In this deployment example, Secure Sockets Layer (SSL) termination at Load Balancer 4 increases performance at the server level and simplifies SSL certificate management. Clients access Load Balancer 4 using SSL-encrypted data. Load Balancer 4 decrypts the data and then sends the unencrypted data on to the Access Manager server. The Access Manager server or Authentication UI server does not have to perform decryption, which relieves the burden on its processor. Load Balancer 3 then load-balances the decrypted traffic to the appropriate Access Manager server. Finally, Load Balancer 4 encrypts the responses from the server and sends the encrypted responses to the client.
In this deployment example, an SSL certificate is required only at Load Balancer 4, and not for each Access Manager server. This simplifies SSL certificate management. Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.
In this deployment example, you set up a proxy server using BIG-IP™ hardware and software.
Configure the new proxy service.
Log in to the BIG-IP load balancer using the following information:
username
password
Click the link “Configure your BIG-IP using the Configuration Utility.”
In the load balancer console, in the left pane, click Proxies.
On the Proxies tab, click Add.
In the Add Proxy dialog, provide the following information:
Check the SSL checkbox.
xxx.xx.69.14 (The IP address of Load Balancer 3, the Access Manager server load balancer.)
9443 (The port number of the new proxy you are setting up.)
xxx.xx.69.14
90
Choose Local Virtual Server.
Choose LoadBalancer-4.example.com.
Choose LoadBalancer-4.example.com.
Check this checkbox.
Click Next.
In the Rewrite Redirects field, choose All.
Click Done.
The new proxy server is now added to the Proxy Server list.
Verify that you can access the Access Manager server using the new proxy server port number.
Open a browser, and go to the following URL:
https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443/amserver/UI/Login
You may see a message indicating that the Access Manager server doesn't recognize the certificate issuer. When this happens, install the root Certificate Authority certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.
Log out of Access Manager, and close the browser.
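The browser check above can be supplemented with a scripted one. The following Python sketch is an added example, not part of the original procedure or of any vendor tooling: it fetches a page through the proxy port while verifying the certificate against the root CA file, and audits the Location header of any redirect. It assumes that the purpose of setting Rewrite Redirects to All is to keep server redirects on the HTTPS proxy address; the function names, the CA file argument, and the sample header values are hypothetical.

```python
import http.client
import ssl
from urllib.parse import urlsplit

PROXY_HOST = "LoadBalancer-4.example.com"  # proxy host name from the procedure
PROXY_PORT = 9443                          # SSL proxy port from the procedure
BACKEND_PORT = 90                          # plaintext destination port from the procedure

# Constructed Location header values for illustration, not captured traffic.
SAMPLES = [
    "https://LoadBalancer-4.example.com:9443/distAuth/UI/Login",
    "http://LoadBalancer-4.example.com:90/distAuth/UI/Login",
    "https://LoadBalancer-4.example.com/distAuth/UI/Login",
    "/distAuth/UI/Login",
]


def audit_location(location, host=PROXY_HOST, port=PROXY_PORT):
    """Return a list of problems with one Location value (empty list = OK)."""
    parts = urlsplit(location)
    if not parts.netloc:
        return []  # relative redirect: the client stays on the HTTPS origin
    try:
        explicit_port = parts.port
    except ValueError:
        return ["redirect has an invalid port"]
    scheme = parts.scheme or "https"  # scheme-relative URLs inherit HTTPS
    problems = []
    if scheme != "https":
        problems.append("redirect leaves HTTPS (scheme=%r)" % scheme)
    if (parts.hostname or "") == host.lower():
        effective = explicit_port or (443 if scheme == "https" else 80)
        if effective == BACKEND_PORT:
            problems.append("redirect exposes backend port %d" % BACKEND_PORT)
        elif effective != port:
            problems.append("redirect targets port %d, not proxy port %d" % (effective, port))
    return problems


def fetch_location(path, cafile, host=PROXY_HOST, port=PROXY_PORT):
    """GET path via the proxy; certificate chain and host name are verified."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the given root CA
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
```

A certificate that does not chain to the supplied root CA makes `fetch_location` raise `ssl.SSLCertVerificationError`, which is the scripted equivalent of the browser warning described above.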