Forum Discussion
HTTPS Monitor
Hi, I am a new member in this group. I have a question about the HTTPS monitor in LTM. How does F5 monitor a pool member when the pool member's listening port is also secure? (Which cert is it using while monitoring the pool member?)
8 Replies
- Cory_50405
Noctilucent
Is the server corresponding to your pool member requiring certificate based authentication for incoming connections? If so, you can specify a certificate and key in the HTTPS monitor to use to authenticate the LTM. If not, then the LTM won't be presenting a certificate; only the server will.
If it's a basic HTTPS monitor which tests TCP 443 reachability, certs don't matter. The certificate handshake will come into the picture if you are using an advanced monitor where you access traffic through TCP 443.
- nag_54823
Cirrostratus
Unless your server asks for certificate-based authentication, you don't need to worry about the HTTPS monitor. If it is required, you need to configure a cert and key in the monitor.
- keshav_163381
Nimbostratus
Which cert do I need to configure (self cert in client tab in F5)?
- nag_54823
Cirrostratus
It can be any one which is approved by your CA.
- nitass
Employee
Which cert do I need to configure (self cert in client tab in F5)?
It is the client certificate which the server requests during the SSL handshake.
This is an article about client certificate authentication (see the Client Authentication and How Does Client Authentication Work sections).
SSL Profiles Part 8: Client Authentication by John Wagnon
https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication
- keshav_163381
Nimbostratus
Thanks to everyone for sharing thoughts and good explanations. @Nitass, I have another question. By default the client cert option is set to ignore in BIGIP. Do we need to do the same on the server side (because BIGIP is a client for the server when it is making a secure connection with BIGIP in offload time)? Am I right? If the server is asking for client auth while making a connection from BIGIP to the server side, which cert will BIGIP present to the server? Is it a self-signed cert? What happens if BIGIP and the server have the same cert (how will communication happen between them)?
- nitass
Employee
By default the client cert option is set to ignore in BIGIP. Do we need to do the same on the server side (because BIGIP is a client for the server when it is making a secure connection with BIGIP in offload time)? Am I right?
yes
If the server is asking for client auth while making a connection from BIGIP to the server side, which cert will BIGIP present to the server? Is it a self-signed cert?
The server is the one who verifies the certificate that BIGIP (serverssl) provides. If the server accepts a self-signed certificate, yes, you can use a self-signed certificate in the serverssl profile.
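
The two cases discussed in this thread, as an added tmsh example that is not part of any reply above: an HTTPS monitor for a server that does not request a client certificate, one for a server that does, and the separate server SSL profile used for proxied traffic. All object names, certificate and key file names, the host name and the health-check URI are assumptions, and the cert/key pair is assumed to be already imported on the BIG-IP.

```tmsh
# Constructed example: mon_*, serverssl_clientcert, pool_app, vs_app,
# monitor-client.crt/.key, app.example.internal and /health are placeholders.

# Case 1: the pool member does not request a client certificate.
# The monitor completes the TLS handshake and BIG-IP presents no certificate;
# only the server presents one.
create ltm monitor https mon_https_plain defaults-from https send "GET /health HTTP/1.1\r\nHost: app.example.internal\r\nConnection: close\r\n\r\n" recv "200 OK"

# Case 2: the pool member requests a client certificate.
# The monitor presents this cert/key pair when the server asks for it.
# The server decides whether to accept it, so the cert must chain to a CA
# the server trusts (or be a self-signed cert the server is set to accept).
create ltm monitor https mon_https_clientcert defaults-from https cert monitor-client.crt key monitor-client.key send "GET /health HTTP/1.1\r\nHost: app.example.internal\r\nConnection: close\r\n\r\n" recv "200 OK"

# The monitor's cert/key only covers health checks. For proxied client
# traffic, the certificate BIG-IP presents to the server comes from the
# server SSL profile on the virtual server.
create ltm profile server-ssl serverssl_clientcert defaults-from serverssl cert monitor-client.crt key monitor-client.key

# Attach the monitor to the pool and the profile to the server side of the
# virtual server.
modify ltm pool pool_app monitor mon_https_clientcert
modify ltm virtual vs_app profiles add { serverssl_clientcert { context serverside } }

# Confirm the monitor settings and that the members are marked up.
list ltm monitor https mon_https_clientcert
show ltm pool pool_app members
```

If the members go down only with `mon_https_plain` attached, the server is likely requiring a client certificate and the monitor needs the `cert` and `key` settings.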