Forum Discussion
Exchange SSL Certificates in LTM/GTM Deployment?
Hi everyone,
We're in the process of implementing a GTM into our current network infrastructure, and Exchange is the first to take advantage of it across our two sites. However, I've run into a problem that I can't find an answer for. When people are connecting to OWA, or any other Exchange service, and the connection is routing through the GTM to the LTM, they receive a certificate error. Instead of getting the cert that is in the SSL profile and works when going through the LTM only, they are presented with the GTM's self-signed cert instead. How do I go about correcting this issue for Exchange and, I'm assuming, all other applications we'll be using that need 3rd-party public certs? Do I need to do something like write a custom iRule that would be used on the GTM, and instruct it to use the proper cert?
Thanks,
J
- Kevin_Stewart (Employee)
First for clarity, no traffic should be routing through the GTM. The GTM should be issuing a DNS response that points the client browser directly to the correct LTM VIP. When the client arrives at the LTM VIP, the host name in the browser should match the subject name in the certificate applied to the VIP. Is that how you have it configured?
- Jared_46987 (Altostratus)
Alright, just to make sure we have this done right, let's start with OWA.
We have our GTM (which sits behind our firewall) configured for DNS, and let's say it has an IP of 192.168.202.2 (a DMZ address).
The VIPs for OWA, which is on one LTM in each datacenter, are 192.168.202.3 and 192.168.203.3, and those addresses are in DNS (our infrastructure uses routed IP addresses, just an FYI). So, the DNS entry on the GTM for OWA should be pointed to the LTM VIPs, correct?
On the GTM, we also have a "wide IP" configured for OWA, with an accompanying pool for each datacenter. The pools are configured with the pre-populated entries (added to the pool as members) that appear when LTMs are synced. Is that correct so far?
- Cory_50405 (Noctilucent)
The IP address of your GTM shouldn't come into play much in this scenario, as long as your OWA FQDN is authoritative to your GTM. Your GTM pool should include the virtual server IP addresses from each of your two LTMs that load balance to your back-end OWA system. So when a query comes in for owa.yourcompany.com, your GTM receives the request and responds with an A record for the OWA virtual server you have configured on either of your LTMs (depending on the type of load balancing configured on the GTM). No certificates should be presented by the GTM in this scenario. Only the certificates you have applied to your client SSL profile on the LTM.
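The path Kevin and Cory describe (GTM answers the DNS query with an LTM VIP address, the LTM VIP presents the client SSL profile's certificate, the GTM never terminates TLS) can be checked from a client with a small script. The following is an added diagnostic example written for this thread, not F5 code and not something either poster supplied. It assumes the wide IP is owa.yourcompany.com, that the OWA VIPs are 192.168.202.3 and 192.168.203.3 and the GTM listener is 192.168.202.2 (the addresses used in the thread), and the two certificate dictionaries are constructed sample data in the shape Python's `ssl` module returns from `getpeercert()`: one for a CA-issued LTM certificate with SANs, one for a self-signed device certificate like the GTM's.

```python
"""Check that a GTM wide IP sends clients to an LTM VIP that presents the
right certificate.  Added example for this thread, not F5 code.  Assumes the
wide IP owa.yourcompany.com, OWA VIPs 192.168.202.3 / 192.168.203.3 and a
GTM listener on 192.168.202.2 (addresses from the thread).  The cert dicts
at the bottom are constructed samples in ssl.SSLSocket.getpeercert() shape."""
import socket
import ssl

WIDE_IP = "owa.yourcompany.com"
LTM_VIPS = {"192.168.202.3", "192.168.203.3"}   # LTM virtual servers in the GTM pool
GTM_LISTENER = "192.168.202.2"                 # GTM DNS listener, never a valid answer


def classify_answers(answers, ltm_vips=LTM_VIPS, gtm_listener=GTM_LISTENER):
    """Every A record the GTM hands out must be one of the LTM VIPs."""
    problems = []
    for ip in answers:
        if ip == gtm_listener:
            problems.append(f"{ip}: A record points at the GTM listener, so the client "
                            "would hit the GTM (and its self-signed cert), not an LTM VIP")
        elif ip not in ltm_vips:
            problems.append(f"{ip}: A record is not a known LTM VIP")
    return problems


def hostname_matches(hostname, san_dns_names, common_name=None):
    """RFC 6125-style check: SAN dNSName entries win; the CN is consulted only
    when the certificate has no SAN.  A wildcard covers exactly one left-most label."""
    names = list(san_dns_names) or ([common_name] if common_name else [])
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                                   # ".yourcompany.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def common_name(cert):
    """Pull commonName out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_self_signed(cert):
    """A self-signed certificate (e.g. a BIG-IP's default device cert) has
    identical issuer and subject."""
    return cert.get("issuer") == cert.get("subject")


def diagnose(hostname, answers, cert, ltm_vips=LTM_VIPS, gtm_listener=GTM_LISTENER):
    """Combine the DNS-answer and certificate checks.  An empty list means the
    client was sent to an LTM VIP that presented a matching, CA-issued cert."""
    findings = classify_answers(answers, ltm_vips, gtm_listener)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if is_self_signed(cert):
        findings.append("certificate is self-signed (issuer == subject); this is what "
                        "a browser sees when it lands on the GTM itself")
    if not hostname_matches(hostname, sans, common_name(cert)):
        findings.append(f"certificate names {sans or [common_name(cert)]} do not cover "
                        f"{hostname}; check the client SSL profile on the VIP")
    return findings


def live_check(hostname, port=443, timeout=5.0):
    """Resolve the wide IP with the system resolver, then open a verified TLS
    session to each answer with SNI set to the hostname.  Returns the answers
    and {ip: cert_dict} for answers that verify, {ip: error_string} otherwise."""
    answers = sorted({ai[4][0] for ai in
                      socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)})
    ctx = ssl.create_default_context()           # verifies the chain and the hostname
    results = {}
    for ip in answers:
        try:
            with socket.create_connection((ip, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    results[ip] = tls.getpeercert()
        except (ssl.SSLError, OSError) as exc:
            results[ip] = f"TLS failed: {exc}"   # self-signed or mismatched cert lands here
    return answers, results


# Constructed sample data: a healthy LTM VIP cert and a GTM self-signed device cert.
LTM_CERT = {
    "subject": ((("commonName", "owa.yourcompany.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "owa.yourcompany.com"), ("DNS", "autodiscover.yourcompany.com")),
}
GTM_SELF_SIGNED = {
    "subject": ((("commonName", "gtm.yourcompany.local"),),),
    "issuer": ((("commonName", "gtm.yourcompany.local"),),),
}

if __name__ == "__main__":
    print("LTM VIP:", diagnose(WIDE_IP, ["192.168.202.3"], LTM_CERT) or "healthy")
    print("GTM    :", diagnose(WIDE_IP, ["192.168.202.2"], GTM_SELF_SIGNED))
    # Against a real deployment: answers, certs = live_check(WIDE_IP)
```

Run from a client network the same way a browser would reach OWA. If `live_check` returns the GTM listener as an answer, or a `TLS failed` entry for a VIP, the problem is in DNS delegation or firewall NAT rather than in the client SSL profile, which matches the firewall-rule suspicion raised later in the thread.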
- Jared_46987 (Altostratus)
Alright, thanks Cory. I think part of the issue might be how our firewall rules are written and directing traffic. I just want to make sure the GTM is set up right, and I'm assuming everything else I mentioned was correct? Our eventual goal is to load balance traffic based on geolocation, and I know I still have some work to do to get that working.