Forum Discussion

Prasad4u
Mar 14, 2024

In F5 LTM


In F5 LTM, how do I configure a VIP using SSL offloading with a *.abc.com certificate, whereas the end node has a *.noam.abc.net certificate?

  • Put the *.abc.com private key and public certificate in the virtual server's client-side SSL profile.

    You can use the default server-side profile.

    You can use an F5 local traffic policy to change the HTTP Host header to ...abc.net,
    but it is better if the web server is configured to accept abc.com;
    usually it is not difficult to add accepted hostnames in the web server config.

  • Hi Prasad4U,

    It's SSL offloading; that means that from F5 to the backend/real server, communication must be in plain text, with no encryption or decryption after that, hence there is no need to apply any type of default server-side profile. NO server-side SSL profile for SSL offloading.

    If you apply a client-side as well as a server-side SSL profile, it will be

    An SSL/TLS wildcard certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure multiple subdomain names (hosts) pertaining to the same base domain.

    There are three supported methods for using a single virtual server to handle multiple host names:

    Note: You cannot specify the second-level domain as a wildcard. Doing so creates a security risk, and any certificate requested will not be honored by a Certificate Authority (CA). Only the host name portion of the domain can be a wildcard.

    For example, the following domain name is not valid:

    *.*.net


    Assuming all your sub-domains are first-level, you're good to go with the wildcard certificate. Just don't include any sub-domains (SANs) with your purchase requests, you really don't have to, and it might be the reason you received misleading information from them. Any first-level sub-domains will automatically be covered by the wildcard certificate.


    With a wildcard certificate, your second-level sub-domains will not be covered (e.g. "https://mysecond.myfirst.maindomain.com"); neither will "https://maindomain.com" be covered.


    I recommend reading the information here to learn more about wildcards & sub-domains: https://www.digicert.com/ssl-support/wildcard-san-names.htm


    Once you are ready with wildcard cert and key,


    You can use the following method to create a CLIENT SIDE SSL profile to be added in Virtual server later, for performing SSL offloading:


    https://my.f5.com/manage/s/article/K14783


    BIG-IP is built to handle SSL traffic in load balancing scenarios and meets most security requirements effectively. The three common SSL configurations that can be set up on an LTM device are:

    • SSL Offloading
    • SSL Passthrough
    • Full SSL Proxy / SSL Re-Encryption / SSL Bridging / SSL Terminations


    HTH
    ✌️
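The wildcard coverage rules described in the answer above, as an added example (my own Python, not code from the thread or from F5): before loading a wildcard cert into the client-side SSL profile, check which hostnames clients will actually request on the VIP are covered. A wildcard matches exactly one first-level label, so *.abc.com covers www.abc.com but not abc.com, not a second-level sub-domain, and certainly not anything under the backend's abc.net name. The hostnames in the example are constructed.

```python
from __future__ import annotations

import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def is_valid_wildcard(cert_name: str) -> bool:
    """Wildcard is only allowed as the whole leftmost label, and the
    second-level domain itself may not be a wildcard, so '*.*.net' and
    '*.com' are rejected (a CA would not issue them either)."""
    labels = cert_name.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[0] != "*":
        return False
    return all(LABEL.fullmatch(label) for label in labels[1:])


def cert_covers(cert_name: str, hostname: str) -> bool:
    """True if a certificate issued for cert_name covers hostname.

    A wildcard matches exactly one first-level label: '*.abc.com' covers
    'www.abc.com' but neither 'abc.com' nor 'a.b.abc.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname  # plain name: exact match only
    if not is_valid_wildcard(cert_name):
        return False
    host_labels = hostname.split(".")
    base_labels = cert_name.split(".")[1:]  # everything right of '*.'
    return (
        len(host_labels) == len(base_labels) + 1
        and host_labels[1:] == base_labels
        and LABEL.fullmatch(host_labels[0]) is not None
    )


def uncovered_hosts(cert_name: str, hostnames: list[str]) -> list[str]:
    """Hostnames clients will request that the client-side cert does not cover."""
    return [h for h in hostnames if not cert_covers(cert_name, h)]


if __name__ == "__main__":
    # Constructed example: names clients send (SNI/Host) to the VIP carrying *.abc.com.
    requested = ["www.abc.com", "api.abc.com", "abc.com",
                 "mysecond.myfirst.abc.com", "app.noam.abc.net"]
    print(uncovered_hosts("*.abc.com", requested))
    # -> ['abc.com', 'mysecond.myfirst.abc.com', 'app.noam.abc.net']
```

Anything in the uncovered list needs either its own SAN on the client-side certificate or a separate cert/profile; the backend's *.noam.abc.net cert plays no part in what the client sees under SSL offloading.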