GUIZ49_261118
May 04, 2016

iApp for Lync reverse proxy - Public certificate issue

Hello, we are configuring the LTM as a reverse proxy for Lync 2010 using the iApp. We do have a public certificate with the SAN name needed.

I did provide the public certificate with the private key in the last part of the iApp template. However, I am not sure if I need to import my internal CA root certificate so I can ensure that the connection from my LTM to Lync is using MTLS.

Does LTM care about the Lync FE certificate?

For reference, from the F5-Lync doc:

Do you want to create a new client SSL profile for Front End services, or use an existing one?

Select whether you want the iApp template to create a new client SSL profile for the Front End servers, or if you have already created one on this BIG-IP system for reverse proxy traffic. If you select an existing profile, it must have the appropriate SSL certificate and Key.

Important: If you selected to forward reverse proxy traffic to the Director servers, and plan to use a different Client SSL profile for the Director server traffic, both the Front End and Director Client SSL profiles must be correctly configured for SNI (see the guidance in manual configuration table on page 38) and your clients must support SNI. Otherwise, we recommend using the same SSL profile for both the Front End and Director servers.

• Select an existing Client SSL profile
  If you created a Client SSL profile for this reverse proxy implementation, select it from the list.

• Create a new Client SSL profile
  Select this option for the iApp to create a new Client SSL profile using the SSL certificate and key you imported.

  a. Which SSL certificate do you want to use?
     Select the SSL certificate you imported for this implementation.

  b. Which SSL private key do you want to use?
     Select the associated SSL private key.

  c. Which intermediate certificate do you want to use? (Advanced)
     If your deployment requires an intermediate or chain certificate, select the appropriate certificate from the list. Intermediate certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown.

1 Reply

  • mikeshimkus_111
    Historic F5 Account

    Hi GUIZ49, if your SAN cert is trusted by clients then you shouldn't need to import the CA cert. If you need to import it, then you have to create an SSL profile using that chain and attach it using the iApp, rather than creating a new profile. LTM does need to have the certificate to authenticate FE server connections.
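The chain-of-trust behaviour described in the quoted documentation, as an added example that is not part of the original thread or of F5's material: it builds a throwaway root CA, issuing CA and SAN server certificate with the `openssl` CLI, then verifies the server certificate with and without the intermediate. All subject names, host names and file names are constructed placeholders.

```shell
#!/bin/sh
# Constructed lab PKI; every name and file below is a placeholder, not from the thread.
build_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    # Root CA: stands in for the CA the recipient already trusts
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
      -keyout root.key -out root.crt || exit 1
    # Issuing (intermediate) CA, signed by the root
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
      -keyout int.key -out int.csr || exit 1
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.crt || exit 1
    # Server certificate with SAN entries, signed by the issuing CA
    printf 'subjectAltName=DNS:lync.example.test,DNS:lyncdiscover.example.test\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lync.example.test" \
      -keyout leaf.key -out leaf.csr || exit 1
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -extfile leaf.ext -days 2 -out leaf.crt || exit 1
  ) >/dev/null 2>&1
}

# verify_leaf DIR [CHAIN_FILE]: succeeds only if leaf.crt chains up to root.crt.
# CHAIN_FILE plays the role of the intermediate/chain certificate the peer sends.
verify_leaf() {
  ( cd "$1" || exit 1
    if [ -n "$2" ]; then
      openssl verify -CAfile root.crt -untrusted "$2" leaf.crt
    else
      openssl verify -CAfile root.crt leaf.crt
    fi 2>&1 | grep -q ': OK$' )
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir" || echo "PKI build failed"
# A verifier that trusts only the root cannot link the leaf to it on its own
verify_leaf "$demo_dir" && echo "leaf alone: verified" || echo "leaf alone: issuer unknown"
# Supplying the intermediate completes the chain
verify_leaf "$demo_dir" int.crt && echo "leaf + chain: verified" || echo "leaf + chain: failed"
```

Here `int.crt` corresponds to what the template asks for under "Which intermediate certificate do you want to use?"; the same check can be run against a real certificate and chain file before importing them.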