
Manual Chapter: Securing an iSession Deployment

About iSession endpoint security

For a secure iSession deployment, you must use SSL encryption to secure the endpoints of the iSession connection. The default SSL profile settings on the BIG-IP WOM Quick Start screen are sufficient to get WAN Optimization Manager up and running in a demo environment or for testing. To secure the WOM endpoints, F5 recommends that you specify SSL profiles that use a WOM-specific root certificate (cert) from a trusted certificate authority (CA).

Task summary

The process of securing a WAN optimization deployment using SSL includes creating a cert for each BIG-IP WOM endpoint, and then specifying this cert (along with its associated key) in WOM-related profiles and settings on the system. Before you start this procedure, ensure that you have configured BIG-IP WOM on both sides of the WAN. This implementation is based on the default WOM settings, except where noted.

The following illustration shows the network setup. The example in this implementation uses the specified IP addresses.

  • The local endpoint IP address on the BIG-IP SiteA system is 1.1.1.1.
  • The local endpoint IP address on the BIG-IP SiteB system is 2.2.2.2.
Network topology for a secure iSession connection

Task list

Generating and importing SSL certificates for a secure iSession connection

You need to generate and import SSL certificates for a secure iSession connection.
  1. Generate a root certificate using external Certificate Authority (CA) software, such as the freeware program SimpleCA.
  2. Import the generated root certificate into both BIG-IP WOM systems (for example, BIG-IP SiteA and BIG-IP SiteB).
  3. On one of the BIG-IP systems, complete the following steps.
    1. On the Main tab, click Local Traffic > SSL Certificate List > Import.
    2. From the Import Type list, select Certificate.
    3. For the Certificate Name setting, click Create New, and type wom-root-ca.
    4. For the Certificate Source setting, either click Upload File and provide a file name by typing or browsing to the file, or click Paste Text, and paste the text copied from another source into the field.
    5. Click Import.
    6. Repeat these steps on the other BIG-IP system.
  4. Create a certificate and key on one of the BIG-IP systems (for example, BIG-IP SiteA).
    1. On the Main tab, click Local Traffic > SSL Certificate List.
    2. Click the Create button.
    3. In the Name field, type wom-endpoint.
    4. From the Issuer list, select Certificate Authority.
    5. In the Common Name field, type the IP address of the local endpoint for BIG-IP WOM, for example, 1.1.1.1.
    6. Provide any additional information required by your organization.
    7. Click Finished.
  5. On the Certificate Signing Request screen, copy or download the certificate signing request for the certificate created in the previous step, and use it to generate a signed certificate using your external CA and the CA certificate that you generated in step 1.
  6. Import the generated certificate into the BIG-IP WOM system (for example, BIG-IP SiteA).
    1. On the Main tab, click Local Traffic > SSL Certificate List.
    2. Click wom-endpoint (the certificate you created in step 4).
    3. Select the file wom-endpoint.crt.
    4. Click Import.
  7. Repeat steps 4-6 on the other BIG-IP system (for example, BIG-IP SiteB), but type 2.2.2.2 in the Common Name field on the New SSL Certificate screen.
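The external-CA part of this procedure (steps 1 and 5), followed by a check to run on each signed certificate before importing it in step 6, as an added example that is not part of the F5 manual. It assumes OpenSSL in place of SimpleCA; the CSR it builds is a constructed stand-in for the one downloaded from the BIG-IP system, and the per-IP file names and function names are hypothetical.

```bash
# Added example: OpenSSL stands in for the external CA of steps 1 and 5.
set -eu
WORK=$(mktemp -d)   # scratch directory (constructed for this example)

# Minimal config so the root always carries CA extensions.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = wom-root-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 1: self-signed root certificate, imported on both systems as wom-root-ca.
make_root_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORK/wom-root-ca.key" -out "$WORK/wom-root-ca.crt" \
    2>/dev/null
}
# Constructed stand-in for the CSR BIG-IP produces in step 4 (CN = endpoint IP).
make_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/wom-endpoint-$1.csr" \
    2>/dev/null
}
# Step 5: sign the CSR with the root CA.
sign_csr() {
  openssl x509 -req -in "$WORK/wom-endpoint-$1.csr" -sha256 -days 365 \
    -CA "$WORK/wom-root-ca.crt" -CAkey "$WORK/wom-root-ca.key" \
    -CAcreateserial -out "$WORK/wom-endpoint-$1.crt" 2>/dev/null
}
# Pre-import check: the cert chains to the root and its CN is the expected IP.
check_endpoint_cert() {   # args: cert file, root CA file, expected CN
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$3" ]
}

make_root_ca
for ip in 1.1.1.1 2.2.2.2; do   # SiteA and SiteB local endpoints
  make_csr "$ip"; sign_csr "$ip"
  check_endpoint_cert "$WORK/wom-endpoint-$ip.crt" "$WORK/wom-root-ca.crt" "$ip" &&
    echo "wom-endpoint for $ip: chain and CN verified"
done
```

In the procedure itself the private key is created on the BIG-IP system in step 4 and stays there; only the CSR and the signed wom-endpoint.crt pass through the CA host.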

Customizing SSL profiles for a secure iSession connection

To create custom SSL profiles to use for securing an iSession connection, follow these steps.
  1. On one of the BIG-IP WOM systems (for example, BIG-IP SiteA), create a new SSL server profile based on the parent profile serverssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    2. From the Import Type list, select Certificate.
    3. For the Certificate Name setting, click Create New, and type wom-root-ca.
    4. Click the Create button.
    5. For the Certificate Source setting, either click Upload File and provide a file name by typing or browsing to the file, or click Paste Text, and paste the text copied from another source into the field.
    6. Click Import.
    7. Repeat these steps on the other BIG-IP WOM system.
  2. Create a certificate and key on one of the BIG-IP systems (BIG-IP SiteA in our example).
    1. On the Main tab, click Local Traffic > SSL Certificate List.
    2. Click the Create button.
    3. In the Name field, type wom-serverssl.
    4. From the Configuration field, select Advanced to display more options.
    5. For the Certificate setting, select the associated Custom check box (to override the default setting), and select wom-endpoint from the list.
    6. For the Key setting, select the associated Custom check box, and select wom-endpoint from the list.
    7. For the Server Certificate setting (near the bottom of the screen), select the associated Custom check box, and select require from the list.
    8. For the Trusted Certificates Authorities setting, select the associated Custom check box, and select wom-root-ca from the list.
    9. For the Frequency setting, select the associated Custom check box, and select always from the list.
    10. Click Finished.
  3. Update the configuration on the BIG-IP system (BIG-IP SiteA in our example) to refer to the new client SSL profile.
    1. On the Main tab, click WAN Optimization > Quick Start.
    2. From the Inbound iSession from WAN list, select wom-clientssl.
    3. Click Apply. Alternatively, you can use the iSession Listener screen settings to create an iSession listener that refers to wom-clientssl.
  4. Repeat steps 1-3 on the other BIG-IP WOM system (BIG-IP SiteB in our example).

Configuring the remote endpoints for a secure iSession connection

To configure the remote endpoints using SSL profiles to secure the iSession connection, follow these steps.
  1. On the first BIG-IP system (for example, BIG-IP SiteA) create a new SSL server profile based on the parent profile wom-serverssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    2. Click the Create button.
    3. In the Name box, type wom-serverssl-2.2.2.2.
    4. From the Parent Profile list, select wom-serverssl.
    5. In the Server Authentication area, for the Authenticate Name setting, select the associated Custom check box (to override the default setting), and type 2.2.2.2.
    6. Click Finished.
  2. On the first BIG-IP system (BIG-IP SiteA in our example), edit the remote endpoint settings.
    1. On the Main tab, click WAN Optimization > Remote Endpoints.
    2. In the IP Address column, click 2.2.2.2 to open the properties screen for that remote endpoint.
    3. For the Authentication and Encryption setting, select wom-serverssl-2.2.2.2.
    4. Click Update.
  3. On the second BIG-IP system (BIG-IP SiteB in our example), create a new SSL server profile based on the parent profile wom-serverssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    2. Click the Create button.
    3. In the Name box, type wom-serverssl-1.1.1.1.
    4. From the Parent Profile list, select wom-serverssl.
    5. In the Server Authentication area, for the Authenticate Name setting, select the associated Custom check box (to override the default setting), and type 1.1.1.1.
    6. Click Finished.
  4. On the second BIG-IP system (BIG-IP SiteB in our example), edit the remote endpoint settings.
    1. On the Main tab, click WAN Optimization > Remote Endpoints.
    2. In the IP Address column, click 1.1.1.1 to open the properties screen for that remote endpoint.
    3. For the Authentication and Encryption setting, select wom-serverssl-1.1.1.1.
    4. Click Update.

Implementation result

After you complete the tasks in this implementation, you have secured the iSession endpoints of your WOM deployment. The iSession traffic is now secure. Next, you can encrypt data traffic with iSession, using either IPsec for all applications, or SSL on a per-application basis.
