Forum Discussion
Hannes_Rapp_162
Nacreous
If all works with abc.com right now, and you already terminate clientssl with a *.abc.com certificate, no changes on BigIP LTM are required to add support for xyx.abc.com. They just create a new DNS A record to point xyx.abc.com to the same VIP as abc.com and voila!
The serverssl profile has no domain-aware significance. It is used to enable BigIP to act as an SSL/TLS client so the traffic to the Pool Member will be encrypted before it's forwarded downstream.
Hannes_Rapp_162
Jan 01, 2018
Nacreous
No server name should be specified in the serverssl profile unless your external web address URLs do not match the listener configurations in the web servers. If the web server is configured to listen on abc.com:443, either add xyx.abc.com:443 as a second VirtualHost listener, or make it a wildcard listener that matches both. I see no good justification to use TLS SNI or any other F5 workaround for something as basic as this. Refer to the Apache docs for help and use the serverssl profile with DEFAULT settings; don't customize anything. If you specify abc.com as the server name in the serverssl profile, you are explicitly forcing all xyx.abc.com requests to the abc.com listener, and for obvious reasons this can't work.
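The backend-side change described in the reply above, as an added example that is not part of the original post: an Apache name-based virtual host that answers for both abc.com and xyx.abc.com, followed by the separate-listener variant. Certificate paths and document roots are placeholders, and the sketch assumes mod_ssl is loaded and the server already has `Listen 443`.

```apache
# Constructed example: all file paths below are placeholders.

# Option 1: one vhost that matches both hostnames.
<VirtualHost *:443>
    ServerName  abc.com
    ServerAlias xyx.abc.com
    # Wildcard alternative to the line above, matching every subdomain:
    # ServerAlias *.abc.com

    SSLEngine on
    SSLCertificateFile    /path/to/backend-cert.pem
    SSLCertificateKeyFile /path/to/backend-key.pem

    DocumentRoot /path/to/abc-site
</VirtualHost>

# Option 2: keep the abc.com vhost with no alias and add a second
# vhost for the new name, for example when it serves different content.
# Use this instead of the ServerAlias in Option 1, not in addition to it.
<VirtualHost *:443>
    ServerName xyx.abc.com

    SSLEngine on
    SSLCertificateFile    /path/to/backend-cert.pem
    SSLCertificateKeyFile /path/to/backend-key.pem

    DocumentRoot /path/to/xyx-site
</VirtualHost>
```

Running `apachectl -S` after the change lists the name-based vhosts and aliases Apache has parsed for port 443, which confirms that xyx.abc.com resolves to the intended block.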