Forum Discussion

Bernard_9303
Feb 03, 2009

SharePoint Server with SSL Offloading Configuration Issue

Hi,

I am trying to configure BIG-IP for SharePoint SSL offloading. Behind the BIG-IP are 2 SharePoint front-end servers.

I created the virtual server and pool as per the Deployment Guide, with the exception that I'm using SSL. I used the default http and clientssl profiles together with the default https monitor. I have also enabled auto-map for SNAT on the virtual server. I enabled default cookie persistence for the virtual server.

When I try to access the URL, it tells me that the page is not found.

Then I did another test. This time round, I used http instead of https. When I accessed the URL, I was prompted with the SharePoint front-end server login page. After I log in, the system again tells me that the page is not found.

Can someone help me?

Thanks,

Bernard

shalom73@gmail.com
  • Ryan_Korock_46
    Historic F5 Account
    Bernard, you mention that you are leveraging the BIG-IP's SSL offloading functionality, which will send the traffic to the SharePoint front ends unencrypted. However, you also mention that you are using the HTTPS monitor.

    If you are using the BIG-IP to decrypt the SSL traffic, then you probably want to use the HTTP monitor instead of the HTTPS. Using an HTTPS monitor against an HTTP service will fail.

    Now when you do connect to the Virtual Server via HTTPS, are you getting the SSL certificate presented to you?
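
The monitor mismatch described in the reply above, as an added example that is not part of the original thread: a Python sketch in which an HTTP-style check and an HTTPS-style check probe the same HTTP-only pool member. The local stand-in server, the function names and the timeout are assumptions made for the illustration; this is not BIG-IP's monitor implementation.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class PlainMember(BaseHTTPRequestHandler):
    """Constructed stand-in for a pool member serving plain HTTP (SSL offloaded)."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # silence per-request logging
        pass

def _probe(sock):
    """Send a minimal GET and report whether the status line is a 200."""
    sock.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
    return b" 200 " in sock.makefile("rb").readline()

def http_monitor(host, port, timeout=2.0):
    """HTTP-style health check: cleartext request straight over TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return _probe(sock)
    except OSError:
        return False

def https_monitor(host, port, timeout=2.0):
    """HTTPS-style health check: a TLS handshake must succeed before any HTTP."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # probing by IP address, as a health check does
    ctx.verify_mode = ssl.CERT_NONE  # this sketch tests protocol match, not trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return _probe(tls)
    except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
        return False

def demo():
    """Run both monitors against one HTTP-only member on a free local port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PlainMember)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {"http": http_monitor(host, port), "https": https_monitor(host, port)}
    finally:
        server.shutdown()
        server.server_close()
```

Calling `demo()` returns the up/down result of each check; the HTTPS-style check reports the member down even though the service is healthy, because the member never answers the TLS handshake.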

     

  • Hi,

    Thanks for your precious reply because I really needed help to get the SharePoint up and running ASAP.

    Let me explain myself clearly.

    I have created a pool named Sharept_pool with 2 member servers with the IPs 10.10.0.71 port 443 and 10.10.0.72 port 443. I configured Round Robin and gateway_icmp as the health monitor for this pool.

    I have created a virtual server named Sharept_vs which uses the Sharept_pool. The Sharept_vs has an IP of 10.10.0.74 port 443. I used the default tcp, http and clientssl profiles. I enabled Auto Map for SNAT Pool. I used default cookie for default persistence.

    What I'm trying to achieve is:

    The 2 SharePoint servers will be on round robin using BIG-IP. Client HTTPS (SSL) connections to the SharePoint will be terminated at BIG-IP, and the connection between BIG-IP and the 2 physical SharePoint servers will be just HTTP.

    When I try to connect to the SharePoint from a client, I type https://10.10.0.74/sharepoint, and it shows that the page is not found.

    I tried creating a test named SharePointTest_vs and SharePointTest_pool using HTTP instead of HTTPS. When I try to connect to this test site http://10.10.0.74/sharepoint, it shows me a SharePoint login page. After login, it shows that the page is not found.

    Hope my explanation is clear enough for you or someone who reads this to help me.

    Appreciate any help given. Thanks.

    Bernard
  • Hi,

    Thanks for all the valuable support. I managed to access the SharePoint now.

    But I have another question to ask:

    I have purchased 1 SSL certificate for the SharePoint virtual server on the F5. I intend to import the certificate into the F5 BIG-IP. My customer told me that they would like to configure their 2 SharePoint servers to listen on HTTPS traffic instead.

    I have been thinking about this new requirement. I think the customer will be required to buy 2 more certificates, one for each of the 2 SharePoint front-end servers.

    But someone told me that I can first import the certificate that I purchased into F5, then export it out and reuse it on the 2 SharePoint front-end servers. In this case, I won't need to purchase additional certificates, thus saving on cost.

    Can someone kindly advise me on this?

    Appreciate your generous help. I believe there are others who may also have benefited from the answers you folks gave me.

    Thanks once again,

    Bernard
  • Ryan_Korock_46
    Historic F5 Account
    Bernard, as long as the SharePoint servers are configured to use the same hostname as was assigned to the certificate, there is nothing technically* that stops you from putting the same certificate on the BIG-IP and the SharePoint servers. You may not have to do any exporting or cert manipulation to accomplish this.

    * I only put this caveat here because it is worth mentioning. Some certificate authorities believe that a certificate is valid only for a single server, and using it for more than one server is a violation of the usage rights. They would like you to purchase a cert for every server. I would read up on the user license that applies to the cert you bought from the CA to find out if this is the case for you or not.

    By the way, what is the customer's end goal? It sounds like they do not want to terminate the SSL on the BIG-IP at all, and just load balance the encrypted traffic untouched. Is this the case? If so, you shouldn't need to load the cert on the BIG-IP. The only reason you would want the cert on the BIG-IP & the servers is if you intended to terminate the SSL, and then re-encrypt it before it was sent to the servers. Some customers do this as it gives them the option to inspect the traffic on the BIG-IP, however the traffic is never unencrypted on the wire.

    Regards

    Ryan

  • Hi,

    How to verify if my SSL certificate is installed properly?

    Thanks,

    Bernard