Forum Discussion
Adding Microsoft internal CA as a trusted signer.
Hello.
Apologies if this is in the wrong place, or inappropriate - but I'm reaching the end of my Google-fu and am not able to find an answer.
My company is implementing MS-Lync, and I need to use my BigIPs running LTM as a reverse proxy for the simple web services.
Not much to it, and I think I've got the basics working - take SSL/443 from the Internet and redirect it to SSL/4443 on an internal server - but I'm running into an issue.
When I use cURL to look into the server, the SSL diagnostics state that the certificate on the internal server is not from a trusted source (not surprising).
What I need to do is be able to export the root certificate from the Microsoft Active Directory CA and import it into the F5 so that the F5 recognises it as a trusted issuer, and passes the transactions.
Can anyone point me to a how-to or idiot's guide to make this work? I'm relatively new to F5 and BigIPs, so I'm grasping in the dark somewhat.
Thanks.
2 Replies
- Kevin_Stewart
Employee
The server SSL profile doesn't generally care about, or rather is configured by default not to be concerned with, establishing trust with the internal application. You can usually apply the built-in serverssl profile, and as long as there are no unusual SSL requirements on the server, the server SSL profile will ignore validation and trust issues.
In any case, the BIG-IP can import certificates in either p12 or PEM/base64 format, so it should be relatively easy to export the CA's public certificate, import it to the BIG-IP, and then apply it to the server SSL profile.
Do you have a special requirement to build this server side trust?
- DaZZa
Nimbostratus
Kevin.
Thanks for your reply.
I was made to believe that I had to establish the server side trust by the consultants who have been employed to implement Lync for us - but I've since found out that I don't really need to do so.
The external certs are working fine, and once I worked my way through the F5 Lync template (and, more importantly, the documentation provided by consultants, which was much more muddled!), I now find that the reverse proxy is working for Lync.
I was panicking because cURL was complaining about not being able to establish the veracity of the server certificate - but it seems I was freaking out over nothing.
Thanks again for confirming that I was just being stupid and worrying about nothing.