Forum Discussion
SNI Implementation
Thank you both for the explanations. I should have added in my original post that this was my first time working with anything SNI, so maybe I have a misunderstanding that I haven't realized yet.
I now understand that not seeing the server_name extension from the server side of the BIGIP is the expected behavior, but that design decision confuses me. Currently, without the BIGIP involved, the web front end receives client hello packets with this extension and it works properly. So why wouldn't the BIGIP be designed to send them?
On the web front end, IIS currently has only two sites. One is configured to require SNI (this is a check box in the binding section), the other site has the box unchecked. The box being checked for the one site gave me the impression that the site won't work without the server_name extension.
In the meantime, I will attempt my configuration like the diagram by Rodrigo.
BIG-IP is designed to do this too, but SNI was not designed for this. I'd advise you to have a look at SSL Forward Proxy (SNI is forwarded all the way through here) or you can use the injection iRule if that works for you.