Does BIG-IP send traffic to pool members by IP and is it possible to recognize hostname?
I have a question regarding BIG-IP's communication with pool member servers. Is it accurate that the BIG-IP has no concept of the 'hostname' of the pool members and forwards traffic to pool members by IP alone? I have set up a serverssl profile that is configured to 'Require' Server Certificate and DROP untrusted and expired SSL certs presented by member servers. It all works except for ONE scenario: When a member server presents an SSL cert with a CN that matches the Authenticate Name on the server SSL profile but is the WRONG SSL cert for it.
e.g.: The member hostname is foo.example.com; it is serving an SSL cert for CN bar.example.com. The server-ssl profile is set up with Authenticate Name bar.example.com. I would have expected the BIG-IP to DROP traffic to pool member foo.example.com but it doesn't. The BIG-IP sees 'bar.example.com' for Authenticate Name in the serverssl profile, matches that to the 'bar.example.com' in the CN of the SSL cert presented by server and blesses the communication.
I'm running BIG-IP 11.5.1 HF10; is someone able to confirm that this is indeed how it works and maybe suggest what I could do to make the BIG-IP check pool member hostname?
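The gap the question describes is the difference between checking a presented certificate name against one fixed value configured on the profile and checking it against the name the specific pool member is expected to present. The model below is an added example, not F5 code and not an answer from the thread: the pool, the profile, the `expected_hostname` field and the presented CNs are constructed sample data, and the matching function implements the usual RFC 6125 rule (exact, case-insensitive, single left-most wildcard label) to show that the problem is the reference identity being chosen per profile rather than per member, not the string comparison itself.

```python
"""Model of a server-side certificate name check: fixed profile name
versus per-member expected hostname (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerSslProfile:
    # One 'Authenticate Name' shared by every member the profile is applied to.
    authenticate_name: str


@dataclass(frozen=True)
class PoolMember:
    ip: str
    # Hypothetical field: the hostname the operator expects this member to
    # present. The model assumes such a mapping exists; it is not a BIG-IP
    # pool-member attribute.
    expected_hostname: str


def name_matches(presented: str, expected: str) -> bool:
    """RFC 6125-style comparison of a presented certificate name against a
    reference identity: case-insensitive, trailing dot ignored, and a wildcard
    accepted only as the entire left-most label of a name with at least three
    labels (so '*.com' never matches 'example.com')."""
    presented = presented.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if presented == expected:
        return True
    p_labels = presented.split(".")
    e_labels = expected.split(".")
    if (p_labels[0] == "*"
            and len(p_labels) == len(e_labels)
            and len(e_labels) >= 3):
        return p_labels[1:] == e_labels[1:]
    return False


def profile_check(profile: ServerSslProfile, cert_cn: str) -> bool:
    """The behaviour described in the question: the presented CN is compared
    with the profile's Authenticate Name only, regardless of which member
    presented it."""
    return name_matches(cert_cn, profile.authenticate_name)


def per_member_check(member: PoolMember, cert_cn: str) -> bool:
    """The check the question asks for: the presented CN is compared with the
    name expected for this particular member."""
    return name_matches(cert_cn, member.expected_hostname)


# Constructed scenario from the question: foo.example.com serves a cert
# whose CN is bar.example.com, and the profile is set to bar.example.com.
PROFILE = ServerSslProfile(authenticate_name="bar.example.com")
POOL = [
    PoolMember(ip="10.0.0.1", expected_hostname="foo.example.com"),
    PoolMember(ip="10.0.0.2", expected_hostname="bar.example.com"),
]
PRESENTED_CN = {          # constructed: CN presented by each member
    "10.0.0.1": "bar.example.com",   # wrong cert for foo
    "10.0.0.2": "bar.example.com",   # correct cert for bar
}


def evaluate_pool(profile, members, presented_cn):
    """Return {ip: (accepted_by_profile_check, accepted_by_member_check)}."""
    results = {}
    for m in members:
        cn = presented_cn[m.ip]
        results[m.ip] = (profile_check(profile, cn), per_member_check(m, cn))
    return results


if __name__ == "__main__":
    for ip, (by_profile, by_member) in evaluate_pool(PROFILE, POOL, PRESENTED_CN).items():
        print(f"{ip}: profile check={by_profile}, per-member check={by_member}")
```

Running it shows 10.0.0.1 accepted by the profile-level check and rejected by the per-member check, while 10.0.0.2 passes both: a single Authenticate Name can only assert "some trusted server named bar.example.com answered", not "the member I selected is the server it should be".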