Implement selective SSL offload

Question

Hi guys.&nbsp;
My client`s BIGIP have following configuration.&nbsp;
VIP : 211.233.44.50:80fastL4 persist(match across service) mypool:80
VIP : 211.233.44.50:443fastL4 persist(match across service) mypool:443&nbsp;
In client`s DNS -&gt; about 30 domain mapping on 211.233.44.50 /&nbsp;
In this case.&nbsp;
I`m going to add certificate to ssl-offload about 10 domain.&nbsp;
And other 20 domain -&gt; just L4 SLB In the same way as before.&nbsp;
Is it technically feasible to apply SSL-Offload to a domain with a certificate for one VIP and apply L4 SLB for a domain without a certificate?&nbsp;

simon_blakely · Answer

You can't add Client-SSL profiles to fastL4 virtuals - they will need to be standard virtuals.&nbsp;
You can add multiple Client-SSL certificates to a virtual using SNI to select the appropriate certificate, but you need to have a default Client-SSL certificate for SNI to present when none of the specific SNI names match. You will also need a serverside SSL profile.&nbsp;
You could use an iRule that snoops the TCP connection looking for an SNI header, and disables the client-side and server-side ssl profiles for passthrough if they don't match the correct domains, but that is complex, and I think it would be better to go the whole way and just offload everything.&nbsp;

Forum Discussion

Implement selective SSL offload

Recent Discussions

APM for banner and cert

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

XC Bot defense question

Big-IP not recognized by Big-IQ

Related Content

CORS implementation

Implementing basic OAuth with F5 BIG-IP APM

API Security: How to implement API Access Control with F5

BIG-IP and OPSWAT Together Implement DLP for AI Traffic

Implementing SSL Orchestrator with OPSWAT MetaDefender

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS