Tuesday 3 March 2015

Using Kemp Load balancer for SSL offloading for perfect forward secrecy and TLS1.x (A rating on SSL labs)

You may have already seen in my previous post how to perform SSL offloading to a Kemp Load Balancer, but another useful feature is setting the ciphers available to each Virtual Service to get a good "A" rating on the SSL Labs vulnerability scan of your site.

Setting ciphers on Windows for IIS requires a bit of PowerShell scripting, and there is a guide available here.

However, updating the SSL ciphers used on a Virtual Service (VS) in the load balancer is much easier. Once you have assigned an SSL cert, do the following to update the ciphers:

  • Click Virtual Services
  • Click View/Modify Services
  • Select the VS to update
  • You will note that SSL acceleration is Enabled and there is a Ciphers list, which by default just contains the default ciphers.
  • On the left column are the available ciphers - ticking the various options in the "Selection filters" check boxes on the right filters this list
  • Options required to filter the list: tick "Perfect Forward Secrecy", "No RC4" and "TLS 1.x Ciphers Only"
  • Highlight all of the available ciphers in the now filtered list
  • Click on the > button to move the selected ciphers over to the "Assigned Ciphers" list and be sure to click the "Set Ciphers" button to confirm the new ciphers

Test the SSL configuration here: https://www.ssllabs.com/ssltest/ but make sure to tick the box to not show the results of your test on the results board! You should get an A rating on your SSL configuration.
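
For a quick local check alongside the SSL Labs scan, the script below (an added example, not part of the original post or of Kemp's tooling) tests a negotiated cipher against the three filters ticked above. The function names, the hostname argument and the sample cipher list are assumptions made up for illustration; cipher names use OpenSSL's naming.

```python
import socket
import ssl

# Constructed samples: (OpenSSL cipher name, protocol version) pairs.
SAMPLES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2"),
    ("DHE-RSA-AES128-SHA", "TLSv1"),
    ("AES128-SHA", "TLSv1.2"),            # static RSA key exchange, no PFS
    ("ECDHE-RSA-RC4-SHA", "TLSv1.1"),     # PFS but RC4
    ("ECDHE-RSA-AES128-SHA", "SSLv3"),    # not a TLS 1.x protocol
    ("TLS_AES_128_GCM_SHA256", "TLSv1.3"),
]

def audit_cipher(name, protocol):
    """Check one (cipher, protocol) pair against the three filters."""
    # Forward secrecy needs an authenticated ephemeral (EC)DHE exchange.
    # TLS 1.3 suites (named TLS_* by OpenSSL) are always ephemeral.
    pfs = name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))
    no_rc4 = "RC4" not in name
    tls1x = protocol.startswith("TLSv1")
    return {"pfs": pfs, "no_rc4": no_rc4, "tls1x": tls1x,
            "ok": pfs and no_rc4 and tls1x}

def failing(pairs):
    """Return the cipher names that miss at least one filter."""
    return [name for name, proto in pairs if not audit_cipher(name, proto)["ok"]]

def probe(host, port=443, timeout=5.0):
    """Handshake with the Virtual Service and return (cipher, protocol, bits)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return name, tls.version(), bits

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g. python check.py www.example.com
        name, proto, bits = probe(sys.argv[1])
        print(name, proto, bits, audit_cipher(name, proto))
    else:
        print("failing samples:", failing(SAMPLES))
```

`probe` only reports the single suite the VS picks for this one client, so it confirms the preferred cipher rather than the whole assigned list; the SSL Labs scan is still what enumerates everything on offer.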
