Forum Discussion
https load balancing with active/standby pair setup
Hello,
Sorry for the dumb question.
I have a pair of BIG-IP appliances and want to configure https load balancing.
BIG-IP-1: 10.10.10.2
BIG-IP-2: 10.10.10.3
Cluster BIG-IP: 10.10.10.1
Destination https web server: 10.10.10.5
Question 1: in terms of DNS, is it correct that the DNS name of the web server (say secure.website.com) should point to 10.10.10.1?
Question 2: when I deploy an SSL certificate on the BIG-IP appliances, should it be bound to 10.10.10.1 (secure.website.com) as well?
Thank you.
7 Replies
- What_Lies_Bene1
Cirrostratus
Hey. It's not a stupid question. Assuming the Virtual Server is listening on 10.10.10.5;
The DNS should point to whatever IP you are using for the Virtual Server. The SSL certificate is applied via a profile to the Virtual Server (it's not directly tied to an IP address).
You would not use the Self/Cluster IP for DNS. The Self/Cluster IP would be what you route the VS range/network to from surrounding devices (if necessary) and is simply the device's L3 'leg' in that subnet. Note that the VS range you use doesn't have to actually exist and the F5 doesn't need to have an L3 interface in that subnet; as long as you route the network to the F5, it'll handle it.
- Hamish
Cirrocumulus
Q1. No. The site name MUST resolve to the IP of the Virtual Server.
Q2. The CN (Common Name) of the cert MUST be the FQDN of the DNS entry that resolves to the Virtual Server IP. (I'm ignoring things like alternate names & wildcards deliberately here to make it easier).
So you need to create a virtual server (VS) that has a separate IP from any of the others and place your actual web servers into a pool that is used by the virtual server.
H
- What_Lies_Bene1
Cirrostratus
I've created a diagram showing how a VS address range can be 'virtual' and not related to any device L3 interface here: http://sdrv.ms/XSaoVA
- Hamish
Cirrocumulus
Note that although I'm usually a fan of this, doing it this way means it's harder in v11 to run active/active with multiple traffic-groups, unless you dedicate a whole subnet to each TG and set the routing on your upstream routers appropriately.
H
- What_Lies_Bene1
Cirrostratus
Good point, I'll keep that in mind. Just to help my own understanding I've now added to the diagram accordingly. Thanks.
- nov1ce_120072
Nimbostratus
Thank you very much!
- What_Lies_Bene1
Cirrostratus
You're welcome.
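An added example, not part of any post in the thread: a small Python check of the two points made in the replies, that the site name resolves to the Virtual Server IP rather than a self/cluster IP, and that the certificate names cover the FQDN. It goes beyond the thread by also handling subjectAltName entries and left-most wildcards; the Virtual Server address 10.10.10.20 and the certificate dict are constructed for illustration.

```python
import ipaddress

def name_matches(pattern, host):
    """Hostname match; a wildcard is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Names from a dict shaped like ssl.SSLSocket.getpeercert().
    DNS subjectAltName entries win; the CN is only a fallback when none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_deployment(fqdn, resolved, vs_ip, device_ips, cert):
    """Return a list of findings; an empty list means DNS and certificate line up."""
    findings = []
    addrs = {ipaddress.ip_address(a) for a in resolved}
    vs = ipaddress.ip_address(vs_ip)
    devices = {ipaddress.ip_address(a) for a in device_ips}
    if vs in devices:
        findings.append("virtual server shares an address with a self/cluster IP")
    if addrs & devices:
        findings.append("DNS points at a self/cluster IP")
    if vs not in addrs:
        findings.append("DNS does not resolve to the virtual server IP")
    if not any(name_matches(n, fqdn) for n in cert_names(cert)):
        findings.append("certificate names do not cover " + fqdn)
    return findings

DEVICE_IPS = ["10.10.10.1", "10.10.10.2", "10.10.10.3"]  # addresses from the question
VS_IP = "10.10.10.20"  # hypothetical Virtual Server address (assumption)
CERT = {"subject": ((("commonName", "secure.website.com"),),),
        "subjectAltName": (("DNS", "secure.website.com"),)}  # constructed sample

if __name__ == "__main__":
    # DNS pointed at the cluster IP, as proposed in the question.
    print(check_deployment("secure.website.com", ["10.10.10.1"], VS_IP, DEVICE_IPS, CERT))
    # DNS pointed at the Virtual Server, as the replies recommend.
    print(check_deployment("secure.website.com", [VS_IP], VS_IP, DEVICE_IPS, CERT))
```

In practice the `resolved` list would come from a DNS lookup of the site name and `cert` from `getpeercert()` on a TLS connection to the Virtual Server.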
