NimbostratusWe have an F5 which load balances external traffic through our ADFS 2016 proxies, pointing to the default proxy URL, sts.'ourorg'.com. We need to replace the expiring ADFS certificates. Does the certificate upgrade need to happen simultaneously on both the ADFS servers and the F5 or if both have a valid certificate, whether the soon-to-expire or new, will communication still be secure? Thank you.
NimbostratusI found out we use pass-through so there is no need to update certificates on the F5. That makes life easier!
That's invalidate the requirements of your initial question...
But I'm glad you have solved it.
KR,
Dario.
F5 works as a full-proxy infrastructure, having a client-side (connection between external clients and F5) and a server-side (connection between F5 and the backend server, where F5 takes a role of client).
Taking this into account
1) The Client SSL profile certificate must be upgraded, yes or yes (to avoid TLS errors during customer navigation)
2) The Backend Certificate should be upgraded, but it could be unmodified (because you could modify your server SSL profile to not warn possible TLS errors)
I encourage you to read this doc about server SSL profile
https://support.f5.com/csp/article/K14806
Sections:
KR,
Dario.
