cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
0
Helpful
4
Replies

Dual Active Active WSA Load balanced by F5 LTM.

Hi Everyone,

We want to setup two WSA Web security Appliances, behind an F5 LTM load balancer.  (See the attachment)  The F5 load balancer will not handle the SSL certificate as it is listening on port 8080.  This traffic will then be sent to the WSA devices.  How should we handle the SSL inspection? what are the certificates to be used?  Should it be setup as one certificate (with the Common Name and two SAN for each device name)  and this certificate added to each WSA?

your thoughts?

Rockmaster

1 Accepted Solution

Accepted Solutions

I'm assuming you're using explicit forwarding and need to balance load as well as failover...

Because if one WSA can do it, you could use the built in failover capabilities.

If you use the F5, make it transparent, it handles nothing but which wsa gets a specific flow. You need session persistence enabled.

The WSAs need their own cert... we issue a intermediate CA siging cert off of our internal CA for this, because that's what the WSA is doing... issuing a certs for websites you're decrypting for the internal connection, on the fly.

View solution in original post

4 Replies 4

I'm assuming you're using explicit forwarding and need to balance load as well as failover...

Because if one WSA can do it, you could use the built in failover capabilities.

If you use the F5, make it transparent, it handles nothing but which wsa gets a specific flow. You need session persistence enabled.

The WSAs need their own cert... we issue a intermediate CA siging cert off of our internal CA for this, because that's what the WSA is doing... issuing a certs for websites you're decrypting for the internal connection, on the fly.

Hi Ken,

Thanks for the information,  Does the certificate on each device need to point to the CN proxy.xyz.com and SANs containing both PXY01 and PXY02?   

Regards

Rockmaster

Hi Ken,

Thanks for the information,  Does the certificate on each device need to point to the CN proxy.xyz.com and SANs containing both PXY01 and PXY02?   

Regards

Rockmaster

As far as I know, no...
Keep in mind there are may be 3 certs on a WSA...

1. the management interface cert, which is a standard web server cert, which can have SANs as appropriate. (we use one for mgmt. on ESA, WSA, SMA, and beta boxes)
2. The proxy cert used for when you use encrypted credentials, configured under Network/Authentication, when you check the box... IIRC should match the NetBios name.
3. The HTTPS Proxy cert, which is a SIGNING cert, used to issue certs for each web site you do decryption on... the WSA does this on the fly. This cert can easily come from 2 places, the WSA can generate it, then you deploy it to your workstations as a trusted root, or from your own internal CA, where you issue a new "issuing CA certificate" and put it on the WSA (presumably your workstations already trust your root CA). You can't just go buy a web cert for this.

Hope that helps!
Ken


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: