Forum Discussion

Sanal_Babu
Feb 16, 2018

SSL offloading in F5 with 2 wildcard certificates on the same VS

I need to do SSL offloading in LTM for backend WAP servers. Currently SSL is terminated at the WAP servers. We have 2 wildcard certificates to be attached. Is it possible to add 2 wildcard certificates in the same VS? If so, what could the SNI/server name and server profile be?

Traffic will hit the WAP servers, then the ADFS servers, then the MS cloud for authentication, and then come back to the SharePoint servers.

Please note there is no APM used.

Appreciate your thoughts.

2 Replies

  • You would need to create 3 clientssl profiles: two, one for each of your wildcard certificates, and a default profile to cover the remaining cases; this is by design.

    On the clientssl profiles for the wildcards you need to configure the server name setting, which supports wildcards. More here: https://support.f5.com/csp/article/K14783

    Then you add the 3 clientssl profiles to your virtual server. If you are doing SSL offload then you don't need a serverssl profile; you need to have the pool members configured on port 80/http. You may need to add an HTTP profile to rewrite redirects in case your servers send those using http instead of https (in the HTTP profile there is the setting redirect rewrite; I use the all option most of the time).

  • You need a serverssl profile only when you encrypt traffic to your backend server; if you want plain text traffic to your servers then don’t add it. Your configuration needs to be coherent, hence your pool member configuration needs to point to the http port on your servers.

    The rewrite redirect setting of the http profile helps in SSL offload scenarios where the server sends back redirects pointing to http. Your server doesn’t know about the SSL offload; it still thinks the traffic is http, and so if a redirect happens it will be to http. The option in the http profile fixes that by rewriting it to https, so the client is redirected to https and not http, which may break the flow.
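As an added example (not posted by either reply, and not F5's own documentation), here is the full set of tmsh commands that implements what the two replies describe: one clientssl profile per wildcard certificate with server-name set for the SNI match, a third clientssl profile flagged sni-default for clients that send no SNI or an SNI that matches neither wildcard, an HTTP profile with redirect-rewrite all, a pool on port 80 and a virtual server with no serverssl profile. All profile, pool and virtual server names, the certificate/key file names (assumed already imported into the BIG-IP), and the 10.0.0.x / 192.0.2.10 addresses are constructed placeholders; the `#` lines are comments for the reader, not tmsh input.

```tmsh
# Added example, not from the thread. Names, cert/key files and addresses are placeholders.

# One clientssl profile per wildcard certificate. server-name is the SNI hostname
# the profile is selected for; per K14783 it accepts a wildcard.
create ltm profile client-ssl wildcard_example_com_clientssl defaults-from clientssl cert wildcard_example_com.crt key wildcard_example_com.key server-name *.example.com
create ltm profile client-ssl wildcard_example_net_clientssl defaults-from clientssl cert wildcard_example_net.crt key wildcard_example_net.key server-name *.example.net

# Default profile: handles clients that send no SNI at all, and SNI values that
# match neither wildcard. Exactly one clientssl profile on the VS should be sni-default.
create ltm profile client-ssl default_offload_clientssl defaults-from clientssl cert default_placeholder.crt key default_placeholder.key sni-default true

# HTTP profile that rewrites http:// Location headers from the backend to https://,
# because the offloaded WAP servers only ever see plain HTTP.
create ltm profile http http_offload_rewrite defaults-from http redirect-rewrite all

# Pool members on port 80: with offload there is no serverssl profile, so the
# member port must be the plain-HTTP port of the WAP servers.
create ltm pool wap_http_pool members add { 10.0.0.11:80 10.0.0.12:80 } monitor http

# Virtual server on 443 with all three clientssl profiles and no server-ssl profile.
create ltm virtual vs_wap_https destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http_offload_rewrite wildcard_example_com_clientssl wildcard_example_net_clientssl default_offload_clientssl } source-address-translation { type automap } pool wap_http_pool

# Verify what was applied (property filtering on list is assumed to work as shown).
list ltm profile client-ssl wildcard_example_com_clientssl server-name sni-default
list ltm virtual vs_wap_https profiles
```

Two things worth checking after applying this: which certificate the sni-default profile presents, since that is what older clients without SNI (and any scanner probing the bare IP) will be shown, and that the SharePoint/WAP redirects really do come back as https after the HTTP profile is attached, which you can confirm by requesting a URL that triggers a redirect and reading the Location header in the response.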