
Load balancer and Security Certificates


Hi All,

We are working through our move to Zimbra here at Cal Poly and have run into a little snag with Security Certs.  Initially we had wanted to use the http proxy that came out with Zimbra 5.0.5, but even in 5.0.6 and 5.0.7 the web proxy still has a few issues that make it unusable for us.  So, we are using a load balancer in front of two mailstore servers in our Test environment.  We have a VIP (example.calpoly.edu) that the load balancer responds to on port 443.  We have a security cert for example.calpoly.edu on the load balancer that works fine.  The load balancer then chooses one of the two mail servers (by least connections) and forwards the connection request to the mailstores.  We have tried a couple different setups with the load balancer and mail servers and even purchased two Thawte certs for the two machine names on the mailstores.  The two things we are trying to accomplish are keeping a https (443) connection to the mailstore servers and not receiving cert warnings in the browsers.  We have tried terminating SSL on the load balancer and using zimbraMailMode=redirect on the mail servers, and we've also tried just passing the connection through the load balancer on 443 to the mailstore servers.  Each way we still receive cert warnings if you are directed to the mailstore server that does not contain your mailbox and you are redirected by Zimbra to the other mailstore server.  The cert warning happens because the connection comes in as example.calpoly.edu and the box is expecting the machine name on the cert.  We thought that buying Thawte certs with the box names might resolve this issue, but it did not.

Have any of you dealt with this issue and found the magic combination or setting?  We are considering perhaps a virtual host on the mailstores that would tell the box that it should respond to example.calpoly.edu requests.  Another possibility was putting example.calpoly.edu in the "Subject Alternative Name" field on the CSR we generate for the Thawte cert.

Thanks for your help.

---
Tim Ross
Application Administrator
Collaboration Support
Cal Poly State University
756-6226
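As an added example, not part of Tim's post and not Zimbra's or Thawte's code: a Python 3 script (standard library only) that models the browser's hostname check against a certificate in the dictionary shape Python's `ssl.getpeercert()` returns, lists which of the three names a user can land on (the VIP and either mailstore, since Zimbra may redirect to the other box) a given certificate would warn on, and renders the `openssl req -config` file for a CSR whose Subject Alternative Name covers all of them. The mailstore names `mail1.calpoly.edu` and `mail2.calpoly.edu` are assumed placeholders, and all three certificates are constructed inline.

```python
import re

# Models a browser's certificate hostname check and the SAN CSR config the
# post considers. mail1/mail2.calpoly.edu are assumed mailstore names; the
# certificates below are constructed samples, not real issued certs.


def dnsname_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' is honoured only as the
    whole leftmost label and never matches across a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if '*' not in pattern:
        return pattern == hostname
    leftmost, _, rest = pattern.partition('.')
    if leftmost != '*' or not rest or '*' in rest:
        return False  # partial or non-leftmost wildcards are not honoured
    return re.fullmatch(r'[^.]+\.' + re.escape(rest), hostname) is not None


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if a browser would accept `cert` for `hostname`. Once a cert
    carries any SAN dNSName entries only those count; the subject CN is a
    fallback when the SAN is absent (modern browsers ignore CN entirely)."""
    san_dns = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if san_dns:
        return any(dnsname_match(n, hostname) for n in san_dns)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return dnsname_match(value, hostname)
    return False


def uncovered_names(cert: dict, vip: str, mailstores: list) -> list:
    """Names a browser may be sent to in the described topology (the VIP plus
    each mailstore, because the redirect can land on either box) that the
    certificate would warn on."""
    return [h for h in [vip] + list(mailstores) if not cert_covers(cert, h)]


def openssl_san_config(common_name: str, san_names: list) -> str:
    """Render an `openssl req -config` file that puts san_names into the
    CSR's subjectAltName extension (CN alone is ignored once a SAN exists)."""
    lines = [
        '[req]',
        'distinguished_name = dn',
        'req_extensions = v3_req',
        'prompt = no',
        '',
        '[dn]',
        f'CN = {common_name}',
        '',
        '[v3_req]',
        'subjectAltName = @alt_names',
        '',
        '[alt_names]',
    ] + [f'DNS.{i} = {name}' for i, name in enumerate(san_names, 1)]
    return '\n'.join(lines) + '\n'


VIP = 'example.calpoly.edu'
MAILSTORES = ['mail1.calpoly.edu', 'mail2.calpoly.edu']  # assumed box names

# Constructed: per-box cert as bought in the post (CN = machine name, no SAN).
CERT_CN_ONLY = {
    'subject': ((('countryName', 'US'),), (('commonName', 'mail1.calpoly.edu'),)),
}
# Constructed: SAN naming only the VIP; CN is then ignored, so the box's own
# name fails whenever Zimbra redirects to it directly.
CERT_SAN_VIP_ONLY = {
    'subject': ((('commonName', 'mail1.calpoly.edu'),),),
    'subjectAltName': (('DNS', 'example.calpoly.edu'),),
}
# Constructed: SAN covering the VIP and both mailstores; no warning wherever
# the redirect lands.
CERT_SAN_FULL = {
    'subject': ((('commonName', 'mail1.calpoly.edu'),),),
    'subjectAltName': tuple(('DNS', n) for n in [VIP] + MAILSTORES),
}

if __name__ == '__main__':
    for label, cert in [('CN only', CERT_CN_ONLY),
                        ('SAN=VIP only', CERT_SAN_VIP_ONLY),
                        ('SAN=VIP+stores', CERT_SAN_FULL)]:
        print(f'{label:15s} warns on: {uncovered_names(cert, VIP, MAILSTORES) or "nothing"}')
    print(openssl_san_config('mail1.calpoly.edu', [VIP] + MAILSTORES))
```

Write the rendered config to `san.cnf` and generate the request with `openssl req -new -key mail1.key -config san.cnf -out mail1.csr`; `openssl req -noout -text -in mail1.csr` should then show the three names under `X509v3 Subject Alternative Name`. Two caveats a practitioner would check: some CAs take the SAN list from their order form rather than from the CSR, so inspect the issued certificate with `openssl x509 -noout -text -in mail1.crt` before installing it; and the SAN on each mailstore cert must list the box's own name as well as the VIP, because once a SAN is present the CN no longer rescues a direct redirect to that box. The VIP-only certificate on the load balancer is fine as is, since the balancer never redirects the browser to another name.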