SNI Implementation
My F5 is running version 13.1.1.4.0.0.4. My organization has an existing web application that uses SNI. One URL does authentication based on certificates, the other URL does authentication based on Active Directory. We want to move this behind the F5 to utilize ASM.
When researching how to set up SNI within the F5, I read numerous sites (farther below with a comment or two). I've tried numerous combinations of SSL profiles on the client and server side. On the client side, I tried having a default clientssl with a blank server name section (as described in the K13452 link below) and two more clientssl profiles that have the server name section populated with the respective URLs. I also tried removing the default clientssl with the blank server name and just setting one of the other clientssl profiles as the default. On the server side, I tried mirroring the client SSL profiles. I tried my standard serverssl profile in hopes it would just pass the SNI field. No luck.
The site never comes up. When I do packet captures on my computer and the F5 (I capture the incoming traffic to the VIP and outgoing traffic to the server in the pool), in the TLS Client hello, I see the SNI field when it leaves my computer and arrives at the VIP of the F5. But the packet capture to the server in the pool does NOT have that field in the Client Hello. I don't know what I'm doing wrong.
SSL Profiles Part 7: Server Name Indication
How can I configure Server SSL Profiles to connect to different URLs on the same server?
Using the iRule in the accepted answer section from the above article did not get the SNI field to show in the client hello packet to the server in the pool. I make the "hostname" in the iRule "$hostname" and the sites in quotes are the two URLs. The SSL profile is the name of the serverssl profile.
Serverside SNI injection iRule
In the comments of this article, someone links a bug for 13.0. But that doesn't seem to describe what I'm experiencing (I'm experiencing no server side SNI at all).