SNI: What is it and what can it do for you?
Citrix NetScaler gives you the ability to use multiple SSL certificates on one Virtual Server by way of a great feature that has been available since version 9.2. This feature is known as SNI.
So, what is SNI?
SNI stands for Server Name Indication and is an extension to the TLS protocol. It works by having the client (in most cases a browser) indicate the hostname it is attempting to connect to at the very beginning of the SSL/TLS handshake.
When the client begins the handshake with a ClientHello that carries the Server Name extension, the NetScaler matches the requested server name against the SNI certificates bound to the requested Virtual Server. If no match is found, the NetScaler returns an unrecognized name alert and resets the connection.
If the client begins the handshake with a ClientHello that carries NO Server Name extension, the default certificate bound to the Virtual Server is returned.
What can it do for you?
The value of this great feature is that it allows Cloud Networking Administrators to use only one IP address while serving multiple SSL certificates for their load-balanced backend servers.
Here is how to apply SNI SSL certificates to your virtual server:
Scenario:
Content Switching Virtual Server (more on Content Switching: http://bit.ly/1T73M3i)
- Content switching is leveraged to identify content on the HTTP header (host), and direct it to the correct backend server.
Step by Step Guidance:
NOTE: Guide assumes that the following has been completed.
- All SSL certificates have been validated, and installed on the NetScaler.
- All backend virtual servers have been configured on the NetScaler (Non-Addressable).
Step 1: Add the Content Switching Virtual Server.
Step 2: Add the relevant policies to the content switching virtual server.
Step 3: Click the edit (pencil) button of the SSL Parameters advanced setting. Next, click the check box next to the SNI Enable feature and click OK.
Step 4: Add the Certificates Advanced Setting, and click the No Server Certificate box to add the certificates used for each back end server.
Step 5: Click the > symbol, and check the Server Certificate for SNI check box to add each of the SSL certificates. Repeat these steps as needed for all other SSL certificates.
How to test:
NOTE: DNS A records have been created for each of the backend web servers, all pointing at the same IP address, because the servers are uniquely identified via the layer 7 HTTP Host header.
i.e.:
- blue.training.lab = 10.10.10.10
- red.training.lab = 10.10.10.10
- green.training.lab = 10.10.10.10
Using content switching together with the SNI Server Name extension, the Citrix NetScaler is able to determine where to forward each client request.
Example of the client connecting to the Blue web server at the shared IP address, using a unique SSL certificate and the SNI Server Name extension:
Example of the client connecting to the Green web server at the shared IP address, using a unique SSL certificate and the SNI Server Name extension:
Example of the client connecting to the Red web server at the shared IP address, using a unique SSL certificate and the SNI Server Name extension:
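To make the matching logic described earlier (server name in the ClientHello matched against the bound SNI certificates, default certificate when the extension is absent, unrecognized name when nothing matches) and the blue/red/green test scenario concrete, here is an added example in Python. It is not Citrix code and does not talk to a NetScaler: it builds a minimal, constructed TLS 1.2 ClientHello, parses the server_name extension back out of it the way a TLS terminator has to, and then applies the same certificate-selection rule to the three hostnames from the test scenario. The certificate names (`blue-cert` and so on) and the `DEFAULT_CERT` value are placeholders, not real certificates.

```python
import struct

# Constructed placeholders standing in for the SNI certificates bound to the
# Content Switching vserver, plus the default certificate bound to the vserver.
SNI_CERTS = {
    "blue.training.lab": "blue-cert",
    "red.training.lab": "red-cert",
    "green.training.lab": "green-cert",
}
DEFAULT_CERT = "default-cert"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed for this example).
    Only the layout needed to carry the server_name extension is realistic:
    one cipher suite, null compression, zeroed random, no session id."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")          # SNI host_name is an A-label
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry     # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0
    body = (
        b"\x03\x03"                    # client_version: TLS 1.2
        + bytes(32)                    # random (zeros; constructed)
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\xc0\x2f"          # cipher_suites: one suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"                  # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension of a
    ClientHello record, or None when the extension is absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type == 0x0000:                     # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    return None


def select_certificate(record):
    """Apply the selection rule the article describes to one ClientHello:
    SNI name bound -> that certificate; no SNI -> default certificate;
    SNI name not bound -> unrecognized_name (the NetScaler then resets)."""
    name = extract_sni(record)
    if name is None:
        return ("default", DEFAULT_CERT)
    cert = SNI_CERTS.get(name.lower())
    if cert is None:
        return ("unrecognized_name", None)
    return ("sni", cert)


if __name__ == "__main__":
    for host in ("blue.training.lab", "green.training.lab", "red.training.lab",
                 "yellow.training.lab", None):
        print(host, "->", select_certificate(build_client_hello(host)))
```

Hostname matching is done case-insensitively, which is how DNS names compare; the hostnames in the bound-certificate table are therefore kept in lower case. The `yellow.training.lab` case in the demo loop shows the unrecognized-name outcome for a name that has no bound certificate, and the `None` case shows the default-certificate fallback when the client sends no SNI at all (older clients and some non-browser tools), which is worth checking explicitly when you test a new vserver.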