| My Support

Applies To:

Show Versions Show Versions
Manual Chapter: Securing an iSession Deployment
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Securing an iSession deployment

For a secure iSession deployment, you must use SSL encryption to secure the endpoints of the iSession connection. The default SSL profile settings on BIG-IP acceleration Quick Start screen are sufficient to get symmetric optimization up and running in a demo environment or for testing. F5 recommends that, to secure the endpoints, you specify SSL profiles that use a symmetric optimization-specific root certificate (cert) from a trusted certificate authority (CA).

This illustration shows the network setup for a secure iSession deployment. The example in this implementation uses the specified IP addresses.

  • The local endpoint IP address on the BIG-IP SiteA system is 1.1.1.1.
  • The local endpoint IP address on the BIG-IP SiteB system is 2.2.2.2.
Network topology for a secure iSession connection

Task summary

The process of securing an iSession deployment using SSL includes creating a cert for each iSession endpoint, and then specifying this cert (along with its associated key) in acceleration-related profiles and settings on the system. Before you start this procedure, ensure that you have configured the BIG-IP system on both sides of the WAN. This implementation is based on the default acceleration settings, except where noted.

Task list

Generating and importing SSL certificates for a secure iSession connection

You need to generate and import SSL certificates for a secure iSession connection.
  1. Generate a root certificate using external Certificate Authority (CA) software, such as the freeware program SimpleCA.
  2. Import the generated root certificate into both BIG-IP systems (for example, BIG-IP SiteA and BIG-IP SiteB).
  3. On one of the BIG-IP systems, complete the following steps.
    1. On the Main tab, click System > File Management > SSL Certificate List > Import.
    2. From the Import Type list, select Certificate.
    3. For the Certificate Name setting, click Create New, and type wom-root-ca.
    4. For the Certificate Source setting, either click Upload File and provide a file name by typing or browsing to the file, or click Paste Text, and paste the text copied from another source into the field.
    5. Click Import.
    6. Repeat these steps on the other BIG-IP system.
  4. Create a certificate and key on one of the BIG-IP systems (for example, BIG-IP SiteA).
    1. On the Main tab, click System > File Management > SSL Certificate List.
    2. Click the Create button.
    3. In the Name field, type wom-endpoint.
    4. From the Issuer list, select Certificate Authority.
    5. In the Common Name field, type the IP address of the local endpoint for the BIG-IP, for example, 1.1.1.1.
    6. Provide any additional information required by your organization.
    7. Click Finished.
  5. On the Certificate Signing Request screen, copy or download the certificate signing request for the certificate created in the previous step, and use it to generate a signed certificate using your external CA and the CA certificate that you generated in step 1.
  6. Import the generated certificate into the BIG-IP system (for example, BIG-IP SiteA).
    1. On the Main tab, click System > File Management > SSL Certificate List.
    2. Click wom-endpoint (the certificate you created in step 4).
    3. Select the file wom-endpoint.crt.
    4. Click Import.
  7. Repeat steps 4-6 on the other BIG-IP system (for example, BIG-IP SiteB), but type 2.2.2.2 in the Common Name field on the New SSL Certificate screen.

Customizing SSL profiles for a secure iSession connection

To create custom SSL profiles to use for securing an iSession connection, follow these steps.
  1. On one of the BIG-IP systems (for example, BIG-IP SiteA), create a new SSL client profile based on the parent profile clientssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    2. Click the Create button.
    3. In the Name field, type wom-clientssl.
    4. From the Configuration list, select Advanced to display more options.
    5. For the Certificate setting, select the associated Custom check box (to override the default setting), and select wom-endpoint from the list.
    6. For the Key setting, select the associated Custom check box, and select wom-endpoint from the list.
      SSL Client Profile Certificate and Key settings
    7. In the Client Authentication area (near bottom of screen), for the Client Certificate setting, select the associated Custom check box, and select require from the list.
    8. For the Frequency setting, select the associated Custom check box, and select always from the list.
    9. For the Trusted Certificates Authorities setting, select the associated Custom check box, and select wom-root-ca from the list.
    10. For the Advertised Certificates Authorities setting, select the associated Custom check box, and select wom-root-ca from the list.
      SSL Client Profile Authentication settings
    11. Click Finished.
  2. Update the configuration on the BIG-IP system (BIG-IP SiteA in our example) to refer to the new client SSL profile.
    1. On the Main tab, click Acceleration > Quick Start.
    2. From the Inbound iSession from WAN list, select wom-clientssl.
      Quick Start screen with Authentication setting highlighted
    3. Click Apply. Alternatively, you can use the iSession Listener screen settings to create an iSession listener that refers to wom-clientssl.
  3. Repeat steps 1-2 on the other BIG-IP system (BIG-IP SiteB in our example).

