Source Nat Based on ISP
OK, I will check the above iRule and test the same. Thanks for your response.
I'll update status here.
An iRule isn't necessary. You're looking for a feature built-in to the TLS protocol called SNI. You can read more about how to use it on BIG-IP here: https://support.f5.com/csp/article/K13452
I have the same setup in my environment, using multiple certificates. As Brian mentioned above, the feature you're looking for is called SNI. Assign the SSL Profiles you're wanting to use to the VS. The F5 will then select the profile to be used accordingly.
The only gotcha is one of the SSL profiles has to be the SNI Default. This is basically for older browsers that don't support SNI; they will always default to this certificate no matter the host name (honestly we've used this for a while and have never received a complaint).
The "SNI Default" checkbox is found in the SSL Profile configuration. (Local Traffic > Profiles > SSL)
EDIT: I think it's noteworthy to mention I also have an iRule to connect to different pools on the same VS that's using SNI to handle multiple certificates.
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "sni1.test.com" { pool sni1test }
        "sni2.test.com" { pool sni2test }
    }
}
- brepav123_22459, Feb 09, 2018
That's exactly what I was looking for. Much appreciated!