Forum Discussion
If you cannot see the layer 7 (HTTP) traffic, then you also cannot write to it. So assuming www.domain.com and domain.com resolve to the same IP and F5 VIP, you basically have three options:
- Apply a wildcard certificate to the client SSL profile - *.domain.com
- Apply a SAN certificate to the client SSL profile - like a wildcard but specific to a list of server names in the subjectAltName field of the cert.
- If your clients are all capable of TLS (anyone using an OS/browser later than WinXP/IE6), you can use a TLS extension called SNI, or Server Name Indicator, where the client specifies the server name in its TLS CLIENTHELLO message. You could then create separate client SSL profiles, each with its own certificate, set the server name field in the profile to match the subject name of the certificate, and then apply all to the VIP. The VIP will choose the correct profile based on the client's request.
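Added example, not part of the post above: a small Python sketch of the SNI selection the third option relies on. It builds a TLS ClientHello with or without the server_name extension, extracts the host name the way a VIP would, and maps it to a client SSL profile; the PROFILES table, the profile names and the default profile are assumed placeholders, not F5 configuration.

```python
import struct

# Constructed for this example: hypothetical profile names keyed by the
# SNI host_name, plus a default for clients that send no SNI extension.
PROFILES = {"www.domain.com": "clientssl_www", "domain.com": "clientssl_apex"}
DEFAULT_PROFILE = "clientssl_default"


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record; SNI extension only if a name is given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host  # type host_name
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts = b"\x00\x00" + struct.pack("!H", len(sni)) + sni    # ext type 0
    body = (b"\x03\x03" + bytes(32)          # client_version + random
            + b"\x00"                         # empty session id
            + b"\x00\x02\x00\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None                           # not a handshake/ClientHello record
    p = 5 + 4 + 2 + 32                        # record + handshake hdr, version, random
    p += 1 + record[p]                        # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                        # compression methods
    if p + 2 > len(record):
        return None                           # legacy hello with no extensions block
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0 and record[p + 2] == 0:  # server_name ext, host_name entry
            hlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + hlen].decode()
        p += elen
    return None


def select_profile(record):
    """Choose the client SSL profile the way the post describes the VIP doing it."""
    return PROFILES.get(extract_sni(record), DEFAULT_PROFILE)
```

A client that sends no SNI (the legacy clients the post mentions) lands on the default profile, so the certificate attached to that profile is the one such clients will be shown.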