For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Erich_Rockman_1's avatar
Erich_Rockman_1
Icon for Cirrus rankCirrus
Apr 28, 2014

single ip / ssl profile / iapp template

I am relatively new to F5 iRules and I hope someone can help me out. I have a single public IP that will host many sites including:

 

  1. Exchange 2013 created with the iapp template (443 client / 80 server)
  2. ADFS 3.0 (requires SNI) (443 client / 443 server)

I have a wildcard CA cert. I have both the sites working separately on 2 different IPs, but I need to find a way to merge them into 1. The iapp template created a vip that does not have pools, only iRules that call pools. They both require different client SSL profiles (1 SNI/1 No SNI) and only 1 requires a server SSL profile.

 

Thanks.

 

application delivery
deployment
devops
iApps
iRules
LTM
sni

5 Replies

  • Mahmoud_Eldeeb_'s avatar
    Mahmoud_Eldeeb_
    Icon for Cirrostratus rankCirrostratus
    Apr 28, 2014

    You may want to explore ProxyPass

     

    https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx

     

  • Mahmoud_Eldeeb_'s avatar
    Mahmoud_Eldeeb_
    Icon for Cirrostratus rankCirrostratus
    Apr 28, 2014

    Also, APM portal will give this capability.

     

    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-portal-access-11-5-0/1.html

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 29, 2014

    Perhaps the easiest thing would be a VIP-targeting solution. Layer an external LTM VIP with SSL offload in front of your internal application VIPs. You don't necessarily need to worry about SNI here as long as the external VIP is decrypting the client side SSL (you can optionally re-encrypt to the internal VIPs) and 2) the sites use different resolved host names.

    when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "owa.domain.com" { virtual oa_vip }
        "adfs.domain.com" { virtual adfs_vip }
        default { reject }
    }
}

    The one significant caveat here might be if you needed client certificates at the application VIPs, which would be highly difficult to achieve with VIP targeting.

  • Erich_Rockman_1's avatar
    Erich_Rockman_1
    Icon for Cirrus rankCirrus
    Apr 29, 2014

    That is what I was trying. I get to the application vip, then it drops. the pool is running on 443 as there is no way to offload it (cant turn it off on the application).

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 29, 2014

    I don't remember if I've tested this specifically, but you should be able to employ ProxySSL with similar logic to route the traffic based on layer 7 Host information (without terminating the SSL).

    when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "owa.domain.com" { pool oa_pool }
        "adfs.domain.com" { pool adfs_pool }
        default { reject }
    }
}

    You'd need to use the same wildcard cert and private key on both servers, and also plant the private key on the F5 for ProxySSL. Given that you're not terminating SSL, I'm guessing you also need something like source address persistence.

    So when you say you can't offload the SSL, does that also mean you can't terminate and re-encrypt also?