To provide encrypted communication between users and a virtual server, the BIG-IP system acts as a transparent SSL/TLS proxy. The administrative configuration required for this is a Client SSL profile.
When multiple hostnames (FQDNs) are associated with a single IP address, the system must determine which SSL certificate to present to the client during the initial TLS handshake. This is achieved using an extension of the TLS protocol called Server Name Indication (SNI).
The configuration logic is as follows:
Profile Type: The Client SSL profile is responsible for terminating the SSL connection from the client (the user) to the BIG-IP system.
The Setting: Within the Client SSL profile (under the "Advanced" view), there is a field specifically called Server Name. By entering the specific hostname (e.g., www.example.com) in this field, the BIG-IP system can match the hostname requested by the client in the ClientHello message to the correct profile.
Implementation: The administrator typically creates multiple Client SSL profiles—one for each hostname—and assigns them all to the same virtual server. One of these profiles must be designated as the Default SSL Profile for SNI to handle requests where the client does not provide a hostname or provides one that does not match any specific profile.
By using the Client SSL profile and the Server Name setting, the BIG-IP system ensures that each user receives the correct certificate for the specific site they are trying to reach, even though all sites share a single virtual server IP.
