I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible wit...
yes, it is possible. You could use LTM Traffic Policies to match the HTTP Host value and forward traffic to the pool accordingly. Get started with this article: devcentral - LTM Policy
I have looked at the first reference link earlier as well. Here is more detail regarding what I am trying to accomplish.
I have an outside firewall NAT for incoming 443 traffic on 96.103.236.222 that forwards that traffic to an LTM VIP 192.168.5.5 listening on 443.
I am trying to have sites Viewforms.mycompany.org and Employee.mycompany.org (I am also thinking it might be better to do Mycompany.web.org/viewforms and Mycompany.web.org/employees, but the first one is preferred).
The VIP is basic.
HTTP profile is HTTP – I have to select a http or a http-connect profile (this is where I am not sure why I require an http profile, it makes me think that the server connection is http)
Automap
Resources
I don’t have a default pool selected (I did to verify I get the login page prior to adding a policy)
Policy is DMZ-Cop
DMZ-Cop is
Match
HTTP Host -> host -> is -> any of -> Viewforms.mycompany.org or viewforms -> at request time
Do the following
Forward traffic -> to pool -> viewforms-pool
When I https to the page Viewforms.mycompany.org I do not see any policy statistics, invoked or succeeded.
I haven’t tried adding any info for the second site.
Once I change the VIP config http profile (client) to http – I no longer connect to the login page. I do see TCP handshake, Client Hello, and an ACK to that. 1.5 seconds later a FIN from my side.
Thanks
John Krumenacher
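The setup discussed above (a single 443 VIP with a policy that forwards on the HTTP Host header), written out as an added tmsh example; this is not configuration from the thread or from the DevCentral article. The policy can only read the Host header after the LTM has decrypted the request, so the virtual server carries a client-ssl profile and, because the pool members listen on 443, a server-ssl profile to re-encrypt towards them. The HTTP profile is what lets the policy parse the decrypted request; it does not mean the server-side connection is plaintext. Pool member addresses, the certificate/key object names, the second pool and the log messages are assumptions.

```tmsh
# Added example, not from the thread. Names, addresses and cert/key objects are placeholders.

# One pool per application; the members listen on 443.
create ltm pool viewforms-pool members add { 10.10.20.11:443 } monitor https
create ltm pool employee-pool  members add { 10.10.20.12:443 } monitor https

# Client-side TLS termination. The policy needs the decrypted request to read the Host header.
# Assumes a cert covering both FQDNs (e.g. a SAN cert) is already imported as mycompany.crt/.key.
create ltm profile client-ssl clientssl-mycompany defaults-from clientssl cert mycompany.crt key mycompany.key

# Server-side TLS so the request is re-encrypted towards the 443 pool members.
create ltm profile server-ssl serverssl-mycompany defaults-from serverssl

# Draft policy: compare the Host header (string comparisons are case-insensitive by default)
# and forward to the matching pool. The log action per rule writes to /var/log/ltm, which is
# easier to check than the policy statistics counters.
create ltm policy Drafts/DMZ-Cop controls add { forwarding } requires add { http } strategy first-match rules add {
    viewforms {
        ordinal 1
        conditions add { 0 { http-host host values { viewforms.mycompany.org } } }
        actions add {
            0 { forward select pool viewforms-pool }
            1 { log write message "DMZ-Cop: viewforms -> viewforms-pool" }
        }
    }
    employee {
        ordinal 2
        conditions add { 0 { http-host host values { employee.mycompany.org } } }
        actions add {
            0 { forward select pool employee-pool }
            1 { log write message "DMZ-Cop: employee -> employee-pool" }
        }
    }
}
publish ltm policy Drafts/DMZ-Cop

# The 443 virtual the firewall NATs to. No default pool: a request whose Host header matches
# no rule is not forwarded anywhere. The http profile is required by the policy (requires { http }).
create ltm virtual vs-dmz-443 destination 192.168.5.5:443 ip-protocol tcp profiles add { tcp http clientssl-mycompany { context clientside } serverssl-mycompany { context serverside } } source-address-translation { type automap } policies add { DMZ-Cop }
```

Without the client-ssl profile the HTTP profile sits in front of an encrypted byte stream, the policy has nothing to match, and the request either falls through to no pool or is reset; the log lines in /var/log/ltm are the quickest way to confirm the rules are being hit.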
Daniel,
Are you sending screen shots as well? This is what I am seeing.
I have added a copy of the clientssl to which I added the option Default SSL Profile for SNI.
It was the default_ssl_sni line item that made me think there was more to the picture that I should be referencing as well.
Thanks
John Krumenacher
O.K. Thank you,
I do see the additional links in the article should add additional detail and follow your outline.
FYI – if you were sending screen shots, they were not showing up in email or viewed as a web page. Just small icons.
Thanks again,
John Krumenacher
Good afternoon Daniel,
A couple of things. I learned here that I should follow the thread online. I do see the images there. I noticed that today, but in the meantime I did go through the article step by step and it too was helpful.
I am waiting for the server team to generate a new cert to be used by both servers, with the same common name and each FQDN in the SAN section.
Thanks
John Krumenacher
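As an alternative to the single SAN certificate mentioned above, each FQDN can keep its own certificate and the LTM can pick it by SNI, with one client-ssl profile per hostname and exactly one of them marked as the SNI default. This is an added tmsh example, not configuration from the thread; the certificate/key object names and the virtual server name are assumptions.

```tmsh
# Added example, not from the thread: per-hostname certificates chosen by SNI.
# Cert/key object names and the virtual server name are placeholders.

# One client-ssl profile per FQDN. server-name is the SNI value the profile owns.
# Exactly one profile attached to the virtual must be sni-default; it serves clients that
# send no SNI at all (for example a browser opening https://192.168.5.5/ by address).
create ltm profile client-ssl clientssl-viewforms defaults-from clientssl cert viewforms.crt key viewforms.key server-name viewforms.mycompany.org sni-default true
create ltm profile client-ssl clientssl-employee defaults-from clientssl cert employee.crt key employee.key server-name employee.mycompany.org

# Attach both to the same 443 virtual (replace any single clientssl profile already on it).
modify ltm virtual vs-dmz-443 profiles add { clientssl-viewforms { context clientside } clientssl-employee { context clientside } }

# Stricter variant: reject clients that send no SNI instead of handing them the default cert.
modify ltm profile client-ssl clientssl-viewforms sni-require true

# Verify from a client that each name is answered with its own certificate (run outside tmsh):
#   openssl s_client -connect 192.168.5.5:443 -servername viewforms.mycompany.org </dev/null | openssl x509 -noout -subject
#   openssl s_client -connect 192.168.5.5:443 -servername employee.mycompany.org  </dev/null | openssl x509 -noout -subject
```

SNI only decides which certificate the handshake uses; the pool selection still comes from the DMZ-Cop policy matching the Host header after decryption, so the two mechanisms are independent and should agree on the same set of hostnames.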
I have followed your guide and the tech doc to create the VIP/policy and SSL profiles. I added logging as well to the policy. I am getting log entries for this policy. I have compared pcaps from going through the VIP and going directly to the server. I have captured on both the client side and server side of each. (On the VIP captures) I see the Client Hello - client side, Client Key Exchange - server side and a Change Cipher Spec / Finished - client side.
On the client side capture there is a Server Hello - Change Cipher Spec and a Change Cipher Spec / Finished that is not present in the client to server capture (no LTM), then an HTTP GET / HTTP/1.1 with the full URI https://view.mycomp.org. The VIP ACKs the Change Cipher Spec, ACKs the GET, and sends a RST.
On the server side capture I get an encryption alert 21 from the VIP.