Forum Discussion

SteveD1979's avatar
SteveD1979
Icon for Cirrostratus rankCirrostratus
Aug 01, 2024

Help with SNI for multiple VIPs hosted on same server

Hi I wanted to see if someone could help me with this setup.  I've configured other VIPs in the past to use SNI by running this command and then creating the ssl profile with the hostname.   tmsh m...
application delivery
Paulius's avatar
Paulius
Icon for MVP rankMVP

Are you having an issue with the health monitor or the virtual server SSL profile configuration? If it's the monitor, you will need to create a unique health monitor per FQDN you need to check and then use the relevant SSL profile in the health monitor for that specific FQDN. For the virtual server you enable SNI and make sure to mark down the default SSL cert for SNI, which is configured in the SSL profile. After you have done the previous piece you should be able to associate the additional SSL profiles for SNI to work on the virtual server, assuming the client is capable of SNI and is using it.

SteveD1979's avatar
SteveD1979
Icon for Cirrostratus rankCirrostratus
Aug 02, 2024

The monitor is failing but I'm not really worried about that.  I don'5t know what it is but the applications are failing.  All except for the last one I i configure.

app 1 VS IP 10.1.1.1

app 2 VS IP 10.1.1.2

app 3 VS IP 10.1.1.3

so on for the next 5

 

They all share 1 pool which is a Windows server with IIS installed and web applications working and the same client SSL cert with each FQDN for each VS IP in the SAN.  The server side SSL cert is unique with each apps FQDN in the server name field and this command run for each VIP.

 

tmsh modify ltm virtual <virtual server> serverssl-use-sni enabled

 

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Aug 04, 2024

    If you can provide a topology, your existing configuration, and then the failing configuration I might be able to assist you further but I'm have a difficult time understanding the issue here and where the failure is occurring without this information.

    • SteveD1979's avatar
      SteveD1979
      Icon for Cirrostratus rankCirrostratus
      Aug 05, 2024

      I'm not sure what else you're asking for.  There are 8 apps all hosted on one Windows IIS server.  Each of those 8 apps has it's own unique VIP on the F5 with it's own unique IP address.  The VIPs all share the same client side SSL profile.  The server side SSL profile i'm updating to include the FQDN for each separate application in the server name field and giving each VIP it's own.

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP
        Aug 06, 2024

        Without being able to see the configuration that isn't working it's difficult to say why this isn't working for you. If you configured a default SNI SSL profile for each of those virtual servers then this should be working. The only thing I could see possibly being an issue is if you're doing backend SSL and the server is expecting an SNI from the F5.