RE: Load balancer and Security Certificates
Thanks for the quick responses Steve, Ryan and Tom. This gives us a few options to look into. The wildcards may be a hard sell for some folks on our campus, but it gives us a path to pursue. We may need to try something like Tom's solution until 5.0.8 comes out when the web proxy may be ready for use.
Tim
-----Original Message-----
From: Tom Golson [mailto:tgolson@tamu.edu]
Sent: Monday, July 14, 2008 11:06 AM
To: zimbra-hied-admins@sfu.ca
Subject: Re: Load balancer and Security Certificates
Heh. After reading the wildcard cert responses, I'd say that's definitely the avenue to pursue. Our networking group wouldn't let us acquire wildcard certs, so we purchased Verisign certs for the service name living on the load balancers, and for the services on the mailstore servers.
Rather than fight installing commercial certs across all of the Zimbra complex we have local certs behind the F5's and commercial certs on the F5's. To make the redirects work, we have VIF's for the generic service (with pools for all the related services: https/imaps/pop3s/etc.) and then we have VIF's for the individual servers, too.
So, we have neo.tamu.edu -- you connect to it, and it terminates and translates a connection that's round-robined to the mail servers.
When you connect, the proxy issues a redirect.
The redirect is for a public name that also has a VIF on the F5's and is configured to answer for all the related services for that VIF (http...).
This does not work with services that do STARTTLS, but all of our configuration directions are for the explicit SSL service ports and we mostly just shrug when people complain about trying things using STARTTLS and getting CA errors.
Our service does not do SMTP AUTH for the campus, though -- we have a different set of servers for that, which are accessible to the general Internet, because our Zimbra install doesn't accept any SMTP connections from the world at large. Only http (redirects to https), pop3s and imaps.
Given the choice, I'd definitely vote for the wildcard solution. :-)
--
Tom Golson
Senior Lead Systems Engineer
Opensystems Group
Computing & Information Services
Texas A&M University
Tim Ross wrote:
> Hi All,
>
> We are working through our move to Zimbra here at Cal Poly and have
> run into a little snag with Security Certs. Initially we had wanted
> to use the http proxy that came out with Zimbra 5.0.5, but even in
> 5.0.6 and 5.0.7 the web proxy still has a few issues that make it
> unusable for us. So, we are using a load balancer in front of two
> mailstore servers in our Test environment. We have a VIP
> (example.calpoly.edu) that the load balancer responds to on port 443.
> We have a security cert for example.calpoly.edu on the load balancer
> that works fine. The load balancer then chooses one of the two mail
> servers (by least connections) and forwards the connection request to
> the mailstores. We have tried a couple different setups with the load
> balancer and mail servers and even purchased two Thawte certs for the
> two machine names on the mailstores. The two things we are trying to
> accomplish are keeping a https (443) connection to the mailstore
> servers and not receiving cert warnings in the browsers. We have tried terminating SSL on the load balancer and using zimbraMailMode=redirect on the mail servers, and we've also tried just passing the connection through the load balancer on 443 to the mailstore servers. Each way we still receive cert warnings if you are directed to the mailstore server that does not contain your mailbox and you are redirected by Zimbra to the other mailstore server. The cert warning happens because the connection comes in as example.calpoly.edu and the box is expecting the machine name on the cert. We thought that buying Thawte certs with the box names might resolve this issue, but it did not.
>
> Have any of you dealt with this issue and found the magic combination or setting? We are considering perhaps a virtual host on the mailstores that would tell the box that it should respond to example.calpoly.edu requests. Another possibility was putting example.calpoly.edu in the "Subject Alternative Name" field on the CSR we generate for the Thawte cert.
>
> Thanks for your help.
>
> ---
> Tim Ross
> Application Administrator
> Collaboration Support
> Cal Poly State University
> 756-6226
>
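Added example (not from the thread or from Zimbra): a small check that the names on the certificate a browser actually receives cover every hostname it can be sent to, which is the mismatch behind the warnings described above. example.calpoly.edu is the VIP from the thread; the mailstore names, the SAN contents and the wildcard name are constructed assumptions, not the posters' real values.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) is valid for hostname.

    Browser rules in short: case-insensitive exact match, or '*' as the whole
    leftmost label matching exactly one label. So *.calpoly.edu covers
    mailstore1.calpoly.edu but not a.b.calpoly.edu or calpoly.edu itself.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def hostname_mismatches(served: dict) -> list:
    """served maps each name a browser may be sent to (the VIP, or a mailstore
    name in a Zimbra redirect) -> names on the certificate actually presented
    at that hostname. Returns the names that would trigger a cert warning."""
    return [host for host, names in served.items()
            if not any(name_matches(n, host) for n in names)]


# Constructed scenarios. example.calpoly.edu is the VIP from the thread;
# mailstore1/2.calpoly.edu are hypothetical box names.
VIP = "example.calpoly.edu"
BOXES = ["mailstore1.calpoly.edu", "mailstore2.calpoly.edu"]

# 443 passed straight through: the box answers for the VIP name but presents
# its per-box cert (CN = machine name), so the VIP name is not covered.
PASSTHROUGH = {VIP: [BOXES[0]], BOXES[0]: [BOXES[0]], BOXES[1]: [BOXES[1]]}

# Same setup, but each per-box CSR carried the VIP as a Subject Alternative Name.
WITH_SAN = {VIP: [BOXES[0], VIP], BOXES[0]: [BOXES[0], VIP], BOXES[1]: [BOXES[1], VIP]}

# One (hypothetical) wildcard cert installed on the VIP and on every box.
WILDCARD = {h: ["*.calpoly.edu"] for h in [VIP] + BOXES}

if __name__ == "__main__":
    for label, cfg in [("pass-through", PASSTHROUGH), ("SAN", WITH_SAN), ("wildcard", WILDCARD)]:
        print(label, "-> warnings for:", hostname_mismatches(cfg) or "none")
```

In a real check the name lists would be read from the CN and SAN of the certificate each host presents; the wildcard scenario also shows why a host one label deeper (a.b.calpoly.edu) would still warn.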