single ip / ssl profile / iapp template

I am relatively new to F5 iRules and I hope someone can help me out. I have a single public IP that will host many sites including:

  1. Exchange 2013 created with the iapp template (443 client / 80 server)
  2. ADFS 3.0 (requires SNI) (443 client / 443 server)

I have a wildcard CA cert. I have both sites working separately on 2 different IPs, but I need to find a way to merge them into 1. The iApp template created a VIP that does not have pools, only iRules that call pools. They both require different client SSL profiles (1 SNI / 1 no SNI) and only 1 requires a server SSL profile.

Thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You may want to explore ProxyPass

https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx


Also, APM portal will give this capability.

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-portal-access-11-5-0/1.html


That is what I was trying. I get to the application VIP, then it drops. The pool is running on 443 as there is no way to offload it (can't turn it off on the application).


I don't remember if I've tested this specifically, but you should be able to employ ProxySSL with similar logic to route the traffic based on layer 7 Host information (without terminating the SSL).

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "owa.domain.com" { pool oa_pool }
        "adfs.domain.com" { pool adfs_pool }
        default { reject }
    }
}

You'd need to use the same wildcard cert and private key on both servers, and also plant the private key on the F5 for ProxySSL. Given that you're not terminating SSL, I'm guessing you also need something like source address persistence.

So when you say you can't offload the SSL, does that also mean you can't terminate and re-encrypt also?

Comments on this Answer
Comment made 04-Apr-2016 by HasanAhmed
Great, it works for me in my environment.

Perhaps the easiest thing would be a VIP-targeting solution. Layer an external LTM VIP with SSL offload in front of your internal application VIPs. You don't necessarily need to worry about SNI here as long as 1) the external VIP is decrypting the client side SSL (you can optionally re-encrypt to the internal VIPs) and 2) the sites use different resolved host names.

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "owa.domain.com" { virtual oa_vip }
        "adfs.domain.com" { virtual adfs_vip }
        default { reject }
    }
}

The one significant caveat here might be if you needed client certificates at the application VIPs, which would be highly difficult to achieve with VIP targeting.

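Both iRules in the answers above switch on the HTTP Host header, which the BIG-IP can only read after the session has been decrypted (full termination on the external VIP, or Proxy SSL with the server's private key planted on the F5). The server_name (SNI) extension in the TLS ClientHello, by contrast, travels in cleartext, so a pool can be chosen from it with no key at all. The Python model below is an added example, not code from this thread or from F5: it parses a hand-built ClientHello to show the pre-decryption SNI dispatch, and parses a constructed HTTP request to show the post-decryption Host dispatch that the answers' switch statements perform. The routing table, host names, pool names, the sample bytes and every helper name are assumptions made for illustration.

```python
"""Model of the two dispatch points for hosting several TLS sites on one IP.

Added example, not part of the DevCentral thread. Constructed data only:
no real ClientHello capture or request is used.
"""
import struct
from typing import Optional

# Constructed routing table mirroring the thread's iRule switch statements.
ROUTES = {
    "owa.domain.com": "oa_pool",
    "adfs.domain.com": "adfs_pool",
}


def extract_sni(record: bytes) -> Optional[str]:
    """Return the lowercased server_name from a TLS ClientHello record, else None.

    Walks the record header, handshake header, then skips random, session id,
    cipher suites and compression methods to reach the extension list.
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                                      # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # compression_methods
    if len(hs) < pos + 2:                             # no extensions: legacy client, no SNI
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000:                        # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            if len(data) < 5 or data[2] != 0x00:      # only host_name type is defined
                return None
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                       # one cipher suite
    body += b"\x01\x00"                               # one compression method (null)
    exts = struct.pack("!HH", 11, 2) + b"\x01\x00"    # unrelated ext first (ec_point_formats)
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sn_list)) + sn_list
    else:
        exts = b""                                    # legacy-style hello: no extension block
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def route_on_sni(client_hello: bytes) -> str:
    """Pre-decryption dispatch: pool from SNI, no private key needed."""
    name = extract_sni(client_hello)
    return ROUTES.get(name, "reject") if name else "reject"


def route_on_host(request: bytes) -> str:
    """Post-decryption dispatch on the Host header, as the thread's iRules do."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode("ascii", "replace").lower()
            host = host.split(":")[0]  # [HTTP::host] keeps a :port suffix; strip it so the match holds
            return ROUTES.get(host, "reject")
    return "reject"


if __name__ == "__main__":
    print(route_on_sni(build_client_hello("ADFS.domain.com")))                 # adfs_pool
    print(route_on_sni(build_client_hello(None)))                              # reject
    print(route_on_host(b"GET /owa HTTP/1.1\r\nHost: OWA.domain.com:443\r\n\r\n"))  # oa_pool
```

Two things the model makes visible that the answers leave implicit. A client that sends no SNI cannot be routed before decryption and lands on the default branch, so for the no-SNI site a default pool rather than `reject` may be the better fallback. And Proxy SSL decrypts passively with the planted key, which only works when the session uses RSA key exchange; with DHE/ECDHE suites the BIG-IP cannot derive the session key, so forward-secrecy ciphers force either full termination (the VIP-targeting answer) or pre-decryption SNI dispatch.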