I think my problem is a missing check box somewhere, but I can't figure out where it is.
I'm running a BigIP, v11.6, in a test environment before we migrate to it in production.
Our requirements are for a fully SSL encrypted connection end to end, and as such I have the BigIP configured to terminate SSL on device, and then re-establish an SSL tunnel to the pool members. I'm using SNAT auto map, and I've configured a cookie persistence profile as well as an HTTP profile to insert X-Forwarded-For.
All the above is working fine, until I add SNI into the mix.
Our production environment uses over 20 web sites sharing a single IP using SNI and a combination of wildcard and non-wildcard certificates, all accessible via SNI and host headers. When I migrate my test server to require SNI, the connection is established to the BigIP, SNI is resolved and the correct certificate is presented to the client; however, the pool servers are not being contacted correctly by the BigIP and they are not responding.
I've searched through the forums and I don't really see anything applicable, but I admit I'm new with BigIP and I feel like I'm incorrectly using a term or missing a checkbox somewhere.
Can someone point me in the right direction, or link me to where I should have found the answer before I posted?
Thanks in advance!
I haven't tried this, but just poking around, are you using the SSL Forward Proxy feature in your SSL Profile? Implementing SSL Forward Proxy on a Single BIG-IP System says it supports SNI.
My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.
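The reply above suspects that the pool members only answer when the server-side handshake carries a Server Name, i.e. when the BIG-IP's server SSL profile is configured to send SNI. The following script is an added example (not code from the thread, not an F5 artefact) that makes that failure mode visible offline: it builds a TLS ClientHello with and without a server_name extension, parses the SNI back out, and emulates a pool member that, like the web servers described in the question, picks a certificate by SNI and refuses a handshake that carries none. The hostnames, certificate labels and the `CERT_INVENTORY` table are constructed for the example.

```python
import struct

# Constructed certificate inventory of a hypothetical pool member, mirroring the
# thread's mix of wildcard and non-wildcard certificates (names are made up).
CERT_INVENTORY = {
    "app1.domain.com": "cert-app1",
    "app2.domain.com": "cert-app2",
    "*.domain.com": "cert-wildcard",
}
DEFAULT_CERT = "cert-defaultsni"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record; add an SNI extension if server_name is given."""
    version = b"\x03\x03"
    random_bytes = b"\x11" * 32                 # fixed value, this hello is never sent
    session_id = b"\x00"                        # empty session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"   # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                   # one method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = version + random_bytes + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None if there is none."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                     # record header (5) + handshake type (1) + length (3)
    pos += 2 + 32                               # client_version + random
    pos += 1 + record[pos]                      # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    if pos >= len(record):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + length]
        pos += length
        if ext_type == 0:
            # server_name list: 2-byte list length, then (name_type, 2-byte length, name) entries
            p = 2
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("idna")
                p += name_len
    return None


def select_certificate(server_name, require_sni=True):
    """Emulate a pool member choosing its certificate for the server-side handshake.

    Returns the certificate label, or None when the member refuses a handshake
    that carries no SNI (the symptom the question describes: no response)."""
    if server_name is None:
        return None if require_sni else DEFAULT_CERT
    if server_name in CERT_INVENTORY:           # exact (non-wildcard) match first
        return CERT_INVENTORY[server_name]
    labels = server_name.split(".")
    if len(labels) >= 3:                        # wildcard covers exactly one leftmost label
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in CERT_INVENTORY:
            return CERT_INVENTORY[wildcard]
    return DEFAULT_CERT


def handshake_outcome(record, require_sni=True):
    """Parse the ClientHello the load balancer would send and report (sni, cert or None)."""
    sni = extract_sni(record)
    return sni, select_certificate(sni, require_sni)


if __name__ == "__main__":
    # Server SSL profile without a Server Name: the pool member sees no SNI and stays silent.
    print(handshake_outcome(build_client_hello()))
    # Server SSL profile with the Server Name set: the matching certificate is chosen.
    print(handshake_outcome(build_client_hello("app1.domain.com")))
    print(handshake_outcome(build_client_hello("shop.domain.com")))
```

Running it shows the first handshake rejected and the other two answered with `cert-app1` and `cert-wildcard`; that matches the description of the pool members going quiet as soon as they require SNI, and it is the behaviour to confirm with a packet capture on the server side of the BIG-IP before changing profiles.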
Hi. I'm reviving this thread hoping to find a definitive answer to the same problem. Is this configuration supported without an iRule?
Here is the setup:
profile 1 has sni entry app1.domain.com
profile 1 has sni entry app2.domain.com
default sni profile has just defaultsni.domain.com
sni entries are set on both client and server profiles
Now when I add the three client profiles (default sni + the other two for app1.domain.com and app2.domain.com) and the three server profiles, I cannot connect to the two websites.
If I test the two profiles separately they work fine.
Insight is welcome!
Thanks for the link.
Two questions: does this mean that my setup (multiple sni profiles) won't work?
I will post the second question on the other thread :-)
Yes, you don't have to configure multiple serverssl profiles, but only one with the iRule from the provided link.