Re: Load balancer and Security Certificates

[Tom Golson <tgolson@tamu.edu>]

Heh.  After reading the wildcard cert responses, I'd say that's 
definitely the avenue to pursue.  Our networking group wouldn't let us 
acquire wildcard certs, so we purchased Verisign certs for the service 
name living on the load balancers, and for the services on the mailstore 
servers.

Rather than fight installing commercial certs across all of the Zimbra 
complex we have local certs behind the F5's and commercial certs on the 
F5's.  To make the redirects work, we have VIF's for the generic service 
(with pools for all the related services: https/imaps/pop3s/etc.) and 
then we have VIF's for the individual servers, too.

So, we have neo.tamu.edu -- you connect to it, and it terminates and 
translates a connection that's round-robined to the mail servers.

When you connect, the proxy issues a redirect.

The redirect is for a public name that also has a VIF on the F5's and is 
configured to answer for all the related services for that VIF (http...).

This does not work with services that do STARTTLS, but all of our 
configuration directions are for the explicit SSL service ports and we 
mostly just shrug when people complain about trying things using 
STARTTLS and getting CA errors.

Our service does not do SMTP AUTH for the campus, though -- we have a 
different set of servers for that, which are accessible to the general 
Internet, because our Zimbra install doesn't accept any SMTP connections 
from the world at large.  Only http (redirects to https), pop3s and imaps.

Given the choice, I'd definitely vote for the wildcard solution. :-)

--
Tom Golson
Senior Lead Systems Engineer
Opensystems Group
Computing & Information Services
Texas A&M University

Tim Ross wrote:
> Hi All,
>
> We are working through our move to Zimbra here at Cal Poly and have run into a little snag with Security Certs.  Initially we had wanted to use the http proxy that came out with Zimbra 5.0.5, but even in 5.0.6 and 5.0.7 the web proxy still has a few issues that make it unusable for us.  So, we are using a load balancer in front of two mailstore servers in our Test environment.  We have a VIP (example.calpoly.edu) that the load balancer responds to on port 443.  We have a security cert for example.calpoly.edu on the load balancer that works fine.  The load balancer then chooses one of the two mail servers (by least connections) and forwards the connection request to the mailstores.  We have tried a couple different setups with the load balancer and mail servers and even purchased two Thawte certs for the two machine names on the mailstores.  The two things we are trying to accomplish are keeping a https (443) connection to the mailstore servers and not receiving cert warning

s in the browsers.  We have tried terminating SSL on the load balancer and using zimbraMailMode=redirect on the mail servers, and we've also tried just passing the connection through the load balancer on 443 to the mailstore servers.  Each way we still receive cert warnings if you are directed to the mailstore server that does not contain your mailbox and you are redirected by Zimbra to the other mailstore server.  The cert warning happens because the connection comes in as example.calpoly.edu and the box is expecting the machine name on the cert.  We thought that buying Thawte certs with the box names might resolve this issue, but it did not.
> Have any of you dealt with this issue and found the magic combination or setting?  We are considering perhaps a virtual host on the mailstores that would tell the box that it should respond to example.calpoly.edu requests.  Another possibility was putting example.calpoly.edu in the "Subject Alternative Name" field on the CSR we generate for the Thawte cert.
>
> Thanks for your help.
>
> ---
> Tim Ross
> Application Administrator
> Collaboration Support
> Cal Poly State University
> 756-6226