Manual Chapter: Securing Your WAN Optimization

You can use the default SSL profile settings to get your WAN Optimization Modules up and running in a demo environment or for testing. This section describes how to secure your WAN Optimization Modules for production.
If you want to encrypt traffic over the WAN through the iSession connection, we recommend that you specify SSL profiles that use a WOM-specific root certificate (cert) from a trusted certificate authority (CA).
The process of securing your WAN optimization deployment includes creating a cert for each WAN Optimization Module endpoint, and then specifying this cert (along with its associated key) in WOM-related profiles and settings on the BIG-IP® system.
2.
a) Generate the key and certificate request on the BIG-IP system.
The CA uses the certificate request to generate the WOM endpoint-specific cert, signed using the WOM-specific root cert.
3.
For an example of this process, see Implementing a secure iSession connection. For more detailed information about generating and managing SSL certificates on the BIG-IP system, refer to the Configuration Guide for BIG-IP® Local Traffic Manager.
After you have secured your WAN optimization deployment, you can enable and disable data encryption for application traffic, as needed.
Figure 4.1, following, shows the topology for this example.
The following procedure starts after the WAN Optimization modules on both sides of the WAN have already been configured with the default settings.
1. Using external CA software, such as the freeware program SimpleCA, generate a root certificate.
2. Import the generated root cert into the BIG-IP SiteA and BIG-IP SiteB systems. On one of the BIG-IP systems, complete the following steps:
a) On the Main tab of the navigation pane, expand Local Traffic, point to SSL Certificates, and click Import.
b) From the Import Type list, select Certificate.
c) For the Certificate Name setting, type wom-root-ca.
d) For the Certificate Source setting, select the option that meets your criteria:
- Click Upload File, and either type a file name or click Browse and select a file.
- Click Paste Text, copy the text from another source, and paste the text into the Certificate Source window.
e) Click Import.
a) On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
b) Click the Create button.
c) In the Name box, type wom-endpoint.
d) From the Issuer list, select Certificate Authority.
e) In the Common Name box, type 1.1.1.1.
g) Click Finished.
4. On the Certificate Signing Request screen, copy or download the certificate signing request for the certificate created in the previous step, and use it to generate a signed cert using your external CA and CA cert from step 1.
a) On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
a) Click wom-endpoint.
b) Select the file wom-endpoint.crt.
c) Click Import.
6. Repeat steps 3-5 on BIG-IP SiteB, typing 2.2.2.2 in the Common Name box on the New SSL Certificate screen.
a) On the Main tab of the navigation pane, expand Local Traffic, point to Profiles, point to SSL, and click Server.
b) Click the Create button.
c) In the Name box, type wom-serverssl.
d) From the Configuration list, select Advanced to show more options.
e) For the Certificate setting, check the box in the Custom column (to override the default setting), and select wom-endpoint from the list.
f) For the Key setting, check the box in the Custom column, and select wom-endpoint from the list.
g) For the Trusted Certificate Authorities setting, check the box in the Custom column, and select wom-root-ca.
h) For the Server Certificate setting (near the bottom of the screen), check the box in the Custom column, and select require.
i) For the Frequency setting, check the box in the Custom column, and select always.
j) Click the Finished button.
2.
a) On the Main tab of the navigation pane, expand Local Traffic, point to Profiles, point to SSL, and click Client.
b) Click the Create button.
c) In the Name box, type wom-clientssl.
d) From the Configuration list, select Advanced to show more options.
e) For the Certificate setting, check the box in the Custom column (to override the default setting), and select wom-endpoint from the list.
f) For the Key setting, check the box in the Custom column, and select wom-endpoint from the list.
g) For the Trusted Certificate Authorities setting, check the box in the Custom column, and select wom-root-ca.
h) For the Client Certificate setting (at the bottom of the screen), check the box in the Custom column, and select require.
i) For the Frequency setting, check the box in the Custom column, and select always.
j) For the Advertised Certificate Authorities setting, check the box in the Custom column, and select wom-root-ca.
k) Click the Finished button.
3. Update the configuration on BIG-IP SiteA to refer to the new profiles by using one of the following methods:
a) On the Main tab of the navigation pane, expand WAN Optimization, and click Quick Start.
b) From the Inbound iSession from WAN list, select wom-clientssl.
c) Click the Apply button.
a) On the Main tab of the navigation pane, expand WAN Optimization, point to Local Endpoint, and click iSession Listeners.
b) Click the Create button.
c) From the Authentication and Encryption list, select wom-clientssl.
d) Fill in the remaining information, as required.
For descriptions of the settings, refer to the online help.
e) Click the Finished button.
a) On the Main tab of the navigation pane, expand WAN Optimization, point to Local Endpoint, and click iSession Listeners.
b) In the Name column, click the name of the iSession listener to open the properties screen for that virtual server.
c) In the Configuration area of the screen, scroll down, and from the SSL Profile (Client) list, select wom-clientssl.
d) Click the Update button.
a) On the Main tab of the navigation pane, expand Local Traffic, point to Profiles, point to SSL, and click Server.
b) Click the Create button.
c) In the Name box, type wom-serverssl-2.2.2.2.
d) From the Parent Profile list, select wom-serverssl.
e) For the Authenticate Name setting (at the bottom of the screen), check the box in the Custom column, and type 2.2.2.2.
f) Click the Finished button.
a) On the Main tab of the navigation pane, expand WAN Optimization, and click Remote Endpoints.
b) In the IP Address column, click 2.2.2.2 to open the properties screen for that remote endpoint.
c) For the Authentication and Encryption setting, select wom-serverssl-2.2.2.2.
d) Click the Update button.
a) On the Main tab of the navigation pane, expand Local Traffic, point to Profiles, point to SSL, and click Server.
b) Click the Create button.
c) In the Name box, type wom-serverssl-1.1.1.1.
d) From the Parent Profile list, select wom-serverssl.
e) For the Authenticate Name setting (at the bottom of the screen), check the box in the Custom column, and type 1.1.1.1.
f) Click the Finished button.
a) On the Main tab of the navigation pane, expand WAN Optimization, and click Remote Endpoints.
b) In the IP Address column, click 1.1.1.1 to open the properties screen for that remote endpoint.
c) For the Authentication and Encryption setting, select wom-serverssl-1.1.1.1.
d) Click the Update button.
After you complete the process described in the preceding pages, the result should provide authenticated and encrypted connections between the WAN Optimization Module endpoints in your network configuration.
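The certificate side of the procedure above, sketched with the openssl command line standing in for SimpleCA and for the BIG-IP certificate screens (an added example, not part of the original manual). It issues both endpoint certs under one WOM-specific root and checks, before import, the two properties the SSL profiles enforce: trust in wom-root-ca and the Common Name typed as Authenticate Name. The root CA subject, file names, validity period and RSA key size are assumptions.

```shell
#!/bin/sh
# Added example: openssl replaces the external CA (SimpleCA on the page) and
# the BIG-IP CSR screen. Subjects other than the endpoint CNs are constructed.
set -eu
WORK=$(mktemp -d)   # scratch directory (assumption); it will hold private keys

# Step 1: a root cert used only for WOM endpoints (imported as wom-root-ca).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=WOM Demo Root CA" \
        -keyout "$WORK/wom-root-ca.key" -out "$WORK/wom-root-ca.crt" 2>/dev/null
}

# Steps 3-5: key and CSR for one endpoint, then the CA signs the CSR.
# $1 = Common Name (the endpoint IP address in the page's example).
make_endpoint() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/wom-endpoint-$1.key" -out "$WORK/wom-endpoint-$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/wom-endpoint-$1.csr" -days 365 \
        -CA "$WORK/wom-root-ca.crt" -CAkey "$WORK/wom-root-ca.key" -CAcreateserial \
        -out "$WORK/wom-endpoint-$1.crt" 2>/dev/null
}

# Pre-import check: cert $1 must chain to CA cert $2 and carry Common Name $3,
# mirroring Trusted Certificate Authorities and Authenticate Name.
check_endpoint() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "untrusted"; return 1; }
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$3" ] || { echo "cn-mismatch"; return 1; }
    echo "ok"
}

make_root_ca
make_endpoint 1.1.1.1   # BIG-IP SiteA
make_endpoint 2.2.2.2   # BIG-IP SiteB

# SiteA's wom-serverssl-2.2.2.2 profile expects the peer to present CN 2.2.2.2.
check_endpoint "$WORK/wom-endpoint-2.2.2.2.crt" "$WORK/wom-root-ca.crt" 2.2.2.2
# SiteA's own cert is trusted by the same root but fails the name check.
check_endpoint "$WORK/wom-endpoint-1.1.1.1.crt" "$WORK/wom-root-ca.crt" 2.2.2.2 || true
```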
For application data that was not originally encrypted, you can choose to encrypt the iSession connection for additional security over the WAN, as follows:
- Make sure the Application Data Encryption setting on the Quick Start screen is Enabled. For details about the Quick Start screen, refer to the BIG-IP® WAN Optimization Module: Quick Setup.
- Make sure the iSession profile associated with the optimized application virtual server on the outbound connection has the Application Data Encryption setting Enabled. One example is the system-provided isession-encrypt profile. For details about creating an iSession profile, see Customizing the iSession profile.