Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1072
Views
0
Helpful
4
Replies

Dual Active Active WSA Load balanced by F5 LTM.

Go to solution
stephane boudreau
Level 1
Level 1

‎09-10-2022 06:31 AM

Hi Everyone,

We want to setup two WSA Web security Appliances, behind an F5 LTM load balancer.  (See the attachment)  The F5 load balancer will not handle the SSL certificate as it is listening on port 8080.  This traffic will then be sent to the WSA devices.  How should we handle the SSL inspection? what are the certificates to be used?  Should it be setup as one certificate (with the Common Name and two SAN for each device name)  and this certificate added to each WSA?

your thoughts?

Rockmaster

Labels:
Preview file
407 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎09-10-2022 07:58 AM

I'm assuming you're using explicit forwarding and need to balance load as well as failover...

Because if one WSA can do it, you could use the built in failover capabilities.

If you use the F5, make it transparent, it handles nothing but which wsa gets a specific flow. You need session persistence enabled.

The WSAs need their own cert... we issue a intermediate CA siging cert off of our internal CA for this, because that's what the WSA is doing... issuing a certs for websites you're decrypting for the internal connection, on the fly.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Ken Stieers
VIP
VIP

‎09-10-2022 07:58 AM

I'm assuming you're using explicit forwarding and need to balance load as well as failover...

Because if one WSA can do it, you could use the built in failover capabilities.

If you use the F5, make it transparent, it handles nothing but which wsa gets a specific flow. You need session persistence enabled.

The WSAs need their own cert... we issue a intermediate CA siging cert off of our internal CA for this, because that's what the WSA is doing... issuing a certs for websites you're decrypting for the internal connection, on the fly.
0 Helpful

Go to solution
stephane boudreau
Level 1
Level 1
In response to Ken Stieers

‎09-12-2022 05:04 AM

Hi Ken,

Thanks for the information,  Does the certificate on each device need to point to the CN proxy.xyz.com and SANs containing both PXY01 and PXY02?   

Regards

Rockmaster

0 Helpful

Go to solution
stephane boudreau
Level 1
Level 1
In response to Ken Stieers

‎09-16-2022 06:49 AM

Hi Ken,

Thanks for the information,  Does the certificate on each device need to point to the CN proxy.xyz.com and SANs containing both PXY01 and PXY02?   

Regards

Rockmaster

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to stephane boudreau

‎09-16-2022 03:35 PM

As far as I know, no...
Keep in mind there are may be 3 certs on a WSA...

1. the management interface cert, which is a standard web server cert, which can have SANs as appropriate. (we use one for mgmt. on ESA, WSA, SMA, and beta boxes)
2. The proxy cert used for when you use encrypted credentials, configured under Network/Authentication, when you check the box... IIRC should match the NetBios name.
3. The HTTPS Proxy cert, which is a SIGNING cert, used to issue certs for each web site you do decryption on... the WSA does this on the fly. This cert can easily come from 2 places, the WSA can generate it, then you deploy it to your workstations as a trusted root, or from your own internal CA, where you issue a new "issuing CA certificate" and put it on the WSA (presumably your workstations already trust your root CA). You can't just go buy a web cert for this.

Hope that helps!
Ken


0 Helpful
Customers Also Viewed These Support Documents