Technical Forum topics

Multiple two-way SSL client Profiles - possible?

Adrian_Turcu — Fri, 12 Jun 2026 09:45:20 GMT

Hello
To simply describe my situation:

multiple end-users with client SSL certs generated by different CAs (down to rootCAs, which are different)
one VIP to server them all and perform two-way SSL with "peer-cert-mode required" in the client-ssl profile.
the FQDN for the VIP is the same for all end-users, so the server-side certificate is the same for all of them
platform used: redundant BigIP LTM i4800 running v17

My initial reaction was to "bundle" all the different CAs into one file and use it as such under the client-ssl profile (it works)

But... I was thinking if I could create and attach to the VIP multiple client-ssl profiles for each of the CAs (each with its own defined ca-file), using the same server-side certificate (with at least one of these profiles to have the sni-default set to true), and also keeping the "peer-cert mode required" for each of these distinct client-ssl profiles. Would this even be possible, what would this break or what gotchas I should be aware of,?

ltm profile client-ssl mTLS-profile1 { ca-file firstCA.crt cert serverSide.crt chain serverSide-chain.crt key serverSide.key peer-cert-mode require retain-certificate false sni-default true } ltm profile client-ssl mTLS-profile2 { ca-file secondCA.crt cert serverSide.crt chain serverSide-chain.crt key serverSide.key peer-cert-mode require retain-certificate false sni-default false } ltm profile client-ssl mTLS-profile3 { ca-file thirdCA.crt cert serverSide.crt chain serverSide-chain.crt key serverSide.key peer-cert-mode require retain-certificate false sni-default false } ltm virtual server-fqdn-vip { ... profiles { mTLS-profile1 { context clientside } mTLS-profile2 { context clientside } mTLS-profile3 { context clientside } } ... }

Thank you in advance

Adrian

AS3 per-app JSON schema issue

mkyrc — Thu, 11 Jun 2026 22:20:31 GMT

Hello,

I'd like to validate per-app declaration against vendor specific `per-app-schema` json schema file in vscode editor. Therefore I added there '$schema' object with valid schema file url, but it seems, that `$schema` object is not valid for per-app declaration.

Here is my simple example (f5as3-ltm_app-based.cfg.yaml.as3.json file):

{ "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json", "schemaVersion": "3.54.0", "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d", "controls": { "class": "Controls", "logLevel": "debug", "trace": true }, "app_test": { "class": "Application", "mon-tcp_test": { "class": "Monitor", "monitorType": "tcp", "remark": "AS3>app_test" } } }

When I validate this file against per-app-schema.json it fails with this message:

$ jsonschema -i f5as3-ltm_app-based.cfg.yaml.as3.json per-app-schema.json https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json: 'https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json' is not of type 'object' $schema: '$schema' does not match '^[A-Za-z][0-9A-Za-z_.-]*$'

When '$schema' object is removed, validation using e.g. jsonschema is correct, but vscode can't validate edited file. I know, that I can map file to local schema file, but I'd like to use '$schema' object with url to vendor's schema file.

It works for 'tenant-based' declaration (in vscode, also validation using e.g. jsonchema is correct):

{ "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/as3-schema.json", "class": "AS3", "action": "deploy", "persist": true, "declaration": { "class": "ADC", "schemaVersion": "3.56.0", "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d", "updateMode": "selective", "tenant_test": { "class": "Tenant", "defaultRouteDomain": 0, "app_test": { "class": "Application", "mon-tcp_test": { "class": "Monitor", "monitorType": "tcp" } } } } }

I checked per-app-schema.json file and it seems, '$schema' object is not valid configuration object - why? :)

martin

F5 https monitor receive string

antesmol — Thu, 11 Jun 2026 17:30:17 GMT

Hello,

I am testing an HTTPS monitor on BIG-IP 17.1.2.

The server endpoint returns:

HTTP/1.1 200 OK when the service is healthy

HTTP/1.1 503 Service Unavailable when the service is unhealthy

This behavior has been confirmed from the F5 using:

curl

In the HTTPS monitor, I tried the following Receive Strings:

-HTTP/1.1 200

-200 OK

- HTTP 200

but the monitor stays DOWN.

