Forum Discussion
hooleylist
Aug 29, 2012
Cirrostratus
The problem with using a single IP address for multiple fully qualified domain names is that LTM needs to complete an SSL handshake with a single SSL cert before being able to decrypt the SSL and inspect or modify the HTTP to determine which FQDN the client requested. If LTM presents a cert which doesn't have the client's requested FQDN, the client will generate a mismatched cert error.
If the clients are in a controlled set (i.e., all owned by one organization) you could potentially use TLS SNI to determine which cert to present:
http://en.wikipedia.org/wiki/Server_Name_Indication
The reason TLS SNI hasn't taken hold fully yet is that many older browsers and operating systems don't support it yet:
http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
If you can get a single certificate which is valid for all of the FQDNs clients would use to access the virtual server, you can avoid this issue. Typically, this is done with wildcard or Subject Alternative Name (SAN) certs.
If a SAN or wildcard cert can't be used and the clients are not corporate owned, you'll generally need one virtual server IP address per SSL certificate.
Aaron
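The two checks the post describes, whether one wildcard or SAN certificate actually covers every FQDN clients will use, and what an SNI-capable versus a non-SNI client ends up being handed when several certs share one IP, can be modelled without a load balancer at all. The following is an added example written for this page; it is not code from the post, from F5, or from any LTM iRule. The certificate inventory is a constructed set of plain dictionaries standing in for parsed certificates, and the function names (`name_matches`, `cert_covers`, `uncovered_names`, `select_cert`, `handshake_outcome`) are assumptions of this example. Name matching follows the RFC 6125 rules for wildcards (only the whole leftmost label may be a wildcard, and it matches exactly one label), with the additional conservative requirement that at least two labels follow the wildcard.

```python
# Added example: model SNI-based certificate selection and SAN/wildcard coverage
# for several FQDNs behind one IP. Not F5 code; certificates are constructed.

# Constructed inventory: each entry stands in for a parsed X.509 certificate.
CERTS = {
    "wildcard-example": {
        "subject_cn": "*.example.test",
        "sans": ["*.example.test", "example.test"],
    },
    "san-example": {
        "subject_cn": "www.shop.test",
        "sans": ["www.shop.test", "shop.test", "api.shop.test"],
    },
}


def name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is accepted only as the entire leftmost label, it matches exactly
    one label, and (conservatively) at least two labels must follow it, so
    '*.test' never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False  # partial-label or multi-wildcard patterns are rejected
    if len(hlabels) != len(plabels):
        return False  # a wildcard does not span dots or match the bare domain
    return hlabels[1:] == plabels[1:]


def cert_covers(cert, hostname):
    """True if the certificate is valid for hostname.

    When a SAN extension is present it is authoritative; the subject CN is
    consulted only for legacy certificates that carry no SAN at all.
    """
    names = cert["sans"] if cert["sans"] else [cert["subject_cn"]]
    return any(name_matches(n, hostname) for n in names)


def uncovered_names(cert, hostnames):
    """List the FQDNs a single cert would NOT cover (the pre-deployment check)."""
    return [h for h in hostnames if not cert_covers(cert, h)]


def select_cert(sni_hostname, certs, default_key):
    """Emulate what an SNI-aware listener does when choosing a cert.

    sni_hostname is None for a client that sends no SNI extension; such clients
    can only ever be given the default certificate.
    """
    if sni_hostname is None:
        return default_key
    for key, cert in certs.items():
        if cert_covers(cert, sni_hostname):
            return key
    return default_key


def handshake_outcome(sni_hostname, requested_fqdn, certs, default_key):
    """Return (cert chosen, whether the client will accept it).

    requested_fqdn is the name the client will validate the cert against;
    a mismatch here is the 'mismatched cert error' the post refers to.
    """
    key = select_cert(sni_hostname, certs, default_key)
    return key, cert_covers(certs[key], requested_fqdn)


if __name__ == "__main__":
    names = ["www.example.test", "example.test", "deep.sub.example.test"]
    print("not covered by wildcard cert:", uncovered_names(CERTS["wildcard-example"], names))
    print("SNI client  ->", handshake_outcome("api.shop.test", "api.shop.test", CERTS, "wildcard-example"))
    print("no-SNI client ->", handshake_outcome(None, "api.shop.test", CERTS, "wildcard-example"))
```

Running the block shows the two situations the post contrasts: a client that sends SNI for `api.shop.test` is handed the SAN certificate and validates it, while a client without SNI asking for the same name receives the default wildcard certificate and fails validation, which is exactly why the post recommends one IP per certificate when non-SNI clients cannot be excluded. The `uncovered_names` check is the one to run before relying on a single wildcard cert, since a wildcard does not cover names two labels deep.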