
Support for SNI on the Back-End Service

Sep 01, 2016

The NetScaler appliance now supports Server Name Indication (SNI) at the back end. That is, the common name is sent as the server name in the client hello to the back-end server for successful completion of the handshake. In addition to helping meet federal system integrator customer security requirements, this enhancement provides the advantage of using only one port instead of opening hundreds of different IP addresses and ports on a firewall.

Federal system integrator customer security requirements include support for Active Directory Federation Services (ADFS) 3.0 in 2012R2 and WAP servers. This requires supporting SNI at the back end on a NetScaler appliance.

Note

For SNI to work, the server name in the client hello must match the host name configured on the back-end service that is bound to an SSL virtual server. For example, if the host name of the virtual server is https://www.mail.example.com, the SNI-enabled back-end service must be configured with https://www.mail.example.com as its server name, and that host name must be the server name carried in the client hello.

To configure SNI on the back-end service by using the NetScaler command line

At the command prompt, type:

add service <name> <IP> <serviceType> <port>

add lb vserver <name> <IPAddress> <serviceType> <port>

bind lb vserver <name> <serviceName>

set ssl service <serviceName> -SNIEnable ENABLED -commonName <string>

Example

add service service_ssl 10.217.193.2 SSL 443

add lb vserver ssl-vs 10.1.1.1 SSL 443

bind lb vserver ssl-vs service_ssl

set ssl service service_ssl -SNIEnable ENABLED -commonName www.example.com
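The note above says the server name in the client hello must exactly match the host name configured on the back-end service. The following Python script is an added example, not NetScaler code: it encodes a minimal TLS ClientHello carrying a server_name (SNI) extension, parses the name back out, and performs the exact-match check against a configured -commonName. It also strips a URL scheme, because the note writes the service's server name as https://www.mail.example.com while SNI carries only the bare host; the function names and the "no wildcards" rule are this example's own assumptions.

```python
"""Build and parse the TLS server_name (SNI) extension of a ClientHello.

Added example, not NetScaler code: shows what "the common name is sent as the
server name in the client hello" means on the wire and applies the exact-match
rule from the note above.
"""
import os
import struct

TLS_EXT_SERVER_NAME = 0x0000  # extension type for server_name (RFC 6066)


def build_client_hello(server_name: str) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record with one SNI host_name entry.
    Only the SNI layout matters here; the cipher suite list is a single entry."""
    host = server_name.encode("ascii")
    # ServerNameList: list_len(2) | name_type(1)=0 host_name | name_len(2) | name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", TLS_EXT_SERVER_NAME, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + extensions
    )
    # Handshake header: type client_hello(1) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: handshake(0x16), legacy version 3.1, uint16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse the host_name out of a ClientHello record; None if no SNI is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # hs header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos >= len(hs):
        return None                                      # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != TLS_EXT_SERVER_NAME:
            continue
        # Walk the ServerNameList for the first host_name (type 0) entry
        q, list_end = 2, 2 + struct.unpack("!H", data[0:2])[0]
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def normalize_server_name(configured: str) -> str:
    """Reduce a configured name such as https://www.mail.example.com to the bare
    host that SNI carries: drop scheme, path and port, lower-case, no trailing dot."""
    name = configured.strip().lower()
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0].split(":", 1)[0]
    return name.rstrip(".")


def sni_matches(record: bytes, configured_common_name: str) -> bool:
    """Exact, case-insensitive match between the ClientHello SNI and the service's
    configured -commonName. No wildcard handling (assumption of this example)."""
    sent = extract_sni(record)
    return sent is not None and sent.lower() == normalize_server_name(configured_common_name)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")       # constructed sample
    print(extract_sni(hello), sni_matches(hello, "https://www.example.com"))
```

Run it against a packet capture by passing the raw record bytes of a captured ClientHello to `extract_sni`; comparing the result with `normalize_server_name` of the service's -commonName tells you whether the handshake will be accepted by a back end that selects its certificate by SNI.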

To configure SNI on the back-end service by using the NetScaler GUI

  1. Navigate to Traffic Management > Load Balancing > Services.
  2. Select an SSL service, and in Advanced Settings, select SSL Parameters.
  3. Select SNI Enable.

Binding a Secure Monitor to an SNI-Enabled Back-End Service

You can also bind secure monitors of type HTTP-ECV or TCP-ECV to the back-end services that support SNI. To do this, the custom header in the monitor must be set to the server name that is sent as the SNI extension in the client hello.

To configure and bind a secure monitor to an SNI-enabled back-end service by using the NetScaler command line

At the command prompt, type:

add lb monitor <monitorName> <type>

set lb monitor <monitorName> <type> -customHeaders <string>

bind service <name> -monitorName <string>

Example

> add monitor https-ecv-mon http-ecv

 Done

> set monitor https-ecv-mon HTTP-ECV -customHeaders "Host: example.com\r\n"

 Done

> bind service ssl_service -monitorName https-ecv-mon

To configure and bind a secure monitor to an SNI-enabled back-end service by using the NetScaler GUI

  1. Navigate to Traffic Management > Load Balancing > Monitor.
  2. Add a monitor of type HTTP-ECV or TCP-ECV, and specify a Custom Header.
  3. Click Create.
  4. Navigate to Traffic Management > Load Balancing > Services.
  5. Select an SSL service and click Edit.
  6. In Monitors, click Add Binding, select the monitor created in step 3, and click Bind.
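The text above requires the monitor's custom Host header to be the same name the service sends as its SNI extension. The following Python script is an added example and not NetScaler's monitor implementation: it parses a -customHeaders string of the form used in the CLI example, checks that its Host header equals the service's SNI common name, and offers an HTTP-ECV-style probe that sets the SNI name on the TLS connection and sends the same headers. The function names, the `expect` response string and the `verify` switch are this example's own assumptions; the host names in the `__main__` block are constructed samples.

```python
"""HTTP-ECV-style probe for an SNI-enabled back-end service.

Added example, not NetScaler code. It mirrors the rule above: the monitor's
Host header must equal the server name sent as SNI in the client hello.
"""
import socket
import ssl


def parse_custom_headers(custom_headers: str) -> dict:
    """Turn a -customHeaders string such as 'Host: example.com\\r\\n' into a dict.
    Both literal backslash sequences and real CRLFs are accepted; header names
    are case-insensitive, so keys are lower-cased."""
    headers = {}
    for line in custom_headers.replace("\\r\\n", "\r\n").split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def host_matches_sni(custom_headers: str, sni_common_name: str) -> bool:
    """True only when the monitor carries a Host header equal to the SNI name."""
    host = parse_custom_headers(custom_headers).get("host")
    return host is not None and host.lower() == sni_common_name.lower()


def https_ecv_probe(ip: str, port: int, sni_common_name: str, custom_headers: str,
                    expect: str, timeout: float = 5.0, verify: bool = True) -> bool:
    """Connect with server_hostname=sni_common_name, send GET / with the monitor's
    custom headers, and return True if `expect` appears in the response.
    `verify=False` disables certificate checks (only for lab back ends)."""
    if not host_matches_sni(custom_headers, sni_common_name):
        raise ValueError("monitor Host header does not match the service's SNI common name")
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    lines = ["GET / HTTP/1.1"]
    lines += [f"{k.title()}: {v}" for k, v in parse_custom_headers(custom_headers).items()]
    lines += ["Connection: close", "", ""]
    request = "\r\n".join(lines).encode("ascii")
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname is what ends up in the ClientHello's SNI extension
        with ctx.wrap_socket(raw, server_hostname=sni_common_name) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return expect.encode() in b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample: the consistency check runs offline; the probe needs a live back end.
    headers = "Host: example.com\\r\\n"
    print("Host matches SNI:", host_matches_sni(headers, "example.com"))
    print("Host matches SNI:", host_matches_sni(headers, "www.example.com"))
```

Run `host_matches_sni` against the -customHeaders string and the service's -commonName before binding the monitor; a mismatch means the back end may answer the probe under a different virtual host (or reject it), so the monitor result would not reflect the path real client traffic takes.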