Forum Discussion
Lightspeed_VT_5
Nimbostratus
Apr 21, 2008
Terminating multiple SSL certs on LTM on different ports
I did a cursory search of this question in this forum and didn't find an exact answer to this question.
Currently I have 4 nodes that belong to an HTTP pool on port 80. These same 4 nodes belong to an HTTPS pool on port 443.
It is necessary to terminate 4 more SSL certificates on the LTM and direct traffic on different ports (i.e. ports 444,445,446,447).
I am anticipating setting up 4 more pools of which the 4 nodes mentioned above are members.
I'm using persistent sessions on port 80, but not for the secured ports.
Is it possible to do something like this? What would be the best way to do so?
TIA
4 Replies
hoolio
Cirrostratus
Can you add some detail to the scenario? Do you have a single virtual server set up for each SSL certificate/key pair? Do the web servers host content for multiple applications that are being load balanced?
Aaron

Lightspeed_VT_5
Nimbostratus
There are a dozen or so applications/websites on the servers, but only 4 or 5 will need an HTTPS connection.
The webserver is IIS 6, so only one SSL cert per port can exist. Since typing myapplication.com:444 isn't practical, I was hoping to install all the certs on the LTM.
Currently, only one virtual server is being used, but this can change as necessary.
So I would need to create a virtual server, pool and profile for each domain with a cert installed?

Lightspeed_VT_5
Nimbostratus
I'm not sure that would work in this case, as the dozen applications are on LB servers that resolve to the same IP address. I just want to make sure that if I install all the certs on the LTM, that the traffic will get delivered to the right application on the right port.

Lightspeed_VT_5
Nimbostratus
Ok, picking this back up after awhile...
I set things up as suggested--create a VS > Pool > Node combination for both port 80 and port 448 (chosen port for SSL) for the new cert and application. HTTP traffic works fine, but HTTPS traffic gives "Page cannot be displayed".
When I look at the Pool stats, I see packets coming in, but not going back out. NETSTAT on the web server shows traffic to the BigIP self-ip in TIME-WAIT status.
Something between the Virtual Server and the web server isn't translating....
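The layout the thread converges on (one virtual server, one pool and one client-ssl profile per certificate, each HTTPS virtual on its own port of the shared IP) written out as a bigip.conf-style fragment. This is an added example, not configuration posted in the thread or shipped by F5; it assumes a tmsh-capable LTM release, hypothetical object names (app1_*), RFC 5737/1918 addresses, cookie persistence on port 80 (the thread does not say which persistence type is used), and that the certificate and key were already imported as app1.crt and app1.key.

```tmsh
# Added example, not from the thread. Hypothetical names, RFC 5737/1918 addresses.
# Assumes the cert/key pair was imported first, e.g.
#   tmsh install sys crypto cert app1.crt from-local-file /var/tmp/app1.crt
#   tmsh install sys crypto key  app1.key from-local-file /var/tmp/app1.key

# One pool per application, built from the same four nodes. The member port is
# the port the IIS site actually answers plaintext HTTP on (80 here; use the
# site's own port if it is bound elsewhere).
ltm pool app1_http_pool {
    members {
        10.0.0.11:80 { }
        10.0.0.12:80 { }
        10.0.0.13:80 { }
        10.0.0.14:80 { }
    }
    monitor http
}

# One client-ssl profile per certificate. Attaching it to a virtual is what
# makes the LTM decrypt; without it the virtual is a plain TCP forwarder.
ltm profile client-ssl app1_clientssl {
    cert app1.crt
    key app1.key
    defaults-from clientssl
}

# Existing plaintext virtual on port 80, with persistence as the thread describes
# (cookie persistence is an assumption).
ltm virtual app1_http_vs {
    destination 192.0.2.10:80
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
    }
    pool app1_http_pool
    persist { cookie { default yes } }
    source-address-translation { type automap }
}

# HTTPS virtual for app1 on port 444, terminating TLS with app1's certificate
# and sending decrypted HTTP to the port-80 pool. No persistence, per the thread.
ltm virtual app1_https_vs {
    destination 192.0.2.10:444
    ip-protocol tcp
    profiles {
        app1_clientssl { context clientside }
        http { }
        tcp { }
    }
    pool app1_http_pool
    source-address-translation { type automap }
}

# Repeat the pool / client-ssl profile / virtual triple for app2 on 445,
# app3 on 446 and app4 on 447, each with its own cert and key.
```

Two checks worth making on a virtual that shows packets in but nothing back: first, that the client-ssl profile is actually attached (`tmsh list ltm virtual app1_https_vs profiles`); a virtual without one forwards the TLS ClientHello bytes untouched to port 80, where IIS cannot parse them and simply closes the connection. Second, that server replies can only return through the BIG-IP, either because the BIG-IP is the servers' default gateway or because SNAT (automap above) rewrites the source address; otherwise the pool counters show inbound traffic only. If the backend must receive HTTPS rather than plaintext, point the pool members at the servers' SSL port and add a server-ssl profile (`serverssl { context serverside }`) so the LTM re-encrypts. Later LTM releases also support SNI on client-ssl profiles, which lets several certificates share 443 on one IP, but the per-port layout shown is what the thread asked for.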