Forum Discussion

Lavanya_53665
Jan 31, 2014

LDAP and LDAPS load balancing question

Hello

We would like to load balance Active Directory LDAP and LDAPS traffic via F5. I am looking through the F5 guide; can we assign an SSL profile only to LDAPS traffic, or are we able to assign different SSL profiles for LDAP and LDAPS?

LDAP - plain text to clients, encrypted to LDAP servers

LDAPS - end-to-end SSL, no decryption or bridging

Can we make LDAP and LDAPS accessible via a single VIP, but monitor different ports for each and set different SSL settings?

8 Replies

  • You can set up two virtual servers with the same VIP, one listening on 389 and the other on 636. You'd only apply a server-side SSL profile to your 389 virtual server to encrypt the communications between the F5 and your LDAP server. No SSL profiles would need to be applied to your 636 virtual server, as it would maintain end-to-end encryption. The same pool could be used for both virtual servers.

    • Dave_C_15073
      Can the F5 expose LDAPS (port 636) with an external certificate, terminate the secure connection and then establish an internal LDAPS connection using an internal certificate from the internal LDAP server?
  • Thanks. Can we use an internal certificate then - a Microsoft CA certificate? I am assuming yes.

    • Cory_50405
      Yes, you can use the internal CA signed certificate for your 389 SSL server profile since it won't be presented to the connecting client.
  • Greg_Crosby_319
    Historic F5 Account

    Sounds to me like what you want to do is create 2 VIPs using the same IP address. One will be for LDAP (ip:389), and one will be for LDAPS (ip:636). Doing this will allow you to set the appropriate SSL profiles and assign the correct pool for each connection type.
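The two-listener layout described in this reply and in the first one, written out as tmsh commands. This is an added example, not configuration posted in the thread or supplied by F5: the VIP 192.0.2.10, the domain controllers 10.0.0.11 and 10.0.0.12, every object name, the monitor bind account, the search base and the CA file name ms_root_ca.crt are assumed placeholders. It uses one pool per port, as this reply suggests, so the 636 listener never port-translates LDAPS traffic onto 389.

```tmsh
# Health monitors: one per protocol, so each pool is checked on the port it actually serves.
# ldap_monitor_user / ldap_monitor_pass are placeholders for a low-privilege bind account.
create ltm monitor ldap ldap_389_mon { defaults-from ldap interval 10 timeout 31 username "ldap_monitor_user" password "ldap_monitor_pass" base "dc=example,dc=com" filter "(objectClass=user)" security none }
create ltm monitor ldap ldaps_636_mon { defaults-from ldap interval 10 timeout 31 username "ldap_monitor_user" password "ldap_monitor_pass" base "dc=example,dc=com" filter "(objectClass=user)" security ssl }

# Pools: the same domain controllers, but members on the port each virtual server forwards to.
create ltm pool ad_ldap_pool { members add { 10.0.0.11:389 10.0.0.12:389 } monitor ldap_389_mon }
create ltm pool ad_ldaps_pool { members add { 10.0.0.11:636 10.0.0.12:636 } monitor ldaps_636_mon }

# Server-side SSL profile for the 389 listener. The BIG-IP is the TLS *client* on this hop,
# so what it needs is the CA that issued the domain controllers' certificates (assumed file
# ms_root_ca.crt, imported beforehand), not a server certificate of its own.
# peer-cert-mode require makes it reject a back end whose certificate that CA did not sign;
# the default, ignore, would accept any certificate.
create ltm profile server-ssl ad_ldap_serverssl { defaults-from serverssl ca-file ms_root_ca.crt peer-cert-mode require }

# Virtual server 1: plain LDAP from clients, TLS from the BIG-IP to the domain controllers.
create ltm virtual vs_ad_ldap_389 { destination 192.0.2.10:389 ip-protocol tcp profiles add { tcp { } ad_ldap_serverssl { context serverside } } pool ad_ldap_pool source-address-translation { type automap } }

# Virtual server 2: LDAPS passed through untouched, with no SSL profile at all.
# Clients see the domain controller's own certificate, so this listener needs no certificate on the BIG-IP.
create ltm virtual vs_ad_ldaps_636 { destination 192.0.2.10:636 ip-protocol tcp profiles add { tcp { } } pool ad_ldaps_pool source-address-translation { type automap } }

save sys config
```

To check the result from a client, a bind through `ldapsearch -H ldap://192.0.2.10:389` exercises the 389 path, and `openssl s_client -connect 192.0.2.10:636` should print a certificate issued to the domain controller rather than anything belonging to the BIG-IP. Note what the 389 listener does and does not do: credentials still travel in clear text between the client and the BIG-IP, which is exactly the "plain text to clients" behaviour the question asks for; only the BIG-IP-to-server hop is encrypted.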


  • Do we need any redirection, iRule, etc.? Also, can I use the existing serverssl profile, which I guess is the default? Do I also need a certificate for 636?

    It would be helpful if someone could share the exact process.

    Thanks in advance

  • LDAP and LDAPS load balancing

    On LDAPS (636), must there be a server SSL profile?

    Can this certificate be the F5 default one? Or can you use a CA-signed server certificate?

  • In LDAPS (636), must there be a server SSL profile?

    Can this certificate be the standard F5 one? Or can you use a CA-signed server certificate?