Forum Discussion

boommen_197293's avatar
boommen_197293
Icon for Nimbostratus rankNimbostratus
May 15, 2015

Regarding client and server side offloading

Hey all,

 

Here's the configuration I need to get working:

 

WebPortal{443} (not on load balancer) -> VS{443} -> nodes{443}

 

due to client requirements, the nodes must serve up content on 443. I would like the load balancer to handle SSL offloading, so i have a standard VS setup with client and server side SSL profiles. I am confused on the server side offloading portion.

 

Let's say my VS would be devsite.com. I would generate a client side cert with a CN of devsite.com, but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose? What also throws me off is that the node itself will have a cert, but based on my config above, does that cert go unused?

 

Hope this makes sense, and thanks for your help

 

  • but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?

     

    certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.

     

    sol14806: Overview of the Server SSL profile (11.x)

     

    https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html

     

  • but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?

     

    certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.

     

    sol14806: Overview of the Server SSL profile (11.x)

     

    https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html

     

    • boommen_197293's avatar
      boommen_197293
      Icon for Nimbostratus rankNimbostratus
      Thanks for the reply nitass, when i set the cert and key to none, my connection fails. I must be configuring something incorrectly. Your response does help me understand the server side role better though
  • but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?

     

    certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.

     

    sol14806: Overview of the Server SSL profile (11.x)

     

    https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html

     

    • boommen_197293's avatar
      boommen_197293
      Icon for Nimbostratus rankNimbostratus
      Thanks for the reply nitass, when i set the cert and key to none, my connection fails. I must be configuring something incorrectly. Your response does help me understand the server side role better though
    • nitass's avatar
      nitass
      Icon for Employee rankEmployee
      you may try tcpdump/ssldump to see what the wrong is.