Forum Discussion
NimbostratusF5 Load balancing for SharePoint 2013 with end to end encryption
Hi there,
I'm a SharePoint person not an F5/network person so apologies in advance if I don't use the correct terminology :-)
I need help understanding what is needed to configure F5 with SharePoint 2013 using SSL Bridging.
My interpretation of SSL bridging is the same as this person’s post back in 2012: f5-ssl-to-backend-server-issue
Client => SSL => F5 => SSL => Backend SharePoint server
The secure site on the SharePoint server has the following IIS Binding: * Port: 443 * host header: sharepointsite.mycompany.com * Server Name Indication: enabled * cert with common name = sharepointsite.mycompany.com and issued by local on premise certificate authority
There is only one AAM setting defined in SharePoint and it is: https://sharepointsite.mycompany.com Default https://sharepointsite.mycompany.com
The F5 has a wild card cert for *.mycompany.com issued by a well known CA.
Questions
-
To configure SSL bridging on the F5 do we need to configure a Client Profile and a Server Profile?
-
Which certs are needed on the F5? For example, should the Client Profile be configured to use the wildcard cert and the Server Profile configured to use the host specific cert?
-
What should the AAM settings be?
Many Thanks,
Emer
6 Replies
JGCumulonimbus
-
Yes. There are two separate SSL connections, one from the Exchange user to F5, and the other from F5 to the backend server. Hence the two profiles.
-
Either of the specific or the wildcard certificate will work for the client profile. You can use the default serverssl as the server profile.
F5 needs to prove to the user that it is the right server with a valid certificate, and the Exchange backend server in turn needs to prove to F5 that it is the right server with its certificate as well. That's how it works.
-
Emer_144299Thanks so much. On page 28 of your deployment guide for SharePoint ( link text) it states:
"On each IIS server that is a member of the SharePoint pool, open IIS Manager and then highlight the web site that corresponds to your web application. From the task pane, click Bindings. Add a binding for port 443 listening on all IP addresses and select a certificate to use for HTTPS access to the SharePoint web application. This must be the same certificate used in the BIG-IP LTM configuration, and must have all of the host names of the SharePoint Pool member servers added to it in the Subject Alternative Name field."
Since we have a wildcard cert on the client-F5 end and a specific on the backend, do we still need the host names of the SP servers added to the backend cert in the Subject Alternative name field?
Thanks again, Emer
- JG
All it matters is that there must be a valid certificate for all the Exchange services at F5 and the IIS servers. For easier maintenance, you can just follow the DG and use the same certificate at both F5 and the IIS. Yes, you need to add all the service names in the Subject Alternative name field in your csr, if you do not use the wildcard certificate.
And I am not an F5 staff, just another user. :-)
- Emer_144299
Thanks Jie. Does F5 still need the Subject Alternative name field populated in the cert if Server Name Indication is used on the Web server?
- JG
Yes, you use the same certificate at the F5 and the IIS (and the same private key that is used to generate the CSR).
IheartF5_45022Nacreous
FYI the cert on the F5 needs to be valid as browsers perform certificate validation, but the cert on the server does not if you are using the default serverssl profile.
