F5 BigIP – Setting up Virtual Server with SSL offload

 In this post we'll be setting up a VIP with a backend pool of three nodes. We have details of backend node IP addresses, which are given by developer team, and VIP address is allocated/secured by us. In our last post, we looked at F5 BigIP Initial Setup and Configuration. First thing first, so lets create an A record in DNS for application FQDN pointing to Virtual Server IP address.


To start on F5 BigIP, we'll create Nodes. Navigate to Local Traffic >> Nodes >> Create New Node. Add the server name and Address value in the respective fields.



After you add the all the backend nodes, you should be able to see the list of nodes in Nodes section




Next step is to create Pools of backend nodes. Navigate to Local Traffic >> Pools >> Create New Pool.
Add the Name of the pool, and add backend nodes to the pool that we added in in last step along with port and protocol. Also add the health monitor to be used to monitor the health of backend nodes, so that inactive nodes can be removed from the pool if health probe fails. Here I'm using default http health monitor, but custom health monitors can be created as per requirement. 
You also have the option to select the load balancing method to be used for forwarding traffic to backend nodes, by default Round Robin is selected.




Since we have to offload SSL on load balancer, we'll have to create a certificate signing request (CSR) that we can use to request certificate from a Certification Authority.
Navigate to System >> Certificate Management >> Traffic Certificate Management >> SSL Certificate List >> Create New SSL Certificate.
Add Name, Common Name and other details for generating a CSR. When we generate a CSR on BigIP, it automatically creates a private key for the certificate, there is no need to generate private key separately.




Once the CSR is created, copy the Request Text form the CSR




Next step is to login to Certification Authority portal to get a certificate. Paste the CSR text that we copied in above step to the CSR field in CA portal and create a certificate. You may have to perform additional steps in CA portal for verifying your domain if you are requesting certificate for the domain for the first time.




I received two certificates form the Certificate Authority. One is site certificate and another is CA bundle. CA bundle is used to establish trust of certificate issuing authority with root Certificate Authority which is trusted by end user systems.




Now again come back to F5 BigIP to upload the received certificates and navigate to System >> Certificate Management >> Traffic Certificate Managment >> SSL Certificate List >> certificate_name >> Import. Select the site certificate and upload it. 
Upload the CA_bundle certificate as well.




You can see the uploaded certificates in the SSL Certificate list page




Next step is to create an SSL profile where we'll call out these certificates that we just uploaded to F5 BigIP. Navigate to Local Traffic >> Profiles >> SSL >> Client >> Create New Client SSL Profile
Add Name of the profile, check the box in front for Certificate Key Chain and click on Add




Once you click on Add Certificate Key Chain, a pop up window will appear, prompting you to provide Certificate, Key and Chain value.
For the Certificate and key, select the certificate name (not common name) that we created few steps back. For Chain, select the CA_bundle name. Note that even though we did not create private key separately for the certificate, we still see key for the certificate in the dropdown. This is because when we generate CSR in F5 BigIP, a key is automatically generated for the certificate.




Next step is to create Virtual Server for the application. Navigate to Local Traffic >> Virtual Server >> Virtual Server List >> Create New Virtual Server.
In the General Properties section, add the Name, IP address (accessible to end users), Service Port and protocol.
In Configuration section, scroll down to SSL profile (Client) field and select the SSL profile name that we created in above step. In the VLAN and Tunnel Traffic field, select All VLANs and Tunnels and update the Source Address Translation field to Auto Map. Auto Map translation will change the source IP address in forwarded packet to backend node to self IP address, so that backend node sends the return traffic back to F5 BigIP instead of sending it to its gateway.
Scroll down to the Resources section and select the Default Pool to the pool that we created in above step. This will let the Virtual Server know to which backend nodes it has to forward traffic.





Now, open a browser and open the application using its FQDN. You can see that website is opening using SSL and you can also verify the certificate details by clicking the lock icon in the address bar of the browser.







Comments

Popular posts from this blog

Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

Filtering Routes in BGP using Route-maps and Prefix-list

Open Shortest Path First (OSPF)

IKEv2 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec VPN as a Backup for Point-to-Point Link using IP SLA

Border Gateway Protocol (BGP)

Cisco ASA Active/Active Failover Configuration

Bypassing Proxy Server in Google Chrome

Cisco ASA Active/Standby Failover Configuration