How Do I Configure SNI on NetScaler?

This article describes how to configure the SNI feature on NetScaler.

Use Case

Traditionally, every separate application or website needed its own IP address to be hosted. This consumed far too many IP addresses, a serious long-term problem given that IP addresses are a limited resource. Hence the need to host multiple applications or services on a single IP address.

Introduction to SNI

SNI (Server Name Indication) is an extension of the TLS protocol which enables you to host multiple applications/services on a single IP address.

Servers supporting SNI have multiple certificates (one for each supported hostname) bound to one single IP address. The client browser indicates the requested hostname by including it in the ‘Client Hello’ of the SSL handshake, and a server supporting SNI sends back the certificate that matches the hostname included in the request.

SNI feature support on NetScaler

You can enable the SNI feature on a NetScaler appliance to host multiple domains securely on a single SSL virtual server. It enables you to bind multiple certificates (pertaining to multiple domains) to a single virtual server. You can also bind a default certificate to the virtual server.


If the client browser indicates the requested hostname by including it in the ‘Client Hello’ of the SSL handshake, the SNI-enabled virtual server sends the correct certificate (the certificate mapped to the requested hostname) back to the client. If the client does not specify any domain name, the virtual server sends the default certificate.
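As an added example (not part of the original article and not NetScaler's own code), the following Python script models the selection step described above: it extracts the server_name extension from a TLS ClientHello and maps it to a bound certificate, falling back to the default certificate when no hostname is indicated. The certificate names and the ClientHello builder are constructed for this example only.

```python
import struct

# Hypothetical certificate bindings on one SNI-enabled virtual server:
# hostname -> certkey name. Constructed for this example, not a real config.
SNI_CERTS = {"www.example.com": "cert_example_com", "shop.example.net": "cert_shop_net"}
DEFAULT_CERT = "cert_default"


def sni_hostname(client_hello: bytes):
    """Return the server_name carried in a TLS ClientHello record, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                              # skip client_version + random
    pos += 1 + client_hello[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]     # cipher_suites
    pos += 1 + client_hello[pos]                                  # compression_methods
    if pos >= len(client_hello):
        return None                                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", client_hello, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
        pos += 4
        if ext_type == 0:  # server_name extension (RFC 6066)
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack_from("!H", client_hello, pos + 3)[0]
            return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def select_cert(client_hello: bytes) -> str:
    """Pick the certificate bound for the indicated hostname; otherwise the default cert."""
    host = sni_hostname(client_hello)
    # No SNI (or a name with no binding) falls back to the default certificate here.
    return SNI_CERTS.get(host, DEFAULT_CERT)


def build_client_hello(hostname=None) -> bytes:
    """Construct a minimal ClientHello (one cipher suite, empty session id), optionally with SNI."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if hostname is not None:
        name = hostname.encode("ascii")
        sname = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        ext = struct.pack("!HH", 0, len(sname) + 2) + struct.pack("!H", len(sname)) + sname
        body += struct.pack("!H", len(ext)) + ext                 # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake message
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record
```

Running select_cert on a ClientHello without the extension shows the default-certificate path that the article describes for clients that send no hostname.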
