For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Erich_Rockman_1's avatar
Erich_Rockman_1
Icon for Cirrus rankCirrus
Apr 28, 2014

single ip / ssl profile / iapp template

I am relatively new to F5 iRules and I hope someone can help me out. I have a single public IP that will host many sites including:   Exchange 2013 created with the iapp template (443 client / 80...
application delivery
deployment
devops
iApps
iRules
LTM
sni
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 29, 2014

I don't remember if I've tested this specifically, but you should be able to employ ProxySSL with similar logic to route the traffic based on layer 7 Host information (without terminating the SSL).

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "owa.domain.com" { pool oa_pool }
        "adfs.domain.com" { pool adfs_pool }
        default { reject }
    }
}

You'd need to use the same wildcard cert and private key on both servers, and also plant the private key on the F5 for ProxySSL. Given that you're not terminating SSL, I'm guessing you also need something like source address persistence.

So when you say you can't offload the SSL, does that also mean you can't terminate and re-encrypt also?