Forum Discussion
Kai_Wilke
Feb 18, 2016 (MVP)
Hi Ebathaei,
When dealing with SNI to host multiple sites on a single IP address, you basically have the following 3 different options at your fingertips...
1.) Terminate the TLS connections (aka. SSL inspect) on your F5 and let the F5 automatically select the right SSL certificate.
2.) Layer4 forward the TLS connection (aka. don't SSL inspect) directly to your backend and let the backend handle the SNI-based SSL certificate selection.
3.) Layer4 inspect the initial START_TLS message on your F5 and then dynamically forward the connection to different internal non-SNI-aware IP:Port combinations.
So either use 2.) if your HSM supports SNI, or use 3.) if your HSM doesn't support SNI.
Cheers, Kai