hostname that the client makes a request to, which the client browser accepts as valid. Do you have such a cert? If not, the client would get a mismatched or unchained cert warning from the browser. If you do have such a cert, then with a 0.0.0.0/0.0.0.0 VIP, you could select the client SSL profile based on the destination IP address using an iRule. Or if you do configure a specific VIP for each destination host, you could create a client SSL profile for each cert/key you want to use to decrypt the traffic with.

    Aaron
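One way to do the destination-based profile selection Aaron describes, as an added example that is not from this thread or from F5: an iRule on a standard TCP virtual server (0.0.0.0/0 destination) that already has a client SSL and a server SSL profile attached. The data group name `dest_ssl_profiles` (destination IP mapped to the clientssl profile holding that destination's cert/key) and the profile names are assumptions for the example.

```tcl
# Added example (not from the thread): pick the client SSL profile by the
# client's original destination IP. Assumes the virtual server is a standard
# TCP VIP with a clientssl and a serverssl profile already attached; the
# clientssl profile chosen here must hold a cert the browser accepts for
# that destination, otherwise the client sees a certificate warning.
# Assumed address data group "dest_ssl_profiles" (constructed for this example):
#   203.0.113.10 := clientssl_siteA
#   198.51.100.25 := clientssl_siteB
when CLIENT_ACCEPTED {
    # On a wildcard VIP the local address is the destination the client asked for.
    set dest [IP::local_addr]

    # Look up the clientssl profile configured for this destination.
    set profile [class match -value $dest equals dest_ssl_profiles]

    if { $profile ne "" } {
        # Swap in the destination-specific clientssl profile; decrypt on the
        # client side and re-encrypt with the attached serverssl profile.
        SSL::profile $profile
        log local0. "Decrypting to $dest with client SSL profile $profile"
    } else {
        # No cert for this destination: leave the TLS session untouched end to end.
        SSL::disable clientside
        SSL::disable serverside
        log local0. "Passing TLS to $dest through unmodified (no profile configured)"
    }
}
```

Destinations without an entry in the data group are not decrypted, so the iRule fails closed to pass-through rather than presenting a mismatched certificate.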
  • Hi Aaron,

    Yes, I do have certs for each outbound destination, but I have configured the 0.0.0.0 VIP as a forwarding VIP, which does not allow adding SSL profiles as part of its configuration. Will a standard 0.0.0.0 VIP serve the same purpose as a forwarding VIP? If so, I can configure SSL certs and then with an iRule I can switch certs depending upon the destination. I am quite new to this game of load balancing. Is an outbound VIP the same as an inbound VIP? Can we have a public valid destination as the destination address of an outbound VIP?

    I really value your feedback and assistance. Thanks for your help and assistance so far.
  • Sorry, I forgot that you'd need to use a standard TCP VIP in order to use a client and/or server SSL profile. It would be simpler to configure a single standard VIP for each destination host that you want to decrypt/re-encrypt the traffic for.

    There isn't really an explicit concept of inbound and outbound VIPs with LTM. You can define any number of VLANs and pass traffic between the VLANs with VIPs defined on public or private IP address spaces.

    Aaron