Forum Discussion
Martin_Smith_58
Nimbostratus
Oct 19, 2012
Regular SSL/TLS for user connections to the LTM, with SNI support from LTM to the real webservers?
Hi there --
We have a client base that we truly can't force to support TLS SNI for HTTP traffic. However, we'd like to limit the number of IPs we put on our backend webservers. I'm wondering if ...
Kevin_Stewart
Employee
Oct 19, 2012
That's an interesting question. So, in v11 at least, BIG-IP does support server-side SNI. If you plug a server name into the server SSL profile's Server Name block, you'll actually see the SNI extension information in the CLIENTHELLO message coming from BIG-IP. That of course implies that you have a different server SSL profile for every back-end SNI host and switch profiles in an iRule (see https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx), but that's probably not too tedious.
Interestingly, and I'm frankly not sure why this worked, but I was also able to leave the Server Name field blank and set the HTTP host header in an iRule to get it to switch between SNI servers.
HTTP::header replace Host "sslapp1.alpha.com"
Again, completely counter-intuitive, and didn't see the SNI extension information in the CLIENTHELLO, but was definitely able to switch between the SNI hosts consistently. Anyone know why that works???
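The profile-switching approach from the reply above, written out as a complete iRule. This is an added example, not code from the original thread or from F5; the profile names (serverssl_app1, serverssl_app2), the hostnames and the hypothetical static::sni_profiles mapping are assumptions, as is the placement of SSL::profile in HTTP_REQUEST (the SSL::profile wiki page linked above documents the command; confirm the event it accepts on your version). Each server SSL profile is assumed to have its Server Name field set to the back-end hostname it maps to, and the virtual server is assumed to already have a default server SSL profile attached so that there is something to switch from.

```tcl
# Added example (not from the original post): select a server SSL profile
# per back-end SNI host based on the client's Host header.
#
# Assumptions (hypothetical, adjust to your configuration):
#   - server SSL profiles serverssl_app1 / serverssl_app2 exist, each with
#     Server Name set to the matching back-end hostname
#   - the virtual server has a default server SSL profile attached
#   - SSL::profile called in HTTP_REQUEST switches the server-side profile
#     (documented on the SSL::profile wiki page; verify on your version)
#   - requests for hosts not in the map are rejected rather than sent to a
#     back end with the wrong SNI name

when RULE_INIT {
    # Hypothetical map: front-end Host header -> server SSL profile name.
    array set static::sni_profiles {
        "sslapp1.alpha.com" "serverssl_app1"
        "sslapp2.alpha.com" "serverssl_app2"
    }
}

when HTTP_REQUEST {
    # Normalize the Host header: lower-case and drop any :port suffix so
    # "SSLApp1.alpha.com:443" still matches the map.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { [info exists static::sni_profiles($host)] } {
        # Switch the server-side SSL profile; the Server Name configured in
        # that profile is what BIG-IP puts in its CLIENTHELLO SNI extension.
        SSL::profile $static::sni_profiles($host)
    } else {
        # Fail closed: an unmapped host would otherwise be sent to a back end
        # under whatever profile was negotiated last.
        HTTP::respond 503 content "No back end configured for host $host" "Connection" "close"
        return
    }
}
```

Two practical caveats. First, a persistent client connection that carries requests for more than one host will reuse the already-established server-side connection, so the SNI sent on that connection's first handshake is the one that sticks; if that matters, force a new server-side connection (for example with LB::detach) when the selected profile changes. Second, verify the result the same way the reply above does: capture the server-side traffic and check that the CLIENTHELLO from BIG-IP actually carries the expected server_name, rather than trusting that the profile switch took effect.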