If I use:

-ok||200

the monitor goes UP, however it also remains UP when the endpoint returns HTTP 503.

My question is:

How can I configure a standard HTTPS monitor so that it is UP only when the endpoint returns HTTP 200 and DOWN when it returns HTTP 503?

Thank you.

F5 LTM Virtual Server IP NAT Configuration

DanielHadush — Thu, 11 Jun 2026 11:59:00 GMT

If from firewall side needs to do NAT Server Mapping between My Virtual Server IP and One public IP and the connection is outbound only , will i give Virtual Server IP or F5 Self-IP to security Team to do the NAT Mapping.

From My Understanding i should give them self-Ip since Since F5 will change the source Ip to Self-Ip when going out.

setup F5vpn using key stored in TPM?

adibablu — Thu, 11 Jun 2026 10:32:32 GMT

Can I setup an F5VPN connection using a key generated and stored inside the TPM of my Linux laptop? Platform is Debian 13? AFAICT f5fpc is based upon openssl (which could imply PKCS#11 support), but the documentation doesn't mention it.

https://techdocs.f5.com/en-us/edge-client-7-2-4-1/big-ip-access-policy-manager-edge-client-and-application-configuration-7-2-4-1/clients-for-linux.html

The openconnect F5 implementation is not an option, unfortunately, due to company policy.

Opera Browser APM policy logout error code 25

Ozzy — Thu, 11 Jun 2026 06:19:28 GMT

Hello,

We publish more than 300 applications on F5. I apply APM (Multidomain) policy in most of them. I changed my browser today. I installed Opera. However, while some sites work smoothly with APM, some sites get mypolicy/logout.errocode 25. I didn't see any problems with session cookies. Has anyone encountered this error?

All other applications work in Chrome and Edge without any problems.

URI-based Blocking vs. IP-based Ban in irules

mervesassmaz — Mon, 08 Jun 2026 12:21:22 GMT

I’m currently working on a security implementation using F5 BIG-IP iRules to mitigate malicious activity targeting a specific URI /contact-us on our web application. I’m debating the best approach regarding scope and impact, and I would love to hear your insights or "lessons learned" from your own deployments. We are protecting a specific endpoint from anomalous requests potential injection/brute force attempts. My primary goal is to ensure the security of this endpoint without causing unnecessary disruption to legitimate users or creating a management overhead. When we detect an anomaly, should we stick to URI-level blocking dropping/rejecting only that specific request or move to IP-based banning adding the source IP to a table for a set duration? What are your recommended strategies for handling false positives when using iRules ?

Big-IQ: VS connection/pool stats visible, but Virtual Server health status not displayed

jparri2323 — Sat, 06 Jun 2026 17:39:52 GMT

I have version 8.4.0 Big-IQ and 17.1.3 Big-IP VE(Azure). Required communication is flowing from what I can tell between Big-IP<->DCD and Big-IP<->CM and necessary ports open. However, when I enable stats collection, it comes back with 'Version: not available" for Stats Collection Agent. In the CM restjavad logs, it mentions that Big-IP doesn't have version(8.1.0.1), so keeps trying to reinstall version 8.1.0.1 continuously. Although Big-IP clearly does have that version downloaded/installed from Big-IQ. I have other devices with same version of iapp.analytics and its fine.

Main issue is that we cant see Virtual Server health(green/red). Although when I go to 'Monitoring' tab, I can see Virtual Server/Pool connection stats once I 'Enable' stats. So stats are being sent from Big-IP VE.

I removed/re-imported services but that didn't help. Im not sure if I need to clear-rest-storage on Big-IP. Although Im hesitant to do that, since license is managed from Big-IQ. Last resort could be remove devices completely and re-add.

This never worked for this particular HA pair. Configuring stats collection is new for this pair.

Thoughts? Anybody have similar issue?

