Ankur_5273
Jan 26, 2015

Configure 2 URLs on same VIP and 2 SSL certificates

Hi Experts,

 

We are running LTM on version 11.2.1. Please assist on how to configure 2 website URLs on the same VIP, with each URL having an individual "SSL certificate" applied to it. Is it possible to assign multiple client SSL profiles to a Virtual Server? Although technically it is possible, I am not sure if it works fine.

 

Regards,

 

Ankur

 

10 Replies

  • While I haven't done this myself, I've done a little research on it, and I think what you're looking for is SNI (Server Name Indication). SOL3452 talks about setting up a VIP with SNI, and this article talks about it as well.

     

    You'll have to operate under the assumption that all your clients are using a browser (client) that supports SNI.

     

  • InnO

    Done it, SNI is very easy to implement. For each SSL Client Profile you want to link to your VIP, just select Advanced settings and jump to Server Name. Enter the FQDN of your URL in that field (myhost.mydomain.com). This is where the segregation between multiple profiles will occur.

     

    One thing: one of your Client SSL profiles must have the Default SSL Profile for SNI checked.

     

    And as previous posts state, the browser used needs to support SNI.

     

  • Hi All

     

    Thanks for the suggestions; however, I would like to know how I can ensure that all clients are using a browser (client) that supports SNI?

     

    Regards

     

    Ankur

     

  • InnO

    Check Wiki here

     

    It gives some clues about browser compatibility.

     

  • Hi

     

    Thanks again for the reference. Consider that there are multiple client SSL and server SSL profiles tied to the same Virtual Server. In that case, will the client SSL profile (e.g. ClientProfA) automatically match its corresponding server SSL profile (e.g. ServerProfA)?

     

    Ankur

     

  • InnO

    Server SSL Profiles also have a custom field for Server Name Indication, so yes, it should match.

     

    However, I never had to play with multiple Server SSL profiles linked to a single VS, as most of the time here our Big-IPs are simple clients to the back-end servers, and therefore the simple, default serverssl profile is enough.

     

  • Hi,

     

    1) As mentioned in the above posts, "One of your Client SSL profiles must have the Default SSL Profile for SNI checked". If I have 3 Client SSL profiles on one VIP, does that mean that in one of the profiles I have to select both "Server Name" and "Default SSL Profile for SNI"?

     

    Also, if the website is www.myportal.com, then should the FQDN of the URL to be filled in the "Server Name" field be portal.com?

     

    2) Consider the case of multiple Client and Server SSL profiles. For every Client SSL profile with a specific "Server Name" option filled in, do I have to mention the same "Server Name" in the corresponding Server SSL profile as well?

     

    Ankur

     

  • Hi Experts,

     

    Can you please let me know the following:

     

    1) As mentioned in the above posts, "One of your Client SSL profiles must have the Default SSL Profile for SNI checked". If I have 3 Client SSL profiles on one VIP, does that mean that in one of the profiles I have to select both "Server Name" and "Default SSL Profile for SNI"?

     

    Also, if the website is www.myportal.com, then should the FQDN of the URL to be filled in the "Server Name" field be myportal.com?

     

    2) Consider the case of multiple Client and Server SSL profiles. For every Client SSL profile with a specific "Server Name" option filled in, do I have to mention the same "Server Name" in the corresponding Server SSL profile as well?

     

    Regards,

     

    Ankur