Configuring TLS support in a clustered environment

Jul 14th, 2008

Hi folks !

I couldn't find a definitive guide to TLS support in a clustered environment... So I'll give it a shout :)

Has anyone managed to configure TLS support in his/her cluster ?

My setup is as follows:
- we have two IronPorts, clustered, which are addressed using a common name through a hardware load balancer (mxfarm)
- Each IronPort is seen as a unique host when sending outbound email (ironport-1 and ironport-2)
- I have installed a certificate in MACHINE mode on each of them (i.e. one certificate for ironport-1, another for ironport-2)

Now, when I want to enable TLS (in cluster mode), I get the message that a security/key certificate hasn't been installed....

Sooooooooo, how should I do it?

Thanks !!
Frédéric Lens

kluu_ironport Mon, 07/14/2008 - 19:02

TLS on outbound is configured in [Mail Policies > Destination Controls]

TLS on inbound is under [Mail policies > HAT Overview > mail flow policies].

In your scenario, were you enabling TLS preferred/required for inbound traffic or outbound traffic? When you clicked on Mail Policies -> Destination Controls, were you still in [Cluster mode]?

You should be able to have your certs at Machine mode and enable TLS preferred/required at a Cluster level for both inbound and outbound.

frederic.lens Tue, 07/15/2008 - 11:40

Hi Kluu,

Indeed, TLS has been set to preferred for inbound AND outbound traffic.
The thing that confuses me is that, in cluster mode, when enabling TLS, the system says that I don't have any certificate. Which is kinda weird and normal at the same time, since I enable TLS in cluster mode and I have certificates installed in Machine mode.

Nevertheless, the system chooses the right certificates for TLS usage. I tested using OpenSSL and have seen the correct certs, so everything should be good :)

It's just that annoying message that I got, and that I can't get anymore!?
Weird, maybe it's just me :)

Cheers,
Fred

ava-iron_ironport Tue, 07/15/2008 - 16:16

Hi Networkh,

Try to insert one certificate in cluster mode:
- certconfig (SSH connection).
Configure inbound and outbound policies to use TLS.

I have done it and that's OK.

steven_geerts Tue, 07/15/2008 - 22:08

Hello,

We have four machines in a cluster, using TLS as default for inbound and outbound traffic.
Since we do not use load balancers we have individual certs for each machine. Besides that we have (company signed) certificates for each machine. These are used for systems management (HTTPS). (By the way... the certificate management is a terrible job if you have to maintain four machines with two certs each (and thus two certification paths). Hey Ironport: some major enhancements are possible on this field.....)
Since we use individual certs we have to install them in machine mode. The TLS policies are cluster based and this is configured and functioning without any problems.

I have a few attention points:
The certs that are installed before a machine has joined the cluster are removed the moment you add this machine to the cluster. This is normally not done very frequently, so I think this will not be the problem in this case, but it's good to know that after joining the cluster you have the initial demo certs active again.

Even if you buy certificates from commercial vendors you must be sure you install the complete certification path. We have Verisign certs and had to install the intermediate certificate to get the chain complete.

You mention you have connected your MGAs to an incoming load balancer and send out mail via the individual hosts. I expect you to utilize three IP addresses for that (one incoming that is assigned to the load balancer and two others for the MGAs' outgoing traffic). This means you must have three individual forward and reverse DNS entries. Since the CN of the cert must match the (public) DNS name of your system, you should have individual certs for inbound and outbound traffic. The inbound cert (and intermediate certs) must be the same on both machines, since these are presented to the outside world as if they were one and should match the forward DNS name of the load balancer IP address. The outbound certs must be unique for each machine, matching the reverse DNS name of that machine.

I have two points that I'm not sure of, maybe someone else can clear this up:
The SMTP greeting normally contains the public system's hostname. I do not know if you can configure individual SMTP greetings for inbound and outbound mail and, if this is possible, if the inbound greeting can be the same on two clustered machines. Since you have two machines combined behind a load balancer, I would expect them to present themselves to the public identically; for the outbound traffic the individual machine IP address is used, so I would expect the system to identify itself by the hostname that is in the PTR for the used IP address. Finally: I am not sure if this has any impact on TLS or not.

I always import all the intermediate certs for each cert I import. That means I install the two public intermediate certs twice and install the internal root and intermediate cert also twice. It might be sufficient to install both sets only once, but I have never tested this. Who can tell if I am forcing myself into too much work or not?

I hope you solve your problem. My experience is that starting with certificates is most of the time a PITA (Pain In The Ass) but if you have figured out how to do it for a particular system it becomes quite simple.

Best regards
Steven

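As an added example (not part of the thread, and not Cisco's or IronPort's code), here are the two checks Steven's post turns on, a complete certification path and a certificate name that matches the DNS name the peer connects to, carried out with Go's crypto/x509, which applies the same rules a TLS client applies to the certificate list a server presents. The root/intermediate hierarchy is generated in-process, and the names mxfarm.example.com and ironport-1.example.com are assumptions standing in for the poster's load-balancer name and one machine's PTR name. One caveat on top of the post: current verifiers, Go's included, match the hostname against the subjectAltName extension rather than the CN, so a certificate whose only name is in the CN fails the name check even though the post speaks of the CN.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a throwaway root -> intermediate hierarchy generated in-process,
// standing in for a commercial CA that signs through an intermediate.
type pki struct {
	inter    *x509.Certificate
	interKey *ecdsa.PrivateKey
	roots    *x509.CertPool // the peer's trust store: the root only
}

// issue generates a fresh P-256 key and signs tmpl with signer; a nil parent
// makes the certificate self-signed (the root).
func (p *pki) issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func newPKI() (*pki, error) {
	p := &pki{roots: x509.NewCertPool()}
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{
			Subject:               pkix.Name{CommonName: cn},
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := p.issue(ca("Example Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	if p.inter, p.interKey, err = p.issue(ca("Example Intermediate CA"), root, rootKey); err != nil {
		return nil, err
	}
	p.roots.AddCert(root)
	return p, nil
}

// serverCert issues a certificate for one DNS name from the intermediate.
func (p *pki) serverCert(name string) (*x509.Certificate, error) {
	cert, _, err := p.issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		DNSNames:    []string{name}, // verifiers match the SAN, not the CN
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, p.inter, p.interKey)
	return cert, err
}

// verifyPresented does what a TLS client does with the list the server sends (leaf
// first): trust only roots, use the rest as untrusted intermediates, check expectedName.
func verifyPresented(roots *x509.CertPool, expectedName string, presented ...*x509.Certificate) error {
	if len(presented) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: expectedName})
	return err
}

func main() {
	p, err := newPKI()
	if err != nil {
		panic(err)
	}
	inbound, _ := p.serverCert("mxfarm.example.com")  // one cert, installed on both machines
	out1, _ := p.serverCert("ironport-1.example.com") // per-machine cert, matching its PTR name
	fmt.Println("leaf only:         ", verifyPresented(p.roots, "mxfarm.example.com", inbound))
	fmt.Println("leaf+intermediate: ", verifyPresented(p.roots, "mxfarm.example.com", inbound, p.inter))
	fmt.Println("inbound cert, PTR: ", verifyPresented(p.roots, "ironport-1.example.com", inbound, p.inter))
	fmt.Println("outbound cert, PTR:", verifyPresented(p.roots, "ironport-1.example.com", out1, p.inter))
}
```

The first case fails with an unknown-authority error, which is what a receiving MTA sees when the intermediate is not installed on the appliance; the second passes once the intermediate is presented alongside the leaf; the third fails on the name, which is why the shared inbound certificate cannot double as a machine's outbound certificate. To run the same checks against a live system, capture the chain the appliance actually sends with `openssl s_client -starttls smtp -showcerts` and feed those certificates to verifyPresented instead of the generated ones.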
frederic.lens Wed, 07/16/2008 - 07:26

Hi Steven,

Many thanks for the detailed post.
Indeed we have three IP addresses; actually it's even worse than that, since we have two providers and are not running BGP (yet) (double IP addressing in place here... yippie!)

Fortunately we're migrating to a BGP environment :)
When we do, I'll remove the load balancing altogether and stick with DNS round robin for our inside hosts, and MX records for the Internet hosts.
That way, I'll be able to install correct certificates on the IronPort.

Good to know that you did the same as we did, though, installing the Certs at machine level and activating TLS at the Cluster level !

Cheers,
Fred