ISP Link Load Blancing Use Case

himanshugandhi — Fri, 05 Jun 2026 08:47:09 GMT

Hello everyone,

I have a requirement to implement source-based outbound routing across two ISP links on a BIG-IP LTM and I am looking for guidance on the correct way to achieve this

Environment:

- BIG-IP LTM (version: fill in your version)

- Two ISP links: ISP-1 (Airtel) and ISP-2 (TCL)

- Behind the BIG-IP there is a firewall

- Behind the firewall there are two internal subnets:

- 10.20.0.0/24 — this subnet should use ISP-1 (Airtel) for internet access

- 10.50.0.0/24 — this subnet should use ISP-2 (TCL) for internet access

The firewall's default gateway points to the BIG-IP internal interface

Requirement:

1. When both ISP links are UP:

- Traffic from 10.20.0.0/24 must go out via ISP-1 (Airtel)

- Traffic from 10.50.0.0/24 must go out via ISP-2 (TCL)

2. When ISP-1 (Airtel) goes DOWN:

- Traffic from 10.20.0.0/24 should automatically failover and go out via ISP-2 (TCL)

3. When ISP-2 (TCL) goes DOWN:

- Traffic from 10.50.0.0/24 should automatically failover and go out via ISP-1 (Airtel)

4. When the failed link recovers, traffic should automatically return to its preferred ISP.

In short — each subnet has a preferred ISP, but if that ISP is down, it should fall back to the other ISP automatically. Both failover directions must work.

What I want to know:

1. What is the correct and recommended way to achieve this on BIG-IP LTM?

2. What objects need to be configured — Virtual Servers, Pools, SNAT, iRules, routes?

3. How does the BIG-IP detect that an ISP link is down and trigger the failover automatically?

4. Are there any gotchas or common mistakes to avoid in this type of setup?

Any help, working configuration examples, or pointers to relevant documentation would be greatly appreciated.

Thank you!

F5 VCMP guest shutdown and decommissioning

Preet_pk — Thu, 04 Jun 2026 12:52:40 GMT

Hi,

I have a change to shut down and decommission some of the F5 vCMP guests under the vCMP host. Please share the complete change plan steps and any considerations to take into account before the activity.

Also as part of taking usc backup, i need to take the key separately right. If possible please share the CLI commands to take the ucs & key backup. Also is root account required to export the ucs & key.

Procedure for migration LTM/GMT cluster form serie I to R

SuppEsp_AX — Thu, 04 Jun 2026 10:04:38 GMT

Hi,

I need to migrate a cluster 2600i to 2600r. These devices are doing LTM and GTM.

has anyone done this migration and have any procedures to follow during the intervention?

F5OS cloud-init on 21.1 does tenants come with DO and AS3 RPM installed?

Nikoolayy1 — Wed, 03 Jun 2026 07:14:13 GMT

Hello Everyone,

This great new feature

https://techdocs.f5.com/en-us/bigip-21-1-0/big-ip-f5os-cloud-init-support-velos-rseries/cloud-init-support-velos-rseries.html is not very well described. I think F5 making a demo session or a Guide with pictures will be helpful.

For example do the F5os Tenants come with RPM AS3 and DO installed by default for this to work ?

Other than that it is mentioned that the DO yaml file needs to be hosted on F5OS ? Where exactly ?

OpenID Connect as Client and Resource server

Blobbs_001 — Tue, 02 Jun 2026 18:29:49 GMT

Hi All

I am hoping some here can help me ... I am setting up a F5 to act as both OpenID Connect as Client and Resource server however I am now stuck in a auth loop. My session is being deleted before its handed over to to the authoisation server ..

"If the session ID is still changing (4a3b8e96 -> 76933e5c) and the logs show Session deleted (oauth_finished), the F5 is essentially "forgetting" the session because it is failing to hand off the MRHSession cookie, or the policy is explicitly configured to terminate upon finishing the OAuth transaction."

I have tried many variations of using iRule to stop the session ID's changing between the auth server and the authorisation server to ni avail .. I am at my wits end :(

Anyone anble to help? I have logs I will need to sanitise them first that I can upload. These just show that the Auth-ID is created and then the session is deleted before its handed over to VPE that should then send it to sharepoint point app ..

help anyone

Ivanti MDM Core & F5 LTM/ASM with mTLS

Anoop_Jayadharan — Tue, 02 Jun 2026 05:16:18 GMT

Folks,

One of our customers uses Ivanti MDM to manage mobile phones, both IOS & Android. Recently, due to a requirement, we have decided to place an F5 BIG-IP in front of the MDM Core server, which is located in the DMZ.

