Forum Discussion
hooleylist
Mar 10, 2009
From the LTM perspective, if you want to be able to specify that requests with a host header for site1.com go to one pool of web servers and requests for site2.com go to a second pool of web servers, you need to either:
1. Be able to decrypt the SSL to view which host the request is for. This would require using a single SSL certificate in a client SSL profile. LTM would then present the cert to clients and decrypt the SSL to check the HTTP host header. You cannot dynamically select the "correct" cert of two choices, because you have to decrypt the SSL to know which cert is valid for the client's requested host. So if you could get a single cert valid for site1.com and site2.com, this option would work. You can potentially get a single cert for two separate domains using Subject Alternate Names (SANs). Most modern browsers and many certificate authorities support SANs.
2. Or you need to be able to use DNS to point the domains to separate IP addresses. You can then use a single certificate per IP address. With this option you could either decrypt the SSL on LTM or pass it through encrypted. The former option would give you more flexibility in inspecting/modifying the HTTP.
Aaron
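As an added example (not from the original post), an iRule for option 1: once LTM has decrypted the TLS session with a single SAN certificate, it picks the pool from the HTTP Host header. The pool names site1_pool and site2_pool are assumptions.

```tcl
# Added example, not from the original post. Assumes a client SSL profile
# with one certificate valid for both site1.com and site2.com is attached
# to the virtual server, so HTTP_REQUEST fires on the decrypted request.
# Pool names site1_pool and site2_pool are placeholders for your own config.
when HTTP_REQUEST {
    # The Host header may carry a port (e.g. site1.com:443); keep only the
    # name part and lowercase it, since hostnames are case-insensitive.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "site1.com" {
            pool site1_pool
        }
        "site2.com" {
            pool site2_pool
        }
        default {
            # A missing or unexpected Host must not fall through to an
            # arbitrary pool; log it and answer 404 so misdirected or
            # probing requests stay visible rather than silently served.
            log local0. "Unmatched Host header '[HTTP::host]' from [IP::client_addr]"
            HTTP::respond 404 content "Unknown host" noserver
        }
    }
}
```

Because the match is on the decrypted Host header rather than on the certificate, this only works when the single certificate presented by the client SSL profile is valid for every host the rule routes.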