Does that mean that the connection is only verified from the CSS to the SSL server and not from the client to the SSL server or do you need the client certificate on the end user client and the CSS? Or does it mean that anyone connecting to the CSS using SSL will be allowed to connect to the SSL web site as long as the CSS can authenticate with the SSL server?

I am just trying to understand how the end user can be authenticated using certificates if the CSS is acting as the client.

Many thanks

Since you are using end to end ssl. There are two ssl sessions.

First Session will be the client hitting the VIPs (listening on 443).Here you will be offloading SSL requests (using SSL Server Certificates & Keys).

Once the request is decrypted CSS will make the loadbalancing decision and will select a Real server from the avialble serevrs in the server farm.

If you want CSS to do the client authentication then you need to enable client authentication on CSS. Please look for "client authentication" section in the link I provided.

One the server is selected the Second session will be from CSS to the selected Real Server (Listening on secure port again). If this servers requires a client certificate to establish connection then you need to send the client certs in the requests to this real server.

HTH

Syed Iftekhar Ahmed

That info is great thanks! I may only use client authentication up to the CSS and then just plain SSL on the backend. Do you know if it is possible to use self signed certs for the client authentication on the CSS or do they need to be valid certs checked against a CRL?