Product Documentation

Configure SSL action to forward client traffic if the appliance does not have a domain specific (SNI) certificate

Note: This feature is available in release 12.1 build 49.x and later.

In the client hello message, if you receive a request for a domain for which the certificate is not available on the appliance, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload on the appliance, forward the traffic to a virtual server of type TCP or SSL_BRIDGE. For SSL offload, forward the traffic to an SSL virtual server. In the following example, we have configured an SSL virtual server as the forward virtual server. This setting ensures that all the connections that fail because of a missing SNI certificate on the original virtual server are successful on the forward virtual server.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL (For example, v1). Client traffic is received on this virtual server.
  2. Add an SSL service with port 443.
  3. Bind this service to the SSL virtual server.
  4. Add another load balancing virtual server of type SSL to forward the traffic to. (For example, fwd-vserver).
  5. Add a service and bind it to this virtual server.
  6. Bind this service to the SSL virtual server.
  7. Add an SSL action specifying the SSL virtual server fwd-vserver in the ‘forward’ parameter.
  8. Add an SSL policy specifying the above action if a specific domain name (SNI) is received in the client hello message.
  9. Bind this policy to the SSL virtual server v1.
  10. Save the configuration.

Configuration using the CLI

Configuration for the SSL virtual server to which to forward the traffic

add lb vserver fwd-vserver SSL 10.102.57.184 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
bind ssl vserver fwd-vserver -certkeyName sv
bind ssl vserver fwd-vserver -certkeyName cacert -CA
add service ssl-service2 10.102.113.150 SSL 443
bind lb vserver fwd-vserver ssl-service2

Configuration for the SSL virtual server that originally receives client traffic

add service ssl-service 10.102.113.155 SSL 443
add lb vserver v1 SSL 10.102.57.186 443
bind ssl vserver v1 -certkeyName sv
bind lb vserver v1 ssl-service
set ssl vserver v1 -sni ENABLED
add ssl certKey snicert2 -cert /nsconfig/ssl/complete/SNI/server/serverabc.pem -key /nsconfig/ssl/complete/SNI/server/serverabc.ky
add ssl certKey snicert -cert /nsconfig/ssl/complete/SNI/server/serverabcnetscaler.pem -key /nsconfig/ssl/complete/SNI/server/serverabcnetscaler.ky
bind ssl vserver v1 -certkeyName snicert -sniCert
bind ssl vserver v1 -certkeyName snicert2 -sniCert
add ssl action act1 -forward fwd-vserver
add ssl policy pol1 -rule client.ssl.client_hello.sni.contains("xyz") -action act1
bind ssl vserver v1 -policyName pol1 -type CLIENTHELLO_REQ -priority 1
sh ssl vserver v1

    Advanced SSL configuration for VServer v1:
    DH: DISABLED
    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0
    Session Reuse: ENABLED  Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLfwd-vserver Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: ENABLED
    OCSP Stapling: DISABLED
    HSTS: DISABLED
    HSTS IncludeSubDomains: NO
    HSTS Max-Age: 0
    SSLfwd-vserver: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES
    Strict Sig-Digest Check: DISABLED
    Zero RTT Early Data: DISABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1

ECC Curve: P_256, P_384, P_224, P_521

1)  CertKey Name: sv    Server Certificate
2)  CertKey Name: snicert2  Server Certificate for SNI
3)  CertKey Name: snicert   Server Certificate for SNI


Data policy
1) Policy Name: pol1    Priority: 1



1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done
sh ssl policy pol1
    Name: pol1
    Rule: client.ssl.client_hello.sni.contains("xyz")
    Action: act1
    UndefAction: Use Global
    Hits: 0
    Undef Hits: 0


    Policy is bound to following entities
1)  Bound to: CLIENTHELLO_REQ VSERVER v1
    Priority: 1

Done
sh ssl action act1
1)  Name: act1
    Type: Data Insertion
    Forward to: fwd-vserver
    Hits: 0
    Undef Hits: 0
    Action Reference Count: 1
Done
sh ssl vserver fwd-vserver

    Advanced SSL configuration for VServer fwd-vserver:
    DH: DISABLED
    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0
    Session Reuse: ENABLED  Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLfwd-vserver Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: DISABLED
    OCSP Stapling: DISABLED
    HSTS: DISABLED
    HSTS IncludeSubDomains: NO
    HSTS Max-Age: 0
    SSLfwd-vserver: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES
    Strict Sig-Digest Check: DISABLED
    Zero RTT Early Data: DISABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1

    ECC Curve: P_256, P_384, P_224, P_521

1)  CertKey Name: sv    Server Certificate



1)  Cipher Name: DEFAULT
    Description: Default cipher list with encryption strength >= 128bit
Done

Configure SSL action to forward client traffic if the appliance does not have a domain specific (SNI) certificate

In this article