CTX205283

How Do I Configure SNI on NetScaler?

Applicable Products

  • Citrix ADC

Objective

This article describes how to configure the SNI feature on NetScaler.

Use Case

Traditionally, each application or website needed its own IP address to be hosted. Over time this takes up too many IP addresses, which becomes a serious problem because IP addresses are limited. The need, therefore, was to be able to host multiple applications/services on a single IP address.

Introduction to SNI

SNI (Server Name Indication) is an extension of the TLS protocol which enables you to host multiple applications/services on a single IP address. 

Servers supporting SNI have multiple certificates (pertaining to the multiple hostnames supported) bound to one single IP address. The client browser can indicate the requested hostname by including it in the ‘Client Hello’ of the SSL handshake and the server supporting SNI can send the correct certificate to the client depending on the hostname included in the request.

SNI feature support on NetScaler

You can enable the SNI feature on a NetScaler appliance to host multiple domains securely on a single SSL virtual server. It enables you to bind multiple certificates (pertaining to multiple domains) to a single virtual server. You can also bind a default certificate to the virtual server.

If the client browser indicates the requested hostname by including it in the ‘Client Hello’ of the SSL handshake, the SNI-enabled virtual server sends the correct certificate (the certificate mapping to the requested hostname) back to the client. In cases where the client does not specify any domain name, the virtual server sends the default certificate.

Instructions

Complete the following steps to configure the SNI feature on NetScaler:

  1. Add an SSL virtual server.

    From the NetScaler GUI, navigate to Traffic Management > Load Balancing > Virtual Servers > Add.

    For additional details on basic SSL offloading, visit Citrix Documentation - Configuring an SSL-Based Virtual Server.

  2. Enable the SNI feature on the SSL virtual server.

    Navigate to Traffic Management > Load Balancing > Virtual Servers, select the virtual server, click Edit > SSL Parameters, and check SNI Enable.

  3. Bind an SNI certificate to the SSL virtual server. You can bind multiple SNI certificates to the SSL virtual server.

    bind ssl vserver <ssl vservername> -certkeyname <certkeyname> -SNICert

    Navigate to Traffic Management > Load Balancing > Virtual Servers, select the virtual server, click Edit > Certificates > Server Certificates > Add Binding, select the certificate, and check the Server certificate for SNI box.

    Note: Optionally, you can also bind a default certificate.

    In cases where the client does not specify any domain name, NetScaler sends the default certificate.

    Navigate to Traffic Management > Load Balancing > Virtual Servers, select the virtual server, click Edit > Certificates > Server Certificates > Add Binding, select the certificate, and do not check the Server certificate for SNI box.


Additional Resources