I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible with HTTPS traffic? Do the nodes need to use http?
It's been 10 years since I have worked on LTMs - I have a fair amount of refreshing and catching up to do. Thanks in advance.
Yes, it is possible. You could use LTM Traffic Policies to match the HTTP Host value and forward traffic to the pool accordingly. Get started with this article: devcentral - LTM Policy
A policy rule could look like this
And for the SSL profile take a look at this solution: K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indicatio...
With SNI you can configure which SSL certificate will be used to authenticate the VS to the client and to secure the connection.
This is gonna be a detailed one...
First of all the virtual server - you mentioned publishing the virtual server on port 443.
So your virtual server should have an HTTP profile and several clientside SSL profiles.
No serverside SSL and also using SNAT Automap (in prod I'd use SNAT Pool).
In this example I have one for each FQDN.
This is how my VS looks. One of the clientside SSL profiles has the checkbox "Default SSL Profile for SNI" checked.
All others only have a Server Name set.
However all SSL profiles have the same Key / Cert, but all FQDNs are in the SAN.
And finally this is my LTM Traffic Policy for content switching based on FQDN.
You could also add a logging action to each rule to check whether the condition is matched.
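The two answers above (SNI-selected clientside SSL profiles, an HTTP profile, no serverside SSL, SNAT automap, and a Host-based LTM policy) expressed as tmsh commands, as an added example that is not configuration from the thread or from F5's documentation. Assumed names: a single certificate/key pair `shared.crt` / `shared.key` whose SAN lists both FQDNs, pools `pool-Forms` and `pool-WEB` that already exist with plain-HTTP members, the VIP address `10.0.0.10` (placeholder), and a BIG-IP version where policies are created as drafts and then published. Each rule carries both a log action and a forward action; a rule that only logs still matches, but no pool is selected and the client connection is reset, which is the pitfall reported at the end of the thread.

```tmsh
# Clientside SSL profiles: same key/cert on both, SNI picks the profile.
# Exactly one profile is the SNI default; the others only set server-name.
create ltm profile client-ssl clientssl_formview defaults-from clientssl \
    cert shared.crt key shared.key \
    server-name formview.xxx.org sni-default true
create ltm profile client-ssl clientssl_webview defaults-from clientssl \
    cert shared.crt key shared.key \
    server-name webview.xxx.org

# Content-switching policy (draft first, then publish). Every rule has a
# log action AND a forward action; with only the log action the match is
# recorded but the request goes nowhere and the VIP resets the connection.
create ltm policy /Common/Drafts/host_switch \
    controls add { forwarding } requires add { http } strategy first-match
modify ltm policy /Common/Drafts/host_switch rules add {
    to-forms {
        ordinal 1
        conditions add {
            0 { http-host host equals values { formview.xxx.org } }
        }
        actions add {
            0 { log write message "host matched formview.xxx.org" }
            1 { forward select pool pool-Forms }
        }
    }
    to-web {
        ordinal 2
        conditions add {
            0 { http-host host equals values { webview.xxx.org } }
        }
        actions add {
            0 { log write message "host matched webview.xxx.org" }
            1 { forward select pool pool-WEB }
        }
    }
}
publish ltm policy /Common/Drafts/host_switch

# Virtual server on 443: HTTP profile, both clientside SSL profiles,
# no serverside SSL (pool members speak HTTP), SNAT automap, policy attached.
create ltm virtual vs_https_443 destination 10.0.0.10:443 ip-protocol tcp \
    profiles add {
        tcp
        http
        clientssl_formview { context clientside }
        clientssl_webview { context clientside }
    } \
    source-address-translation { type automap } \
    policies add { host_switch }
```

Because there is no serverside SSL profile, the BIG-IP terminates TLS and sends plain HTTP to the pool members; if the backends only accept HTTPS, add a server-ssl profile to the virtual server (`profiles add { serverssl { context serverside } }`) instead of changing the pool. The log lines from the `log` actions land in /var/log/ltm, which is the quickest way to confirm that a rule matched before looking at captures.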
Good Afternoon Daniel,
I have followed your guide and the tech doc to create the VIP/Policy and SSL profiles. I added logging to the policy as well, and I am getting log entries for it. I have compared pcaps from going through the VIP and going directly to the server, captured on both the client side and server side of each. In the VIP captures I see the Client Hello (client side), Client Key Exchange (server side) and a Change Cipher Spec finished (client side).
On the client side capture there is a Server Hello, a Change Cipher Spec and a Change Cipher Spec finished that are not present in the client-to-server capture (no LTM), then an HTTP GET / HTTP/1.1 with the full URI https://view.mycomp.org. The VIP ACKs the Change Cipher Spec, ACKs the GET, and sends a RST.
On the server side capture I get an encryption alert 21 from the VIP.
I think I am making progress.
Any ideas for me on this?
I am not quite sure if I understand you. You took a capture accessing the webserver directly and another one accessing via the BIG-IP.
What is missing in the capture you took on the BIG-IP? The handshake between your client and the BIG-IP, or between the BIG-IP and server?
Can you share some snippets from your config and/or the captures?
I created a server side SSL profile and added it to the VIP. I will include 4 shots of both the client and server profiles for you to check out. I use the same cert, key and passphrase for both sides. On server profile 2 I tested it with just Default SSL for SNI checked, then with just Server Name added, and then as you see it with both. My client side pcap looks the same as yesterday. Thanks again for all your time with this. I am much closer.
HEY HEY, I figured it out. I missed something so blatant I am too embarrassed to post it... Just kidding. When I added logging to do the following when traffic is matched, I never added the forward-traffic-to-the-pool action back in. No kidding.
Thanks again for all your help.