Tuesday, September 15, 2009

ABI is now on SSL: URL changes

I have finally gotten around to placing SSL certificates on the ABI servers. This was particularly tricky due to the load balancing that these servers are doing on their HTTP connections via BIGIP.

Here are the non-technical changes that have happened (!) and those that are in the process of happening (?):
The URL for ABI is now available in SSL:

https://abi.chino.k12.ca.us  (!) Please note that going to https://abi will actually throw a “Certificate Invalid” error. The URL has to be complete. Unfortunately, this is not optional, as this URL will also be used to access ABI from the internet.

For now, http://abi and http://abi.chino.k12.ca.us are still valid. However, an HTTP META REFRESH redirect is in place that sends all users to the SSL site. There are still loopholes in this, and I would therefore like to do away with this method completely and turn off non-SSL access. (!)

The ABI Link on the website can now be changed to point to the new URL: http://abi.chino.k12.ca.us (?)

I’m still working with Jeremy from County to get a DNS entry for abi.chino.k12.ca.us. Once this is in place, the district website will need only one ABI link. There will be no more need to select “School Access” or “Home Access”. (?)

Slightly more technical changes:

To get the HTTPS protocol working on the ABI servers, which are load balanced with BIGIP, a new virtual server had to be created, as well as a new ABI_HTTPS_POOL. (!)

The additional virtual server entry points to 10.40.55.86:443, and the pool includes 192.168.1.70, 192.168.1.71, and 192.168.1.72 (port 443) in a Round Robin Balancing setup. (!)

An additional port on the Fortigate was opened to 163.150.226.86 –> 443. This IP will be the one corresponding to the ABI server. (!)

Once everything is completely SSL, and the users are used to that URL, I will be closing port 80 on the firewall, leaving only the SSL port open (?)

Also, when the link on the website is changed, I will remove the mapping to the Citrix interface which contained the old link to ABI, and close up the corresponding ports on the firewall.

  • These changes were made on 09/15/2009 between 9:00am and 2:00pm.

If any of you have ABI accounts, I would appreciate it if you could go ahead and give it a test run. I need a bunch of users logging in to make sure that the load balancing is working like it’s supposed to. From initial testing, it looked fine, but more testing never hurts.
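
The META REFRESH redirect mentioned above behaves differently from a server-side redirect, and the difference can be checked mechanically. The following is an added example, not part of the original post or the ABI setup: it classifies a plain-HTTP response as a 3xx redirect, an HTML-only meta refresh, or no redirect. The sample responses are constructed and all function names are hypothetical.

```python
import re
from html.parser import HTMLParser

HTTPS_URL = "https://abi.chino.k12.ca.us/"
# Constructed sample responses (status, headers, body); not captured from the real servers.
META_RESPONSE = (200, {"Content-Type": "text/html"},
    '<html><head><meta http-equiv="refresh" content="0; URL=%s"></head></html>' % HTTPS_URL)
SERVER_RESPONSE = (301, {"Location": HTTPS_URL}, "")
PLAIN_RESPONSE = (200, {"Content-Type": "text/html"}, "<html><body>Login</body></html>")


class _MetaRefresh(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))


def classify_redirect(status, headers, body):
    """Return (kind, target); kind is 'server', 'meta-refresh' or 'none'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "server", hdrs["location"]
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.targets:
        return "meta-refresh", parser.targets[0]
    return "none", None


def lands_on_https(response, client_renders_html):
    """True if this client ends up on HTTPS. Assumes the client follows 3xx
    redirects; a meta refresh only takes effect when the HTML is rendered."""
    kind, target = classify_redirect(*response)
    if kind == "none" or not target.lower().startswith("https://"):
        return False
    return kind == "server" or client_renders_html
```

A response classified as `meta-refresh` has already been served in full over plain HTTP, and a client that does not render HTML never leaves the non-SSL site.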
