SSL and Sharepoint. Is it really this complicated?

Today’s Issue:

Configuring an F5 BIGIP LTM 6400 v9.3.1 to sit in front of an SSL-protected Sharepoint 2007 web farm

Where we are:

At the beginning, really.  Looking over vendor docs to try to decipher what needs to be done just to direct the web traffic to the right box, and what bells & whistles we’re going to hit.  For this one, it looks like an iRule to redirect traffic from HTTP to HTTPS when necessary, and a decision about the SSL certificate itself: whether to leave it installed on each WFE, or offload SSL to the device itself (I think we’re fine with leaving it on the servers, but why not take advantage of the device’s capability if it’s there).

How we got here:

So all I’m trying to do is to put a SharePoint site behind a load balancer.  Seems kind of like overkill at this point, as the site sits on one single WFE, with a SQL server behind it.  So we’re actually adding a layer by putting one IP address out there, that sits on the load balancer, that then points back to another IP address that’s on the server… both are routable, both are “public,” but this is theoretically just the start, and at some point we will scale out the web farm to include several other WFEs as members of the pool.

Doodie in the pool…

Seems like a light configuration… go into the F5, and work from the bottom up… create the node (the WFE/server that IIS and the content lives on) create the virtual server (what the public thinks they are hitting), associate them to each other, and you’re done.  Not so fast… You’re gonna need a monitor to tell you if the WFE the virtual server is pointing to is available, you’re gonna need a Profile for… something, and some client & server side gobbledy-gook to go with all of that.

Okay, so maybe I learned from the last time that I tried to wing my way through one of these, when all else fails, read the manual (insert some Windows/Microsoft wise-crack here about needing a wizard to do just about anything… suuuure would be nice right about now).

There’s an app for that…

Okay, maybe not an app, but a manual’s going to have to do for now, nice of F5 to put together a manual specifically for SharePoint 2007 servers sitting behind their device.   Once again, seems like a logical progression, but they run you through a bunch of config items that you essentially leave with the default settings.  Now I’m all for resource names reflecting what it is they’re doing (having a service account for SharePoint Search Service named something like svc-SharepointSearch) that isn’t used for anything else, but if the same service does the same thing for everyone, why make you configure it over and over each iteration?

Why can’t it just work…

So we finally jiggled the handle enough to get everything to work, essentially by bypassing all of the config-specific objects we created as per the manual, and pointed the profiles & monitors to the generic ones that come pre-installed, but were left with one pesky problem, the SSL Certificate wasn’t matching up, so users were getting presented with a lovely warning banner about name mismatches and such.

Ask a silly question…

So I ask this guy on the phone… how do I leave the SSL cert on the WFE, so it can serve the certificate itself?  Well, you just leave it there, and you don’t have to configure anything, he responds.  Well, we give it a go on our end, and the cert mismatch is coming from the locally self-signed cert that the F5 maintains on its own (mylocal.local instead of Mysite.therealname.com).  Nice try.  How about asking that question another way: can I really do that under SharePoint (no reason not to, that I can think of… a website’s a website at this point)?  I’m met quickly with a long list of steps on how to create certs & keys to import and export to users & devices, which I’ve done in the past and know quite well is exactly what I don’t want to do.  Okay, I say, but it works on another system I already have running on the same load balancer… why can’t I replicate that?  Long awkward silence… well, you’d just import the certificate (no mention of how the version I’m running doesn’t support password-protected certificates).

So now I’m back to: what to do next?  Options seem to be upgrading to a version that supports importing password-protected certs, or running through all of the OpenSSL steps and keeping ye olde fingers crossed.
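For anyone who takes the OpenSSL road instead of the upgrade, here is what those steps look like. This is an added example, not from the original post or from F5’s documentation: it takes a password-protected PKCS#12 export (the .pfx you get out of the WFE’s certificate store), splits it into the PEM certificate and passphrase-free PEM key an older BIG-IP release can import, and then checks the two things that cause the name-mismatch banner described above: that the key actually belongs to the certificate, and that the certificate’s CN is the public hostname users type. The hostname, export password and the self-signed sample certificate are all constructed for the demo; substitute your real .pfx and name.

```shell
#!/bin/sh
# Added example (not the post's or F5's code): split a password-protected
# PKCS#12 export into PEM cert + unencrypted PEM key and sanity-check them
# before importing onto the load balancer.
set -eu

WORK=$(mktemp -d)
PFX_PASS='constructed-export-password'   # assumed: password set on export
EXPECTED_HOST='mysite.example.com'       # assumed: the public site name

# Constructed stand-in for the WFE's real certificate: a throwaway
# self-signed cert/key pair exported to PKCS#12 with a password.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$EXPECTED_HOST" \
    -keyout "$WORK/wfe.key" -out "$WORK/wfe.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/wfe.key" -in "$WORK/wfe.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/wfe.pfx"
}

# Split the PFX into <out>.crt (PEM cert) and <out>.key (PEM key).
# -nodes strips the passphrase from the key, which is what the old F5
# release needs; keep these files on a secured admin host and delete them
# once the import is done.
split_pfx() {
  pfx=$1; pass=$2; out=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out.crt" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$out.key" 2>/dev/null
}

# SHA-256 of the public key, taken from the cert and from the key, so the
# two can be compared without trusting file names.
pub_fp_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pub_fp_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# Prints "ok" when the key belongs to the certificate, "mismatch" otherwise.
keypair_matches() {
  [ "$(pub_fp_of_cert "$1")" = "$(pub_fp_of_key "$2")" ] && echo ok || echo mismatch
}

# Subject CN: the name a browser compares against the URL's hostname.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'; }

# Prints "yes" if the PEM key carries no passphrase (no ENCRYPTED header).
key_is_unencrypted() { grep -q 'ENCRYPTED' "$1" && echo no || echo yes; }

# Stand-alone run: sh this_script.sh
if [ "${RUN_DEMO:-1}" = 1 ]; then
  make_sample_pfx
  split_pfx "$WORK/wfe.pfx" "$PFX_PASS" "$WORK/lb"
  echo "key matches cert : $(keypair_matches "$WORK/lb.crt" "$WORK/lb.key")"
  echo "certificate CN   : $(cert_cn "$WORK/lb.crt")"
  echo "key unencrypted  : $(key_is_unencrypted "$WORK/lb.key")"
fi
```

Run `cert_cn` against the certificate you are about to import and compare it to the name in the users’ URL: if it prints something like mylocal.local rather than the site’s public name, you have found the source of the warning banner before the change goes live.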

Two roads diverged in a wood…

Let’s upgrade.  We’re way behind anyway, maybe there’s other new stuff that would be better, oh and we’re WAY BEHIND.
