Forum Discussion
Kevin_Stewart
Oct 19, 2012
Employee
That's an interesting question. So, in v11 at least, BIG-IP does support server side SNI. If you plug a server name into the server SSL profile's Server Name block, you'll actually see the SNI extension information in the CLIENTHELLO message coming from BIG-IP. That of course implies that you have a different server SSL profile for every back end SNI host and switch profiles in an iRule (see https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx), but that's probably not too tedious.
Interestingly, and I'm frankly not sure why this worked, but I was also able to leave the Server Name field blank and set the HTTP host header in an iRule to get it to switch between SNI servers.
HTTP::header replace Host "sslapp1.alpha.com"
Again, completely counter-intuitive, and didn't see the SNI extension information in the CLIENTHELLO, but was definitely able to switch between the SNI hosts consistently. Anyone know why that works???