Configuring the remote endpoints for a secure iSession connection

To configure the remote endpoints using SSL profiles to secure the iSession connection, follow these steps.
  1. On the first BIG-IP system (for example, BIG-IP SiteA) create a new SSL server profile based on the parent profile serverssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    2. Click the Create button.
    3. In the Name box, type wom-serverssl-2.2.2.2.
    4. From the Parent Profile list, select serverssl.
    5. From the Configuration list, select Advanced to display more options.
    6. For the Certificate setting, select the associated Custom check box (to override the default setting), and select wom-endpoint from the list.
    7. For the Key setting, select the associated Custom check box, and select wom-endpoint from the list.
      SSL Server Profile Certificate and Key settings
    8. In the Server Authentication area, for the Server Certificate setting, select the associated Custom check box, and select require from the list.
    9. For the Frequency setting, select the associated Custom check box, and select always from the list.
    10. For the Authenticate Name setting, select the associated Custom check box, and type 2.2.2.2.
    11. For the Trusted Certificates Authorities setting, select the associated Custom check box, and select wom-root-ca from the list.
      SSL Server Profile Authentication settings
    12. Click Finished.
  2. On the first BIG-IP system (BIG-IP SiteA in our example), edit the remote endpoint settings.
    1. On the Main tab, click Acceleration > Symmetric Optimization > Remote Endpoints.
    2. In the IP Address column, click 2.2.2.2 to open the properties screen for that remote endpoint.
    3. For the Authentication and Encryption setting, select wom-serverssl-2.2.2.2.
      Remote Endpoints Properties screen with Authentication setting highlighted
    4. Click Update.
  3. On the second BIG-IP system (BIG-IP SiteB in our example), create a new SSL server profile based on the parent profile serverssl.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    2. Click the Create button.
    3. In the Name box, type wom-serverssl-1.1.1.1.
    4. From the Parent Profile list, select serverssl.
    5. From the Configuration list, select Advanced to display more options.
    6. For the Certificate setting, select the associated Custom check box (to override the default setting), and select wom-endpoint from the list.
    7. For the Key setting, select the associated Custom check box, and select wom-endpoint from the list.
    8. In the Client Authentication area, for the Server Certificate setting, select the associated Custom check box, and select require from the list.
    9. For the Frequency setting, select the associated Custom check box, and select always from the list.
    10. For the Authenticate Name setting, select the associated Custom check box, and type 1.1.1.1.
    11. For the Trusted Certificates Authorities setting, select the associated Custom check box, and select wom-root-ca from the list.
    12. Click Finished.
  4. On the second BIG-IP system (BIG-IP SiteB in our example), edit the remote endpoint settings.
    1. On the Main tab, click Acceleration > Symmetric Optimization > Remote Endpoints.
    2. In the IP Address column, click 1.1.1.1 to open the properties screen for that remote endpoint.
    3. For the Authentication and Encryption setting, select wom-serverssl-1.1.1.1.
    4. Click Update.

Implementation result

After you complete the tasks in this implementation, you have secured the iSession endpoints of your symmetric deployment. The iSession traffic is now secure. Next, you can encrypt data traffic with iSession, using either IPsec for all applications, or SSL on a per-application basis.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)

About F5

Education

F5 Sites

Support Tasks

Connect with us

© Copyright 2018 by F5 Networks, Inc. | Policies | Privacy | Trademarks