client-side
2 Topics

Client SSL profiles using SNI not able to use the subject alternative name
We have a clientssl profile using a *.domain.com wildcard SSL certificate. This profile is set as the default for SNI. We also have specific clientssl profiles using the application-specific SSL certificate. The application-specific certs have their subject as www.application.com with the subject alternative name with application.com. There may also be several other SANs listed depending on the web app.

In testing everything works great when accessing the site via https://www.application.com. However, when using https://application.com we receive a cert error and the *.domain.com wildcard SSL certificate is used. This is the same for any domain listed as a SAN.

My main question is: can SNI use subject alternative names? My testing indicates no, but I wanted to put this out to the group.

Here is my sanitized config:

ltm profile client-ssl domain.com_wildcard {
    app-service none
    cert domain.com_wildcard.crt
    chain ComodoCA.crt
    defaults-from clientssl
    key domain.com_wildcard.key
    sni-default true
}
ltm profile client-ssl prod-www_application_com {
    app-service none
    cert prod-www_application_com.crt
    chain prod-www_application_com.intermediate.ca.crt
    key prod-www_application_com.key
}
ltm virtual vs-x.x.x.x_443 {
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool site-x.x.x.x_443
    profiles {
        http-x-forward { }
        domain.com_wildcard {
            context clientside
        }
        prod-www_application_com {
            context clientside
        }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
        websecurity { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat_pool
        type snat
    }
    vs-index 2539
}

1.4K Views, 0 likes, 7 Comments

APM Client side checks too slow?
Hi, I am implementing client side checking using APM (I'm running 11.3 HF6) and when testing with IE7 or Chrome 31 it takes at least 90 seconds to run. The checks I am running are "Windows Info" (looking for XP SP3 or Vista currently) and Windows Process Check. I gave up on the Anti Virus check as this took an additional 90 seconds or so to run, so have instead used the Process Check to check the anti virus we have rolled out is running (I know that's not an amazing idea and would rather use the Anti Virus check).

I do not believe the checks I am doing are slowing things down though, as 90% of the time is spent in a "Checking Client" state. After that only a few seconds are spent on "Collecting Windows Information", then my APM logon page is presented. I have installed "F5 networks plugin host" for Chrome and ActiveX is allowed to run on IE. Running Wireshark on the test machine reveals that no network traffic is present during this long 90 second pause, so I know it's not trying to download anything.

I am running Windows XP SP3 and McAfee Enterprise on my test laptop but also tried at home last night with IE8 and Chrome 31 on a Vista laptop with Antivir and ZoneAlarm firewall running, with the same result (and I had the process check turned off at the time too, so it was just checking to see that I was running Vista).

I guess I would just like to know if this delay is expected or not. We are migrating away from a Citrix solution for remote access and Citrix EPA runs the same checks in about 3 seconds, so we would really like the same performance! I tried downloading and installing the Edge Client from the connectivity profile page, ensuring "Endpoint Security for Windows" was ticked, but I do not see this launching during the checks (even after a reboot).

Thank you in advance to anyone who can assist with this please. It would be very much appreciated! Apologies if I have missed something obvious; I have a very tight schedule to get APM up and running and am very much learning as I go!

387 Views, 0 likes, 2 Comments