Forum Discussion
8 Replies
- What_Lies_Bene1Cirrostratus
What type of Virtual Server are you using? Will the TLS be terminated on the real servers or do you want to terminate on the F5?
- F5_LB_EngCirrostratus
It's a normal virtual config:
virtual netmail.usa.com_25 '{ snat automap pool netmail.usa.com_25 destination 110.90.3.19:25 ip protocol tcp persist source_addr }'
Yes, I want to terminate on the F5.
- F5_LB_EngCirrostratus
Thanks, I have edited...
- What_Lies_Bene1Cirrostratus
It seems an iRule is your only option, see here: https://devcentral.f5.com/articles/iruleology-ndashsmtp-start-tls. Note you'll need a suitable ClientSSL profile assigned to the VS and it'll need to be listening on 25 and 465 I think.
- F5_LB_EngCirrostratus
Based on our testing, it appears that with the iRule we can successfully establish a secure TLS session between the Internet (MS Office 365 cloud) and the DMZ load balancer. However, the client needs the TLS session to extend all the way to the Exchange servers. The LB can be configured to subsequently request/establish a TLS session to the pool members as well. We need to provide a response to the client fairly quickly.
- What_Lies_Bene1Cirrostratus
Well, that's much easier. Just use a Performance L4 VS, no ClientSSL profile. Just find out what port the TLS will run on, most likely 465.
- F5_LB_EngCirrostratus
They are using port 25 for SMTP....
Could you please give some more details? We need to use Fast L4, and how do we enable the TLS? If we use Fast L4, we need to remove the iRule, right? Then how will TLS work?
- What_Lies_Bene1Cirrostratus
The Exchange servers (as per the requirement) will handle the TLS; you'll just be load balancing at layer four to those servers.
So, just remove the iRule and the ClientSSL profile, apply the default FastL4 profile and off you go. If you want to tweak the FastL4 profile, feel free but the default should be fine.
Hopefully I'm being clear but if not, post back.
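
Added example, not part of the thread or of F5's documentation: one way to confirm that STARTTLS on port 25 is passed through the FastL4 virtual server and answered by the Exchange pool members rather than terminated on the load balancer. It compares the certificate seen through the VIP with the certificates the members present directly; the function names and verdict strings are assumptions made for this sketch.

```python
import hashlib
import smtplib
import ssl
import sys


def starttls_cert_sha256(host, port=25, timeout=10):
    """Issue EHLO + STARTTLS and return the SHA-256 of the server's leaf cert (DER)."""
    # Verification is disabled on purpose: the goal is to identify which
    # certificate is presented, not to decide whether to trust it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None  # STARTTLS is not advertised on this path
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        return hashlib.sha256(der).hexdigest()


def passthrough_verdict(vip_fp, member_fps):
    """Classify the VIP result against fingerprints taken directly from pool members."""
    if vip_fp is None:
        return "no-starttls"
    known = {fp for fp in member_fps.values() if fp}
    if not known:
        return "no-baseline"  # no member offered STARTTLS, nothing to compare
    if vip_fp in known:
        return "passthrough"  # the VIP hands out a pool member's certificate
    return "terminated-elsewhere"  # some other device answers the TLS handshake


if __name__ == "__main__":
    # Usage: python check_smtp_tls.py <vip> <member1> [<member2> ...]
    vip, members = sys.argv[1], sys.argv[2:]
    baseline = {m: starttls_cert_sha256(m) for m in members}
    print(passthrough_verdict(starttls_cert_sha256(vip), baseline))
```

Run it from a host that can reach both the VIP and the pool members on port 25. If a ClientSSL profile were loaded with the same certificate as the Exchange servers, the fingerprints would match even with termination on the load balancer, so the virtual server's profile list still needs checking.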