Ivanti has a few sets of URIs. One set does not require enabling mTLS. On the other hand, the second set requires mTLS on the client side of the BIG-IP full proxy.

Has anybody seen or done this before? Has anybody implemented an MDM behind LTM/ASM (not It functions more like a MITM than just a TCP load balancer)

What is the recommended approach?

Any advice or recommendations are greatly appreciated.

Appliance: BIG-IP Tenant on r4600

TMOS: 16.x

My Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide

TZJ4 — Mon, 01 Jun 2026 02:49:02 GMT

## My Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide

Since study materials and comprehensive guidebooks for the F5 402 Cloud Solution Specialist exam are quite scarce, I wanted to share my personal experience and key takeaways to help those preparing for this certification.

### Prerequisites & Foundational Knowledge

* **Mandatory Prerequisites:** You must have already passed the F5 301A+B (LTM) and 302 (GTM/DNS) exams.

* **Cloud Background:** A solid understanding of Cloud architecture (at least at a foundational level) is highly recommended.

### Key Exam Topics to Focus On

1. **Deployment Topologies (1 vs. 3 vNICs):** Understand these deployment models thoroughly, especially in Auto Scaling scenarios. Know when to use each, and be aware of their limitations (such as bandwidth constraints).

2. **VE Licensing (Good, Better, Best):** This is heavily tested. Save time by focusing specifically on the modules that differentiate each tier.

3. **Accessing BIG-IP VE on Cloud:** Know the exact procedure for the initial setup—specifically the use of Key-Pairs and Port 8443.

4. **Automation & Templates:** CloudFormation Templates (CFT) and Kubernetes ConfigMaps appear frequently.

5. **Cloud Failover Extension (CFE):** Understand its core concepts, limitations, and practical use cases.

6. **Cloud High Availability (HA) Limitations:** Focus on why standard failover behaviors change in the cloud (e.g., cloud providers not accepting Gratuitous ARP [GARP], or handling multiple Traffic-Groups).

7. **HA Architecture:** Grasp the differences between Active-Standby and Active-Active deployments.

8. **Active-Active with ELB:** Understand why F5 recommends placing cloud-native Load Balancers (like AWS ALB/NLB) in front of an Active-Active F5 cluster.

9. **Cloud-Specific Terminology:** Be comfortable with cloud infrastructure jargon, especially AWS terminology (e.g., Amazon S3, ELB, VPC, AMI, etc.).

10. **AWS vs. Azure Ratio:** The exam leans heavily toward Amazon AWS over Microsoft Azure, roughly an 80:20 split.

11. **F5 Automation Toolchain:** Understand F5 extensions and their distinct use cases, such as iControl LX, iApp LX, and AS3.

12. **Declarative APIs:** Expect many questions regarding API calls used to provision and manage F5 objects.

13. **REST API Fundamentals:** Understand HTTP methods (GET, POST, PUT, PATCH, DELETE) deeply. For instance, know what happens to the configuration state if an API call fails mid-execution.

14. **API Syntax:** Some questions go deep into the exact command syntax. It is vital to look at real-world examples and memorize the syntax structure.

15. **BIG-IQ Integration:** Study the Knowledge Base (KB) articles regarding using BIG-IQ with AS3 as a proxy to create objects on BIG-IP. Pay attention to the initial setup requirements.

16. **Availability Zones (AZ) & Regions:** Understand the conceptual design of multi-AZ and multi-region setups, including their architectural pros and cons.

17. **AWS Auto Scaling Groups (ASG):** This is a major topic. Spend adequate time reading up on how ASG integrates with F5.

18. **Licensing Models (BYOL vs. PAYG):** You won't get straightforward definition questions. Instead, you will need to analyze scenarios to determine which model is the most cost-effective or appropriate.

19. **Traffic Direction Concepts:** Clearly differentiate between North-South (Vertical) and East-West (Horizontal) traffic patterns to analyze scenario-based questions.

20. **Microservices & Containers:** If you aren't familiar with containerization, brush up on it. There will be architectural diagrams involving Pods and NodePorts.

21. **F5 Container Ingress Services (CIS):** This is another heavily tested topic.

