Manual Chapter: Configuring HTTPS Load Balancing
12 
When you want to load balance HTTPS traffic, you can configure the BIG-IP® system to perform the SSL handshake that target web servers normally perform. There are two types of SSL processing that you can configure. You can configure either type, or both. They are:
Client-side SSL
A common way to configure the BIG-IP system is to enable client-side SSL, which enables the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. In this case, you need to install only one key/certificate pair on the system.
Server-side SSL
Another way to configure the BIG-IP system is to enable server-side SSL, which enables the system to encrypt requests that the BIG-IP system sends to the target web server, and decrypt the response. In this case, you need to install a second key/certificate pair on the system (in addition to the key/certificate pair that you install for client-side SSL).
Then you can create a custom Client SSL profile, and optionally, a custom Server SSL profile. Client SSL and Server SSL profiles are traffic profiles that determine the way that the BIG-IP system processes client requests or server responses that are sent by way of a fully SSL-encapsulated protocol (in this case, HTTPS).
Finally, you must create a virtual server to process the HTTPS traffic, according to the settings you configured in the custom Client SSL and Server SSL profiles.
For more detailed background information on SSL certificates, SSL profiles, load balancing pools, and virtual servers, see the Configuration Guide for BIG-IP® Local Traffic Manager.
Before you can load balance HTTPS traffic, you must create one or more SSL keys and certificates to install onto the BIG-IP system. With SSL keys and certificates, and a custom Client SSL and optional Server SSL profile that you create, the BIG-IP system can perform the SSL handshaking normally performed by a target web server.
You can configure the BIG-IP system to terminate SSL traffic either by creating a self-signed certificate or by generating a request for a certificate signed by a trusted certificate authority.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
   This displays a list of existing SSL certificates.
2. In the upper-right corner of the screen, click Create.
   This opens the New SSL Certificate screen.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create SSL certificates.
3. In the Name box, type a name for the certificate, such as my_clientside_cert or my_serverside_cert.
4. From the Issuer list, select Self.
5. In the Common Name box, type either the IP address for the virtual server you will create later on, or a DNS name that resolves to the virtual server's IP address.
6. In the Division box, type your company name.
7. In the Organization box, type your department name.
8. In the Locality box, type your city name.
9. In the State or Province box, type your state or province name.
10. From the Country list, select the name of your country.
11. In the E-mail Address box, type your email address.
12. In the Challenge Password box, type a password.
13. In the Confirm Password box, re-type the password you typed in the Challenge Password box.
15. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
   This displays the SSL Certificates screen.
4. In the Issuer box, select Certificate Authority.
5. Configure the Common Name setting (required).
   This value is embedded in a certificate for name-based authentication purposes.
   a) Specifying the key size (512, 1024, or 2048).
   b)
8. Click Finished.
   This displays your certificate request.
Click the button in the Request File box.
10. In the Certificate Authorities box, click a certificate authority name.
    This displays the web site for the certificate authority.
11. Follow the instructions on the web site for either pasting the copied request or attaching the generated request file.
12. Click Finished.
The second task in configuring HTTPS load balancing on the BIG-IP system is to create a custom SSL profile. For client-side SSL processing, you create a custom Client SSL profile. For server-side SSL processing, you create a custom Server SSL profile.
An SSL profile is a group of settings that enable the BIG-IP system to perform decryption and encryption of SSL traffic. Some of the data you specify in a custom SSL profile are the names of any key and certificate you created in the previous task.
After you create a custom SSL profile, you create a load balancing pool, and then create a virtual server, assigning the custom profile to that virtual server.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
2. From the SSL menu, choose Client.
   This displays a list of any existing Client SSL profiles, including the default profile clientssl.
3. In the upper-right corner of the screen, click Create.
   The New Client SSL Profile screen opens.
4. In the Name box, type a name for the custom profile, such as my_clientssl_profile.
5. Ensure that the Parent Profile setting is set to clientssl.
6. For the Certificate setting, check the Custom box on the far right side of the screen.
7. From the Certificate list, select the name of the certificate you created in the previous section.
   Using our example, this name would be my_clientside_cert.crt.
8. For the Key setting, check the Custom box on the far right side of the screen.
9. From the Key list, select the name of the key you created in the previous section.
   Using our example, this name would be my_clientside_cert.key.
10. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
2. From the SSL menu, choose Server.
   This displays a list of any existing Server SSL profiles, including the default profile serverssl.
3. In the upper-right corner of the screen, click Create.
   The New Server SSL Profile screen opens.
4. In the Name box, type a name for the custom profile, such as my_serverssl_profile.
5. Ensure that the Parent Profile setting is set to serverssl.
6. For the Certificate setting, check the Custom box on the far right side of the screen.
7. From the Certificate list, select the name of the certificate you created in the previous section.
   Using our example, this name would be my_serverside_cert.crt.
8. For the Key setting, check the Custom box on the far right side of the screen.
9. From the Key list, select the name of the key you created in the previous section.
   Using our example, this name would be my_serverside_cert.key.
10. Click Finished.
The next task in this process is to create a load balancing pool to load balance connections. After you create the pool, you assign it to a virtual server that you create.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
   The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
   The New Pool screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as http_pool.
4. For the Health Monitors setting, from the Available box select http, and click the Move button (<<) to move the monitor name to the Active box.
5. For the New Members setting, add the pool members:
   a) Click the New Address option.
   b) In the Address box, type the IP address of a server in the pool.
   c) In the Service Port box, type 80, or select HTTP.
   d) Click Add.
6. Click Finished.
The final task in configuring HTTPS load balancing is to define a virtual server that references the custom Client SSL profile and the load balancing pool that you created in previous tasks.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
   The Virtual Servers screen opens.
2. In the upper-right corner of the screen, click Create.
   The New Virtual Server screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.
3. In the Name box, type a name for the virtual server, such as vs_clientssl.
4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server.
5. In the Service Port box, type 443, or select HTTPS from the list.
7. From the Client SSL Profile list, select the name of the custom Client SSL profile that you created previously. In our example, this name is my_clientssl_profile.
   This assigns the custom Client SSL profile to the virtual server.
8. If you created a custom Server SSL profile, then from the Server SSL Profile list, select the name of that profile. In our example, this name is my_serverssl_profile.
   This assigns the custom Server SSL profile to the virtual server.
9. In the Resources area of the screen, locate the Default Pool setting and select the pool name that you created in a previous section. Using our example, this would be http_pool.
10. From the Default Persistence Profile list, select source_addr.
    This implements the default profile for source address affinity persistence.
11. Click Finished.
After you have created the required SSL key/certificate pairs, one or two custom SSL profiles, a load balancing pool, and a virtual server, you can test the configuration by attempting to pass SSL traffic through the virtual server to the pool.
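As part of that test, the certificate the virtual server presents can be audited for the two settings chosen in the certificate task: the Common Name and the key size. The script below is an added example, not part of the F5 manual; it assumes the openssl command-line tool, treats RSA keys below 2048 bits (the 512 and 1024 options) as too weak, also checks expiry, and uses constructed names (audit_cert, make_sample, vs.example.test) and constructed sample certificates.

```shell
#!/bin/sh
# Added example; function names, vs.example.test and paths are constructed.

# audit_cert CERT_FILE EXPECTED_NAME
# Prints findings, one per line; returns 0 only if every check passes.
audit_cert() {
    cert=$1; expected=$2; rc=0
    # RSA key size, read from the "Public-Key: (N bit)" line of the text dump.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK_KEY ${bits:-unknown}"; rc=1
    fi
    # The Common Name must equal the address or DNS name clients connect to.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected" ]; then
        echo "NAME_MISMATCH $cn"; rc=1
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $bits $cn"
    return "$rc"
}

# make_sample BITS CN OUT_PREFIX: constructed self-signed certificate and key.
make_sample() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 30 \
        -subj "/CN=$2/O=Example" -keyout "$3.key" -out "$3.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample 2048 vs.example.test "$tmp/good"
make_sample 1024 vs.example.test "$tmp/weak"
audit_cert "$tmp/good.crt" vs.example.test || true   # OK 2048 vs.example.test
audit_cert "$tmp/weak.crt" vs.example.test || true   # WEAK_KEY 1024
audit_cert "$tmp/good.crt" 192.0.2.10 || true        # NAME_MISMATCH vs.example.test
rm -rf "$tmp"
```

Against a live virtual server, the presented certificate can be saved with openssl s_client -connect <virtual-server-address>:443 piped into openssl x509 -out vs.crt, and vs.crt then passed to audit_cert.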