Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Jared_46987's avatar
Jared_46987
Icon for Altostratus rankAltostratus
Jan 29, 2014

Exchange SSL Certificates in LTM/GTM Deployement?

Hi everyone,   We're in the process of implementing a GTM into our current network infrastructure, and Exchange is the first to take advantage of it across our two sites. However, I've ran into a ...
application delivery
BIG-IP DNS
deployment
gtm
LTM
microsoft
ssl
Jared_46987's avatar
Jared_46987
Icon for Altostratus rankAltostratus
Jan 29, 2014

Alright, just to make sure we have this done right, lets start with OWA.

 

We have our GTM (which sits behind our firewall) configured for DNS, and lets say it has an IP of 192.168.202.2 (a DMZ address).

 

The VIP's for OWA, which is on one LTM in each datacenter, is 192.168.202.3 and 192.168.203.3, and those addresses are in DNS (our infrastructure uses routed IP addresses, just an FYI). So, the DNS entry on the GTM for OWA, should be pointed to the LTM VIP's, correct?

 

On the GTM, we also have a "wide IP" configured for OWA, with an accompanying pool for each datacenter. The pools are configured with the pre-populated entries (added to the pool as members) that appear when LTM's are synced. Is that correct so far?

 

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jan 29, 2014
    The IP address of your GTM shouldn't come into play much in this scenario, as long as your OWA FQDN is authoritative to your GTM. Your GTM pool should include the virtual server IP addresses from each of your two LTMs that load balance to your back end OWA system. So when a query comes in for owa.yourcompany.com, your GTM receives the request and responds with an A record for the OWA virtual server you have configured on either of your LTMs (depending on type of load balancing configured on the GTM). No certificates should be presented by GTM in this scenario. Only the certificates you have applied to your client SSL profile on the LTM.
  • Jared_46987's avatar
    Jared_46987
    Icon for Altostratus rankAltostratus
    Jan 29, 2014
    Alright, thanks Cory. I think part of the issue might be how our firewall rules are written and directing traffic. I just want to make sure the GTM is setup right, and I'm assuming everything else I mentioned was correct? Our eventual goal is to load balance traffic based on Geo-location, and I know I still have some work to do to get that working.