SNI Routing with BIG-IP

adding the second virtual for completeness. In this case the SSL certificate is known by the BIG-IP (app1.example.com). The second pool "test_ssl" points directly to the backend web server and the BIG-IP does not have the certificate (app2.example.com).

The virtual listens on port 9443, but you could also use a different private address and/or restrict connections (i.e. set the source to be 192.0.2.10/32).

ltm virtual test_ssl_vs {
    destination 192.0.2.10:9443
    ip-protocol tcp
    mask 255.255.255.255
    pool test_pool
    profiles {
        app1.example.com_clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 10
}