Tuesday 3 March 2015

Using Kemp Load balancer for SSL offloading for perfect forward secrecy and TLS1.x (A rating on SSL labs)

You may have already seen in my previous post how to perform SSL offloading on a Kemp Load Balancer. Another useful feature is choosing the ciphers available to each Virtual Service, which is what gets your site an "A" rating on the SSL Labs server test.

Setting the ciphers on a Windows server running IIS requires a bit of PowerShell scripting (it is really a set of Schannel registry keys), and there is a guide available here.

Updating the SSL ciphers used by a Virtual Service (VS) on the load balancer is much easier. Once you have assigned an SSL certificate to the VS, do the following:

  • Click Virtual Services
  • Click View/Modify Services
  • Select the VS to update
  • You will see that SSL Acceleration is Enabled and that the Ciphers section shows what is currently assigned, which out of the box is just the default cipher set
  • The left column lists the available ciphers; ticking the check boxes under "Selection filters" on the right narrows this list
  • Tick "Perfect Forward Secrecy", "No RC4" and "TLS 1.x Ciphers Only"
  • Highlight all of the ciphers left in the filtered list
  • Click the > button to move them to the "Assigned Ciphers" list, then click "Set Ciphers" to confirm; the VS keeps its old ciphers until you do

Test the SSL configuration at https://www.ssllabs.com/ssltest/, but make sure to tick the box that hides your results from the public results board. You should now get an A rating. Do also look at the "Handshake Simulation" part of the report: the filters above remove every cipher that old clients without TLS 1.2 or ECDHE support (Windows XP era browsers, for example) can use, so those clients will no longer be able to connect to the VS at all.
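To make the three check boxes concrete, here is an added example (my own code, not Kemp's, and it does not talk to a LoadMaster) that applies the same three filters to an OpenSSL-style cipher list, the naming the Kemp UI uses. The cipher list is a constructed sample of what a 2015-era OpenSSL build offers, and the predicates are my reading of what each check box filters on; in particular I take "TLS 1.x Ciphers Only" to mean suites that only exist in TLS 1.2 (AEAD/GCM or SHA-2 MAC), which is an assumption. The `negotiated` function is a live check you can point at your own VS.

```python
"""Emulate the LoadMaster cipher "Selection filters" on an OpenSSL-style cipher list.

Added example for this post; not Kemp's code. The predicates are my reading of
the three check boxes (assumption). The cipher names are OpenSSL names.
"""
import socket
import ssl

# Constructed sample: a mix of what a 2015-era OpenSSL build might offer.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

FILTERS = {
    # Forward secrecy needs an ephemeral (EC)DH key exchange. With static RSA
    # key exchange, anyone who later obtains the server key can decrypt
    # recorded traffic.
    "Perfect Forward Secrecy": lambda n: n.startswith(("ECDHE-", "DHE-", "EDH-")),
    "No RC4": lambda n: "RC4" not in n,
    # Assumption: suites that only exist in TLS 1.2 (GCM or SHA-2 MAC).
    # SSLv3-era suites carry SHA1 or MD5 MACs and are usable by TLS 1.0/1.1.
    "TLS 1.x Ciphers Only": lambda n: any(t in n for t in ("GCM", "SHA256", "SHA384")),
}


def rejected_by(name, filters=FILTERS):
    """Labels of the ticked filters that would drop this cipher from the list."""
    return [label for label, keep in filters.items() if not keep(name)]


def filter_ciphers(ciphers, filters=FILTERS):
    """The 'available' list after ticking all the given filters, order preserved."""
    return [c for c in ciphers if not rejected_by(c, filters)]


def cipher_string(assigned):
    """OpenSSL cipher-list syntax for the assigned set (usable with openssl s_client -cipher)."""
    return ":".join(assigned)


def negotiated(host, port=443):
    """Live check: the protocol and cipher this client negotiates with the VS.

    This shows one handshake from one client, not every cipher the VS accepts;
    SSL Labs does the full enumeration.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys

    for c in SAMPLE_CIPHERS:
        why = rejected_by(c)
        verdict = "drop" if why else "keep"
        print(f"{verdict} {c:30} {', '.join(why)}")
    print("Assigned:", cipher_string(filter_ciphers(SAMPLE_CIPHERS)))
    if len(sys.argv) > 1:
        proto, cipher = negotiated(sys.argv[1])
        print(f"{sys.argv[1]}: {proto} {cipher} PFS={'DHE' in cipher}")
```

Run it with no arguments to see which sample ciphers each filter drops and why; pass a hostname to see what your VS actually negotiates with this machine's OpenSSL.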

How to enable SSL offloading on a Kemp Load Balancer

I love the 2 Kemp Load Balancers that we have at work.  As well as the obvious job of directing traffic to multiple application front-ends, they can also perform SSL offloading.

This means we have a single place to manage our SSL certificates rather than having to update them on each individual IIS server.

To start you need your SSL certificate together with its private key, plus any intermediate certificate your CA requires. The import asks for a pass phrase, so export the certificate and key from the server as a password-protected bundle (a PFX/PKCS#12 file is the usual form from Windows).

Logon to the Kemp load balancer
Select Certificates > SSL Certificates
Click "Import Certificate"
Click "Browse" to select your certificates
Fill in the Pass Phrase and add a Certificate Identifier (this can be anything; it's a friendly name used to identify the certificate in the web UI)

You can now add Virtual Services to the certificate's assigned list. Make sure the Virtual Service listens on port 443. You may also want to disable SSL on the real servers and have the load balancer talk to them over port 80 in plain HTTP. Be clear about what that means: everything between the load balancer and the real servers, session cookies and logon credentials included, then crosses your internal network unencrypted, so only do this if you trust that network segment; otherwise keep TLS on the real servers and have the load balancer re-encrypt towards them. Also remember that with offloading the real servers now see plain HTTP, so anything on the IIS side that insists on HTTPS (a "Require SSL" setting or a redirect to https://) has to be handled on the load balancer instead or you will get a redirect loop.
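Once the certificate is assigned and the VS is listening on 443, the thing most often missed is the intermediate certificate: a browser that has already cached the intermediate from another site will still load yours, while every other client fails. Here is an added example (my own code, not Kemp's) that checks a VS the way a fresh client would: it verifies the presented chain against the system trust store, checks the hostname, reports days to expiry and the negotiated protocol and cipher. `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns, used only to exercise the parsing offline; the hostname `www.example.com` is a placeholder.

```python
"""Check a Virtual Service after SSL offloading, from the client side.

Added example for this post; not Kemp's code. A missing intermediate, a wrong
certificate on the VS or an expired certificate all surface as a chain error
here rather than as a working page in a browser that has the intermediate cached.
"""
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Mar  3 00:00:00 2015 GMT",
    "notAfter": "Mar  3 00:00:00 2016 GMT",
}


def days_until_expiry(not_after, now=None):
    """Days left on a certificate. `not_after` (and `now`, if given as a string)
    are in getpeercert() time format, e.g. 'Mar  3 00:00:00 2016 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (expires - now) / 86400


def summarize(cert):
    """Pull subject CN, issuer CN and the DNS SANs out of a getpeercert() dict."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": subject.get("commonName"), "issuer": issuer.get("commonName"),
            "sans": sans, "not_after": cert.get("notAfter")}


def check_vs(host, port=443, warn_days=30):
    """Connect to the VS and return a dict of findings; never raises on a bad chain."""
    # Default context = full chain and hostname verification against the system trust store,
    # which is what a client that has never seen your intermediate before does.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result = summarize(cert)
                result.update(ok=True, error=None,
                              protocol=tls.version(), cipher=tls.cipher()[0],
                              days_left=days_until_expiry(cert["notAfter"]))
                result["expiring_soon"] = result["days_left"] < warn_days
                return result
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: intermediate not imported with the leaf, wrong cert
        # assigned to the VS, expired cert, hostname not in the SANs.
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    for key, value in check_vs(host).items():
        print(f"{key:14} {value}")
```

Run it against the VS from a machine that has never visited the site; `ok: False` with a verify message about the issuer means the intermediate did not make it into the import.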