For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
Apr 30, 2019

SNI Implementation

My F5 is running version 13.1.1.4.0.0.4. My organization has an existing web application that uses SNI. One URL does authentication based on certificates, the other URL does authentication based on A...
application delivery
LTM
security
sni
Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
May 01, 2019

Thank you both for the explanations. I should have added in my original post that this was my first time working with anything SNI, so maybe I have a misunderstanding that I haven't realized yet.

 

I now understand that not seeing the server_name extension from the server side of the BIGIP is the expected behavior, but that design decision confuses me. Currently, without the BIGIP involved, the web front end receives client hello packets with this extension and it works properly. So why wouldn't the BIGIP be designed to send them?

 

On the web front end, IIS currently has only two sites. One is configured to require SNI (this is a check box in the binding section), the other site has the box unchecked. The box being checked for the one site gave me the impression that the site won't work without the server_name extension.

 

In the mean time, I will attempt my configuration like the diagram by Rodrigo.

 

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
May 01, 2019

I've read a bit about the SSL Forward Proxy and I can see how the web server in the pool will get the server_name extension. But I cannot have two certificates and keys in the client ssl profile, so do I just configure two separate client ssl profiles and add them both to the virtual server? I'm not sure what certificates are supposed to be in the SSL Forward Proxy portion of the configuration either.