SNI Implementation
Thank you both for the explanations. I should have added in my original post that this was my first time working with anything SNI, so maybe I have a misunderstanding that I haven't realized yet.
I now understand that not seeing the server_name extension from the server side of the BIGIP is the expected behavior, but that design decision confuses me. Currently, without the BIGIP involved, the web front end receives client hello packets with this extension and it works properly. So why wouldn't the BIGIP be designed to send them?
On the web front end, IIS currently has only two sites. One is configured to require SNI (this is a check box in the binding section), the other site has the box unchecked. The box being checked for the one site gave me the impression that the site won't work without the server_name extension.
In the meantime, I will attempt my configuration like the diagram by Rodrigo.
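The observation above (no server_name extension visible in the ClientHello the BIG-IP sends to the pool member) can be checked directly on the bytes of a server-side capture rather than by eye in a packet decoder. The following Python is an added example, not code from this thread or from F5: it builds minimal TLS 1.2 ClientHello records (constructed samples, not real captures) with and without the RFC 6066 server_name extension, and extracts the host name from any extension list it finds. The host name and the cipher suite in the builder are assumptions chosen for the sample; on a real capture you would pass `extract_sni()` the TCP payload of the first record on the server-side connection.

```python
"""Build and parse TLS ClientHello records to check for the server_name (SNI) extension."""
import struct

SNI_EXT_TYPE = 0          # server_name, RFC 6066 section 3
EC_POINT_FORMATS_TYPE = 11  # an unrelated extension, used to show the parser skipping others


def build_client_hello(sni=None, include_other_ext=True):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    sni=None with include_other_ext=False yields a hello with no extensions block at all;
    sni=None with include_other_ext=True yields an extensions block without server_name.
    """
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros for a deterministic sample)
        + b"\x00"              # empty session_id
        + b"\x00\x02\xc0\x2f"  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (assumed)
        + b"\x01\x00"          # compression_methods: null only
    )
    exts = b""
    if include_other_ext:
        # ec_point_formats: list length 1, format uncompressed(0)
        exts += struct.pack("!HH", EC_POINT_FORMATS_TYPE, 2) + b"\x01\x00"
    if sni is not None:
        host = sni.encode("idna")
        server_name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        sni_list = struct.pack("!H", len(server_name)) + server_name
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name host from a ClientHello record, or None if the extension is absent.

    Raises ValueError when the bytes are not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    if pos == len(body):
        return None                                    # legal: no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions length exceeds ClientHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


def classify(record):
    """One-line verdict for triaging a server-side capture."""
    try:
        sni = extract_sni(record)
    except (ValueError, IndexError, struct.error) as exc:
        return f"not a ClientHello ({exc})"
    return f"ClientHello with server_name={sni}" if sni else "ClientHello without server_name"


if __name__ == "__main__":
    for sample in (build_client_hello("www.example.com"),
                   build_client_hello(),
                   build_client_hello(include_other_ext=False)):
        print(classify(sample))
```

A hello that parses as "without server_name" on the server side of a standard serverssl profile is exactly the expected behaviour discussed in this thread; the same parser applied after enabling the forwarding configuration should then report the host name.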
- May 01, 2019
BIG-IP is designed to do this too but SNI was not designed for this. I'd advise you to have a look at SSL Forward Proxy (SNI is forwarded all the way through here) or you can use the injection iRule if that works for you.
- Scott123456789, May 01, 2019, Cirrus
Thank you, Rodrigo. I will look into SSL Forward Proxy.
- Scott123456789, May 01, 2019, Cirrus
I've read a bit about the SSL Forward Proxy and I can see how the web server in the pool will get the server_name extension. But I cannot have two certificates and keys in the client ssl profile, so do I just configure two separate client ssl profiles and add them both to the virtual server? I'm not sure what certificates are supposed to be in the SSL Forward Proxy portion of the configuration either.
- May 02, 2019
It should be a custom CA certificate that is trusted by the clients' browsers going through BIG-IP. If your clients are going to access the Internet, then SSL Forward Proxy might be a good solution. Other than that, if you want your web servers to be exposed, for example, and they use a server certificate, you can look into Proxy SSL. I believe Proxy SSL also allows the server_name extension to go through.
- Scott123456789, May 06, 2019, Cirrus
The BIGIP is not involved in clients accessing the internet. The BIGIP is acting as a load balancer for these sites. When I configure the proxy SSL, it does not seem to be compatible with any SNI settings. If I set two Client SSL profiles to use the different certificates, it won't allow the configuration and gives the error message "Virtual server /Common/ has more than one clientssl/serverssl profile but none of them is default for SNI." If I add in the client SSL profile with the default SNI set, I get the error message "Configuration error: SSL Proxy state on clientssl profile(s) and/or serverssl profile(s) doesn't match on Virtual Server (/Common/)"