Forum Discussion
As mentioned in my previous answer, it is important to set up the https monitoring properly.
It might happen that your (bigd) https monitor marks the poolmember as up while the (tmm) traffic breaks.
This comes from the default monitoring behaviour (handled by bigd), which does not validate the server (poolmember) certificates, even if you assign a specific serverssl profile.
Please make sure to enable the In-TMM monitoring for proper server cert validation.
Thanks for this information Stephan. I was not aware of this either. I will read through the link you provided and get this implemented.
However, based on the standard configuration of our VIPs on the BigIP (that I listed in my last reply), are we still doing end-to-end encryption? I am concerned because currently we don't add the self-signed certificate to the BIG-IP's "Trusted Certificate Authorities". And from what Rodrigo_Albuque mentioned, it means that the self-signed cert is not trusted. Therefore, is our traffic from the BigIP to our Pool members secure?
- Jul 14, 2022
I guess you haven't activated the setting Server Authentication : Server Certificate == require in your serverssl profile. So the ca-bundle.crt in the Trusted Certificate Authorities setting will simply be ignored.
It would be required to add the self-signed server certificates to a certificate bundle and use it as Trusted Certificate Authorities. If you now modify Server Authentication : Server Certificate from "ignore" (default) to "require", you should be safe.
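As an added example (not from the thread or from F5), a Python audit that checks the two settings discussed above in a saved bigip.conf: it flags server-ssl profiles whose CA bundle is set while peer-cert-mode is still ignore, follows defaults-from inheritance, and reports whether the bigd.tmm db variable (In-TMM monitoring) is enabled. The stanza layout, the constructed sample and the treatment of an unset peer-cert-mode as the default ignore are assumptions of this example.

```python
import re

# Constructed bigip.conf fragment (sample data, not from the thread): a profile whose
# CA bundle is silently ignored, a correct one, a child inheriting it, and bigd.tmm.
SAMPLE_CONF = """\
ltm profile server-ssl /Common/serverssl-weak {
    ca-file /Common/ca-bundle.crt
    peer-cert-mode ignore
}
ltm profile server-ssl /Common/serverssl-strict {
    ca-file /Common/ca-bundle.crt
    defaults-from /Common/serverssl
    peer-cert-mode require
}
ltm profile server-ssl /Common/serverssl-child {
    defaults-from /Common/serverssl-strict
}
sys db bigd.tmm { value "disable" }
"""

# One tmsh stanza: kind, object name, and the body between its braces.
STANZA = re.compile(r"^(ltm profile server-ssl|sys db) (\S+) \{(.*?)\}", re.M | re.S)

def _attrs(body):
    pairs = (line.split(None, 1) for line in body.strip().splitlines())
    return {k: v.strip().strip('"') for k, v in (p for p in pairs if len(p) == 2)}

def _effective(profiles, name, key, default):
    # Resolve a setting through the defaults-from chain (cycle-safe).
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if key in profiles[name]:
            return profiles[name][key]
        name = profiles[name].get("defaults-from")
    return default

def audit_server_ssl(conf):
    """Return ({profile: problem}, in_tmm_enabled) for bigip.conf text."""
    profiles, db = {}, {}
    for kind, name, body in STANZA.findall(conf):
        (profiles if kind.startswith("ltm") else db)[name] = _attrs(body)
    findings = {}
    for name in profiles:
        mode = _effective(profiles, name, "peer-cert-mode", "ignore")  # ignore = default
        ca_file = _effective(profiles, name, "ca-file", "none")
        if mode != "require":
            findings[name] = f"peer-cert-mode {mode}: server cert unchecked, ca-file {ca_file} ignored"
        elif ca_file == "none":
            findings[name] = "peer-cert-mode require but no ca-file to validate against"
    return findings, db.get("bigd.tmm", {}).get("value") == "enable"
```

Run it against a `tmsh save sys config` output on a BIG-IP to list every profile that would keep passing bigd monitors while tmm traffic goes unvalidated.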