Everyone,
I have a client that has a wildcard cert on a load balancer in front of a
server farm. One of the webs that is hosted on this farm uses Client Certs
for authentication. Unfortunately, the issue arises that the load balancer
(F5) decrypts SSL, handing only port 80 to the back-end web servers. Under
this configuration, the client certs are never checked, as the inbound traffic
is HTTP only. Now we can use the internal CAs to issue the server certs and
pass the HTTPS all the way to the IIS instance... but then this has the
problem of causing the unauthorized cert warning to be displayed.
Further, this is posing a particular issue when obtaining the user cert, as
Vista clients will not accept a cert unless the decrypt is happening in IIS,
and they have no way of detecting that the connection is secure but through the
load balancer.
I am looking for some kind of direction here of how to do this correctly
while still using the wildcard that is supporting the farm.
Thanks!

Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
David Wang - 19 Jul 2008 02:45 GMT
On Jul 18, 12:55 pm, Ryan Hanisco
<RyanHani...@discussions.microsoft.com> wrote:
> Everyone,
>
[quoted text clipped - 23 lines]
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
You will not be able to use Client Certificates with a Load balancer
that serves as the SSL termination point.
You will have to choose whether Load balancing or Client Certificate-based
security is more important because, by their very natures, they
are incompatible. A Client Certificate cannot be re-transmitted once it
has been terminated, which is necessary for their security (if a Client
Certificate could be retransmitted, then how can the recipient be sure
that the sender is the actual sender and not an imposter who
retransmits a forgery? This uncertainty undermines the point of a Client
Certificate proving identification). Load balancing is going to
terminate the request so that it can balance amongst its internal
pool of servers. The two won't mix.
It seems like you are saying that Client Certificates are more
important, since you are willing to allow traffic to bypass the Load
balancer, in which case the individual server must have a certificate
whose name matches what the external user typed (either exactly or via a
wildcard certificate), i.e. treat it like any other SSL server you
directly expose.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
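The point both posts turn on (a balancer that terminates SSL cannot hand the user's client certificate on to the back end, while a balancer that merely forwards the TCP stream leaves client authentication intact) can be shown end to end in code. The following is an added example written for this thread, not code from either poster, the F5 or IIS. Everything in it is constructed: a throwaway private CA, a `*.example.test` wildcard server cert standing in for the farm's wildcard, a user cert for `alice`, and the host name `app.example.test`. The back end plays the IIS site (client certificate required), `passthrough` plays an F5 virtual server doing SSL pass-through, and `terminating` plays the SSL-offload configuration from the question.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// serverName is the hypothetical site name the browser types; it is covered by
// the constructed wildcard certificate *.example.test.
const serverName = "app.example.test"

// issue creates an ECDSA key and certificate for cn. With parent == nil the
// certificate is self-signed (our constructed private CA); otherwise parent signs it.
func issue(cn string, isCA bool, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func pool(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// relay forwards bytes in both directions until one side closes.
func relay(a, b net.Conn) {
	defer a.Close()
	defer b.Close()
	go io.Copy(b, a)
	io.Copy(a, b)
}

// backend plays the IIS site: it requires a client certificate from our CA and
// answers with the identity it authenticated, so the caller can see what the
// server actually saw.
func backend(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool(ca),
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if err := tc.Handshake(); err != nil {
					return // no acceptable client certificate: the connection is refused
				}
				fmt.Fprintf(tc, "authenticated as %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(c.(*tls.Conn))
		}
	}()
	return ln
}

// passthrough plays SSL pass-through on the balancer: the TLS bytes are relayed
// unchanged, so the handshake (and the client's CertificateVerify signature made
// with her private key) runs end to end between browser and backend.
func passthrough(backendAddr string) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				b, err := net.Dial("tcp", backendAddr)
				if err != nil {
					c.Close()
					return
				}
				relay(c, b)
			}(c)
		}
	}()
	return ln
}

// terminating plays SSL offload: the balancer ends the browser's TLS session
// with the wildcard cert and opens a second TLS session to the backend. It
// holds only the user's public certificate, never her private key, so it has
// nothing it could present on that second hop; the backend refuses it.
func terminating(backendAddr string, ca, wildcard *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	front := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{wildcard.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", front)
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				// A fresh session with no client certificate to offer.
				b, err := tls.Dial("tcp", backendAddr, &tls.Config{RootCAs: pool(ca), ServerName: serverName})
				if err != nil {
					c.Close()
					return
				}
				relay(c, b)
			}(c)
		}
	}()
	return ln
}

// connect plays the browser: it trusts ca, expects serverName, presents user
// (nil means no certificate) and returns the backend's one-line reply.
func connect(addr string, ca *x509.Certificate, user *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool(ca), ServerName: serverName}
	if user != nil {
		cfg.Certificates = []tls.Certificate{*user}
	}
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer c.Close()
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

// Outcome holds the reply seen by the browser on each path (or "rejected: ...").
type Outcome struct{ NoCert, Direct, PassThrough, Terminating string }

// Run builds the constructed PKI and the three topologies from the thread.
func Run() Outcome {
	ca, caKey := issue("Constructed Test CA", true, nil, nil, nil)
	srv, srvKey := issue("*.example.test", false, []string{"*.example.test"}, ca, caKey)
	usr, usrKey := issue("alice", false, nil, ca, caKey)
	alice := &tls.Certificate{Certificate: [][]byte{usr.Raw}, PrivateKey: usrKey}

	be := backend(ca, srv, srvKey)
	defer be.Close()
	pt := passthrough(be.Addr().String())
	defer pt.Close()
	tm := terminating(be.Addr().String(), ca, srv, srvKey)
	defer tm.Close()

	try := func(addr string, user *tls.Certificate) string {
		s, err := connect(addr, ca, user)
		if err != nil {
			return "rejected: " + err.Error()
		}
		return s
	}
	return Outcome{
		NoCert:      try(be.Addr().String(), nil),
		Direct:      try(be.Addr().String(), alice),
		PassThrough: try(pt.Addr().String(), alice),
		Terminating: try(tm.Addr().String(), alice),
	}
}

func main() {
	o := Run()
	fmt.Println("direct, no client cert:   ", o.NoCert)
	fmt.Println("direct, alice:            ", o.Direct)
	fmt.Println("via pass-through balancer:", o.PassThrough)
	fmt.Println("via terminating balancer: ", o.Terminating)
}
```

Only the direct and pass-through paths report `authenticated as alice`; the terminating path is refused because the hop from balancer to backend has no client private key to sign the handshake with, which is the mechanism behind "cannot be re-transmitted once it has been terminated". In practice that leaves the two choices named in the reply: forward TLS untouched to the IIS instance (the wildcard cert then lives on each server, or the balancer does pure TCP/SNI routing), or accept that client certificates are checked only at the balancer.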