Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

ProcedureTo Configure SSL Termination on the Distributed Authentication UI Load Balancer

In this deployment example, Secure Socket Layer (SSL) termination at Load Balancer 4 increases the performance at the server level, and simplifies SSL certificate management. Clients will access Load Balancer 4 using SSL-encrypted data. Load Balancer 4 decrypts the data and then sends the unencrypted data on to the Access Manager server. The Access Manager server or Authentication UI server does not have to perform decryption, and the burden on its processor is relieved. Load Balancer 3 then load-balances the decrypted traffic to the appropriate Access Manager server. Finally, Load Balancer 34encrypts the responses from server, and sends encrypted responses to the client.

In this deployment example, an SSL certificate is required only at the Load Balancer 4, and not required for each Access Manager server. This simplifies SSL certificate management. Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.

In this deployment example, you set up a proxy server using BIG-IPTM hardware and software.

  1. Configure the new proxy service.

    1. Log in to the BIG-IP load balancer using the following information:





    2. Click the link “Configure your BIG-IP using the Configuration Utility.”

    3. In the load balancer console, in the left pane, click Proxies.

    4. On the Proxies tab, click Add.

    5. In the Add Proxy dialog, provide the following information:

      Proxy Type:

      Check the SSL checkbox.

      Proxy Address:

      xxx.xx.69.14 (The IP address of Load Balancer 3, the Access Manager server load balancer.)

      Proxy Service:

      9443 (The port number of the new proxy you are setting up.)

      Destination Address:


      Destination Service:


      Destination Target:

      Choose Local Virtual Server.

      SSL Certificate:


      SSL Key:


      Enable ARP:

      Check this checkbox.

    6. Click Next.

    7. In the Rewrite Redirects field, choose All.

    8. Click Done.

      The new proxy server is now added to the Proxy Server list.

  2. Verify that you can access the Access Manager server using the new proxy server port number.

    1. Open a browser, and go to the following URL:

      Tip –

      You may see a message indicating that the Access Manager server doesn't recognize the certificate issuer. When this happens, install the root Certificate Authority certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.

      1. Log in to the Access Manager console using the following information:





        If you can successfully log in to Access Manager 1, then the SSL certificate is installed properly and proxy service is configured properly.

    2. Log out of Access Manager, and close the browser.