F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

K-Dubb's avatar
K-Dubb
Icon for Nimbostratus rankNimbostratus
Mar 12, 2019

SNI

Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols? This article indicates that each profile can have different security requir...
application delivery
LTM
security
KeesvandenBos's avatar
KeesvandenBos
Icon for MVP rankMVP
Mar 12, 2019

Set up VIP targetted VIP and use a traffic policy.

 

First VIP listens on 443 and had has no ssl profiles, snat or http profile. It only has a local traffic policy.

 

This policy will forward traffic to a targetted vip (1 vip per client ssl profile) based on the SNI name in the TLS client hello.

 

 

Per targetted VS you have a client ssl profile with the correct certificate and ciphers, http profile.

 

Some useful resources:

 

https://devcentral.f5.com/articles/lightboard-lessons-vip-targeting-vip

 

https://devcentral.f5.com/articles/sni-routing-with-big-ip-31348