15
DEPLOYMENT GUIDE
Microsoft Remote Desktop Services
` Create a new Client SSL profile
Select this option for the iApp to create a new Client SSL profile
i). Which SSL certificate do you want to use?
Select the SSL certificate you imported for this implementation.
ii). Which SSL private key do you want to use?
Select the associated SSL private key.
iii). Which intermediate certificate do you want to use?
Advanced
If your deployment requires an intermediate or chain certificate, select the appropriate certificate from the list.
Immediate certificates are intended to create a chain of trust between the CA that signed the certificate and the
CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the
certificates presented, even when the signing CA is unknown.
f Terminate SSL from clients, re-encrypt to servers (SSL Bridging)
Choose this method if you want the BIG-IP system to terminate SSL to process it, and then re-encrypt the traffic to the servers
(SSL Bridging). You need a valid SSL certificate and key for the client-side, and optionally for the server-side (see #b).
a. Which Client SSL profile do you want to use?
Advanced
Select whether you want the iApp to create a new Client SSL profile, or if you have already created a Client SSL profile
which contains the appropriate SSL certificate and key.
Unless you have requirements for configuring specific Client SSL settings, we recommend allowing the iApp to create a
new profile. To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is
not a part of this template; see Local Traffic >> Profiles : SSL : Client to create a Client SSL profile. To select any new
profiles you create, you need to restart or reconfigure this template.
` Select an existing Client SSL profile
If you created a Client SSL profile for this implementation select it from the list. If you select an existing Client SSL
profile, the rest of the questions in this section disappear. Continue with the next section.
` Create a new Client SSL profile
Select this option for the iApp to create a new Client SSL profile
i). Which SSL certificate do you want to use?
Select the SSL certificate you imported for this implementation.
ii). Which SSL private key do you want to use?
Select the associated SSL private key.
iii). Which intermediate certificate do you want to use?
Advanced
If your deployment requires an intermediate or chain certificate, select the appropriate certificate from the list.
Immediate certificates are intended to create a chain of trust between the CA that signed the certificate and the
CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the
certificates presented, even when the signing CA is unknown.
b. Which Server SSL profile do you want to use?
Select whether you want the iApp to create the F5 recommended Server SSL profile, or if you want to choose a Server SSL
profile you already created. In this scenario, the BIG-IP system is acting as an SSL client and by default, we assume the
servers do not expect the BIG-IP system to present its client certificate on behalf of clients traversing the virtual server. If
your servers expect the BIG-IP system to present a client certificate, you must create a custom Server SSL profile with the
appropriate certificate and key.
The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in
the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.
f Encrypted traffic is forwarded without decryption (SSL pass-through)
Choose this method if you do not want the BIG-IP system to do anything with encrypted traffic and simply send it to the Remote
Desktop Gateway servers. This is similar to SSL bridging, although in this case the system does not decrypt then re-encrypt the
traffic, it only sends it on to the servers without modification.