Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

Procedure: To Configure SSL Termination on the Distributed Authentication User Interface Load Balancer

Secure Sockets Layer (SSL) termination at Load Balancer 4 increases performance at the Access Manager level and simplifies SSL certificate management. Because Load Balancer 4 sends unencrypted data internally, neither the Access Manager server nor the Distributed Authentication User Interface has to perform decryption, which relieves the burden on their processors. Clients send SSL-encrypted data to Load Balancer 4, which decrypts the data and sends it unencrypted to the appropriate Distributed Authentication User Interface. Load Balancer 4 also encrypts responses from the Distributed Authentication User Interface and sends the encrypted responses back to the client. To accomplish this, you create an SSL proxy, which acts as the gateway that decrypts HTTP requests and encrypts the replies.


Note –

Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.


Before You Begin

Before creating the SSL proxy, you should have a certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    Username: username

    Password: password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. On the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information:

    Proxy Type: Check the SSL checkbox.

    Proxy Address: The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Proxy Service: 9443 (the secure port number)

    Destination Address: The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Destination Service: 90 (the non-secure port number)

    Destination Target: Choose Local Virtual Server.

    SSL Certificate: Choose LoadBalancer-4.example.com.

    SSL Key: Choose LoadBalancer-4.example.com.

    Enable ARP: Check this checkbox.

  7. Click Next.

  8. In the Rewrite Redirects field, choose All.

  9. Click Done.

    The new proxy server is now added to the Proxy Server list.

  10. Log out of the load balancer console.

  11. Access https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443 from a web browser.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  12. Log in to the Access Manager console as the administrator.

    Username: amadmin

    Password: 4m4dmin1

    If you can successfully log in to Access Manager, the SSL certificate is installed and the proxy service is configured properly.

  13. Log out of Access Manager, and close the browser.
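A check to pair with the browser test in steps 11 and 12, added here as an example and not part of the original guide: it inspects redirect responses as the client receives them and flags any that leave HTTPS or point at the cleartext destination service on port 90, which is the outcome that Rewrite Redirects: All in step 8 is assumed to prevent. The response heads are constructed samples, and `parse_response_head` and `audit_redirect` are hypothetical helper names.

```python
from urllib.parse import urlsplit

BACKEND_PORT = 90  # Destination Service from step 6 (cleartext side)
REDIRECT_CODES = {301, 302, 303, 305, 307}

# Constructed sample response heads, as a client would receive them.
REWRITTEN = ("HTTP/1.1 302 Moved Temporarily\r\n"
             "Location: https://LoadBalancer-4.example.com:9443/distAuth/UI/Login\r\n\r\n")
LEAKED = ("HTTP/1.1 302 Moved Temporarily\r\n"
          "Location: http://LoadBalancer-4.example.com:90/distAuth/UI/Login\r\n\r\n")


def parse_response_head(raw):
    """Return (status_code, headers) parsed from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(raw):
    """Return a list of findings for one response; an empty list means it is clean."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_CODES:
        return []
    location = headers.get("location")
    if not location:
        return ["redirect without a Location header"]
    target = urlsplit(location)
    findings = []
    # A relative Location has no scheme and stays on the client's HTTPS connection.
    if target.scheme and target.scheme != "https":
        findings.append("redirect leaves HTTPS: " + location)
    if target.port == BACKEND_PORT:
        findings.append("redirect exposes cleartext port %d" % BACKEND_PORT)
    return findings


if __name__ == "__main__":
    for label, raw in (("rewritten", REWRITTEN), ("leaked", LEAKED)):
        print(label, audit_redirect(raw) or "OK")
```

To use it against the deployment, capture response heads from the client side of Load Balancer 4 and pass each one to `audit_redirect`.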