Objective
This article describes how to configure the SNI feature on NetScaler.
Use Case
Traditionally, every separate application or website needed its own IP address to be hosted. This consumed far too many IP addresses, a serious long-term problem given that IP addresses are limited. Hence the need to host multiple applications or services on a single IP address.
Introduction to SNI
SNI (Server Name Indication) is an extension of the TLS protocol which enables you to host multiple applications/services on a single IP address.
Servers supporting SNI have multiple certificates (pertaining to the multiple hostnames supported) bound to one single IP address. The client browser can indicate the requested hostname by including it in the ‘Client Hello’ of the SSL handshake and the server supporting SNI can send the correct certificate to the client depending on the hostname included in the request.
SNI feature support on NetScaler
You can enable the SNI feature on a NetScaler appliance to host multiple domains securely on a single SSL virtual server. It enables you to bind multiple certificates (pertaining to multiple domains) to a single virtual server. You can also bind a default certificate to the virtual server.
If the client browser indicates the requested hostname by including it in the ‘Client Hello’ of the SSL handshake, the SNI enabled virtual server would send the correct certificate (certificate mapping to the requested hostname) back to the client. In cases where the client does not specify any domain name, the virtual server would send the default certificate.
Instructions
Complete the following steps to configure the SNI feature on NetScaler:
- Add SSL virtual server.
  From the NetScaler GUI, navigate to Traffic Management > Load Balancing > Virtual Servers > Add.
  For additional details on basic SSL offloading, see Citrix Documentation - Configuring an SSL-Based Virtual Server.
- Enable the SNI feature on the SSL virtual server.
  Navigate to Traffic Management > Load Balancing > Virtual Servers > Select the virtual server and click Edit > SSL Parameters and check SNI Enable.
- Bind SNI certificates to the SSL virtual server. You can bind multiple SNI certificates to the SSL virtual server.
  CLI: bind sslvserver <ssl vservername> -certkeyname <certkeyname> -SNICert
  GUI: Navigate to Traffic Management > Load Balancing > Virtual Servers > Select the virtual server and click Edit > Certificates > Server Certificates > Add Binding > Select the certificate and check the Server certificate for SNI box.
  Note: Optionally, you can also bind a default certificate. In cases where the client does not specify any domain name, the NetScaler would send the default certificate.
  Navigate to Traffic Management > Load Balancing > Virtual Servers > Select the virtual server and click Edit > Certificates > Server Certificates > Add Binding > Select the certificate and do not check the Server certificate for SNI box.
Additional Resources
- CTX125798 - The SNI Feature of NetScaler Appliance