22. **Advanced Licensing:** Look into VLS (Volume Licensing Subscription) and CLP (Cloud Licensing Program).

23. **AWS Instance Types:** You don’t need to memorize instance specs by heart. The exam provides reference tables so you can map and choose the most optimal instance type for a given F5 license.

24. **License Bandwidth:** Understand the performance and throughput limits associated with different F5 licenses.

25. **Content Delivery Network (CDN):** Expect diagram-based questions requiring scenario analysis.

26. **F5 Distributed Cloud (XC) & Silverline:** During my attempt, F5 XC wasn't featured yet, but there were some questions regarding Silverline. (Note: This may vary as blueprints update).

27. **Hybrid Cloud Concepts:** Understand the architecture when bridging On-Premises data centers with Public Cloud environments.

28. **Cloud Migration:** Questions will test your analytical skills regarding migrating workloads from On-Prem to the Cloud, specifically around what factors are critical when shifting traffic.

29. **AWS 6 Rs of Migration:** Memorize the concepts (Rehost, Replatform, Refactor, etc.) as they are embedded in multiple situational questions.

30. **Cloud Models & Finance:** Understand the foundational differences between IaaS, PaaS, SaaS, as well as CapEx vs. OpEx.

31. **WILS (The Data Center API Compass Rose):** This framework does make an appearance on the exam.

32. **F5 APM Roles:** Expect a fair share of APM questions where you must identify whether the BIG-IP is acting as the Identity Provider (IdP) or the Service Provider (SP).

33. **Deployment Methods:** Know the nuances of deploying BIG-IP VE via the Cloud Marketplace versus using GitHub Deployment Scripts.

34. **Cloud Bursting & Monitoring:** This is a recurring theme, including how Active Monitors are used to detect load changes and trigger auto-deployments of instances.

35. **Log File Paths:** Know where to look for specific troubleshooting logs, such as iControl errors, authentication failures, and BIG-IQ restjavad logs.

36. **Authentication Protocol Concepts:** Protocols like OAuth and LDAP aren't questioned directly on syntax, but you must understand their architectural diagrams and exchange mechanisms (e.g., Tokens, SAML assertions).

37. **What did NOT appear (in my attempt):** There were no questions regarding AI, GWLB, Transit Gateway (TGW), F5 XC, or advanced Firewall Deployment Modes on Cloud.

### How to Approach F5 Module Review (Levels 3xx vs 4xx)

If you already have strong, hands-on experience with F5 modules, you don't necessarily need to re-read all the 3xx-level materials from scratch. The 402 exam looks at them from a higher conceptual level:

* **LTM:** Focuses on TMOS architecture, hardware models (like how vCMP operates), and licensing. It won't grill you on basic configurations like "which Load Balancing method to choose."

* **GTM/DNS:** Purely conceptual. No deep iQuery troubleshooting, just GSLB terminology and straightforward Static Ratio configurations.

* **ASM/AWAF/AFM:** Know which module fits the scenario. For example, choose AFM for L3/L4 DDoS protection, but opt for ASM for L7 DDoS, Behavioral DoS (BaDoS), and WAF capabilities. This ties back into knowing your Better vs. Best license bundles.

* **APM:** Highly important. Review the different authentication types and firmly memorize the architectural flow diagrams for IdP and SP.

### Strategy & Exam Tips

* **Analytical Focus:** Level 4xx exams test your ability to analyze complex scenarios. Pure theory isn't enough; real-world exposure or architectural thinking is key—especially regarding cloud environments for the 402.

* **Time Management is Crucial:** Time is the biggest challenge here. As a non-native English speaker, I was allocated approximately 2 hours and 15 minutes, which felt incredibly tight for the amount of reading required.

* **The "Flag" Button is Your Friend:** If you encounter a massive 2-page question with a huge diagram, flag it and skip it immediately. Secure the quick points by answering the shorter questions first.

* **Read the Question and Choices First:** For long, diagram-heavy questions, read the actual prompt and the multiple-choice answers before diving into the diagram text. Often, the scenario description contains a lot of fluff ("noise"), and you can actually deduce the correct answer just by reading the options.

