
Indrajit_Basak_
Jul 22, 2014

SSL Load balancing

Hi, can we configure SSL load balancing without configuring SSL offloading?

 

We are trying to configure Exchange 2010 load balancing through F5. We don't have a third-party trusted CA certificate, so we used the BIG-IP self-signed certificate for clientssl for SSL offloading for the OWA service.

 

  1. My question is: will this F5 default certificate work in the OWA service?
  2. If it does not work, can we configure OWA without SSL offloading at the BIG-IP? SSL offloading will be taken care of by Exchange. In that case, what is the best practice for persistence?

Regards, Indrajit

 

2 Replies

  • You can certainly pass the SSL directly through the F5 to the application, but in the absence of any exposed layer 7 data, your persistence options are mostly limited to source address and SSL sessionID persistence. The former may be difficult to achieve in larger, potentially NATted environments, and the latter may be even more challenging with browser agents that continually renegotiate their SSL sessions.

     

    The absolute best practice is going to be SSL offloading at the F5. You don't technically need to re-encrypt to the servers, but you definitely can. The certificate that you provide in the client SSL profile will be the certificate presented to the user in an SSL negotiation, so the default F5 certificate should work, but expect to get a certificate warning in the browser.

     

  • That means with the default F5 certificate, if I configure a client SSL profile, the OWA/IMAP/POP3 services will work with a certificate warning. Right?

     

    Correct.

     

    If the CSR is signed by a third party, then this issue can be resolved.

     

    If the name requested by the client is the subject (or SAN) name in the server certificate presented, the certificate is not expired, and the client explicitly trusts this certificate and its issuer, then you will not get a certificate warning.
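The three conditions in the last reply (name match, not expired, trusted issuer) can each be checked with the openssl CLI against the certificate assigned to the client SSL profile. This is an added example, not part of the original thread or any F5 tooling; the `*.example.test` hostnames and the throwaway certificates are constructed placeholders, and it assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/usr/bin/env bash
# Added example: throwaway certificates with placeholder names (*.example.test).
# Each function answers one of the three conditions for a warning-free connection.

# make_cert <dir> <hostname> <days>: self-signed cert whose CN and SAN are <hostname>
make_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# name_matches <cert> <hostname>: is the requested name in the certificate?
name_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# not_expiring <cert> [seconds]: still valid <seconds> from now (default: right now)
not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# trusted_by <cert> <bundle>: does the chain end in an anchor from <bundle>?
# -no-CApath keeps the system CA directory out of the decision.
trusted_by() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# warning_free <cert> <hostname> <bundle>: all three conditions together
warning_free() {
  name_matches "$1" "$2" && not_expiring "$1" && trusted_by "$1" "$3"
}

report() { if warning_free "$@"; then echo "no warning"; else echo "warning"; fi; }

work=$(mktemp -d)
make_cert "$work/vip" owa.example.test 30    # stands in for the clientssl certificate
make_cert "$work/other" ca.example.test 30   # a client trust store that lacks it
vip="$work/vip/cert.pem"

echo "client trusting only another anchor: $(report "$vip" owa.example.test "$work/other/cert.pem")"
echo "client that imported the cert:       $(report "$vip" owa.example.test "$vip")"
echo "same client, different hostname:     $(report "$vip" mail.example.test "$vip")"
```

Passing a larger horizon to `not_expiring` (for example 30 days in seconds) turns the expiry check into an early renewal alarm.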