Forum Discussion

brian-memeo_235's avatar
brian-memeo_235
Icon for Nimbostratus rankNimbostratus
Nov 03, 2016

F5 will not do Load balancing "only" for SSL connections!

Windows IIS7 server, has UCC SAN Certificate, and has the proper bindings modified via cscript for "hostname." The local host name does not match the UCC SAN certificate, forcing me to use "cscript."

 

If you go directly to the server , the SSL certificate works perfectly (green lock on Chrome!) If I change DNS to point to the F5, the results are either "no connection" or invalid certificate.

 

I want the F5 to ONLY load balance, not off-load the SSL.

 

If I simply use "none" for both client and server SSL profiles, https never connects to the node. If I add client-only SSL, I connect, but my certificate fails to be approved.

 

application delivery
BIG-IP
security
ssl
windows iis

3 Replies

Sort By
  • Andrew_Husking's avatar
    Andrew_Husking
    Icon for Cirrus rankCirrus
    Nov 03, 2016

    2 things i can think of that would cause this.

     

    Firstly are the health checks returning that the backend is ok?

     

    Secondly, do the backend servers have a route to the clients that goes through the F5 or do they go direct? If they go direct you need to enable SNAT (automap should work fine) in order for the traffic to flow correctly.

     

    Regards,

     

  • brian-memeo_235's avatar
    brian-memeo_235
    Icon for Nimbostratus rankNimbostratus
    Nov 03, 2016

    Oh, hell. I know why that will never work. Load balancing won't have any idea as to which host the next reply packet belongs to, unless it authenticates the session and sets up the connection.

     

    However, does anyone have a working F5 up front, with Windows IIS behind it? Please fill me in as to how you have it configured to support SSL certificates. (Other than reinstall with Unix and walk away.)