* **Exam Comparison:** Having gone through the 301B, 401, and 402, I can safely say these exams demand immense mental stamina for analysis. However, 301B felt more exhausting. Once you "catch the rhythm" of the 4xx questions, it becomes manageable.

* **Question Pool Size:** I took both the 401 and 402 twice before passing. I felt that the 402 had a much larger question pool. On my second attempt at the 402, I encountered a significant amount of brand-new questions, whereas the 401 retake had quite a lot of repeats.

Best of luck to everyone preparing for the F5 402! I hope you get questions that align with your preparation. Use this guide as a reference point for your studies, and feel free to share your thoughts!

shame on f5

Zaulis — Fri, 29 May 2026 15:01:42 GMT

Hi folks

I am really diasappointed

F5 made 17.1.3.2 release with several bugs

public patch .0.14.32 for 17.1.3.2 to fix one web interface problem

but critical for me bug https://my.f5.com/manage/s/article/K000161225 need request EHF from support to fix.

Am I last person who have 17.1.3.2 in production ?

Why not to fix errors in one another public EHF ?

iRule bug affect all 17.1.3.2 users

AWAF Detection Inconsistency Between Similar Test Payloads

Kuyidong — Fri, 29 May 2026 06:54:01 GMT

Hi everyone,

I'm testing F5 AWAF against several attack payloads in a lab environment (crAPI).

I noticed some inconsistent detection behavior and would like to know whether this is expected, a signature coverage issue, or a content profile configuration issue.

Environment

F5 AWAF / ASM

Wildcard URL policy

Attack signatures enabled

Form Data, JSON, and XML request body handling configured

Default content profile set to "Apply value and content signatures and detect threat campaigns"

Case 1 - Command Injection

The following payload is detected:

POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=cat /etc/passwd

AWAF triggers:

Unix "cmd" parameter execution attempt

However, the following payload is not detected:

POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=127.0.0.1 && ls /etc

The request body is visible in the event logs, so parsing appears to be working correctly.

Has anyone observed similar behavior with command execution signatures?

Case 2 - Multipart Form Data

AWAF successfully detects directory traversal inside multipart/form-data:

Content-Disposition: form-data; name="/static/img/../../etc/passwd" test

However, some multipart XSS payloads are not detected, for example:

Content-Disposition: form-data; name="random" <x/Onpointerrawupdate=confirm()>xxxxx

while other XSS payloads such as onerror-based payloads are detected and blocked.

Questions

Is this expected signature coverage behavior?

Are command execution signatures expected to detect payloads like:127.0.0.1 && ls /etc

Are there known limitations for newer event handlers such as:onpointerrawupdate=

Would enabling Base64 Decoding in Header-Based Content Profiles have any effect on these cases, or is this unrelated because the payloads are not Base64 encoded?

Are there recommended Signature Sets or Evasion settings that improve detection for these payloads?

Any guidance would be appreciated.

version 21.1 ACME setup for certificate renewal with Digicert

awan_m — Fri, 29 May 2026 03:25:33 GMT

Hello - i have installed Bigip version 21.1 and want to configure ACME to automate Certificate renewal from Digicert and our internal CA.

has any one configured it yet ? and are there any documents that guide on how to configure ... maybe a video

thanks

Prodcut compatabilty with F5 OSS vs F5 NGINX Plus

vivek233 — Thu, 28 May 2026 22:09:54 GMT

I have configured my product using F5 NGINX OSS Ingress Controller, leveraging resources such as GlobalConfiguration, TransportServer, and Ingress. The product is working as expected with F5 OSS and uses both HTTP and TCP communication. However, I have not yet been able to validate it with F5 NGINX Plus.

Do you foresee any reason it would not work with F5 NGINX Plus?

SSL Virtual Server to Azure blob storage account

RichardHillius — Wed, 27 May 2026 19:05:56 GMT

We have a requirement to use F5 as the frontend for Azure storage accounts hosting blob file containers. The SFTP Virtual servers work without issue however the https ones do not. I have tried both standard and performance layer 4 virtual servers but see connection errors when I try to connect though the F5.

When we do this with App Services we have to use custom domains and upload the certificate but storage accounts don't have that option.

Has anyone been able to get this working that can give me some pointers on what I might be doing wrong?

Thanks,