How To Re-Encrypt Multiple SNIs
When a Virtual Service is configured with SSL Acceleration and Re-encryption, the LoadMaster can only send one Server Name Indication (SNI) host name to the Real Server.
To get around this, use content matching rules in combination with SubVSs and cascading Virtual Services.
First, create the content rules that match on the host name the client is requesting. This article uses abc.com and xyz.com as the example hosts.
In the LoadMaster Web User Interface (WUI), go to Rules & Checking > Content Rules and click Create New.
Repeat this to create the xyz.com rule.
Create a Virtual Service listening on port 443 with SSL Acceleration and Reencrypt enabled.
Enable content switching at the "parent" Virtual Service.
Add two SubVSs under the parent Virtual Service and assign the abc.com rule to one SubVS and the xyz.com rule to the other.
Next, create the cascading Virtual Services which will be used as Real Servers within the SubVSs.
In the WUI, go to Virtual Services > Add New and enter the Virtual Address, for example 10.1.114.27 (SNI abc.com).
Repeat the steps for 10.1.114.28 (SNI xyz.com).
Within these cascading Virtual Services, enable SSL Acceleration and Reencrypt and insert the SNI of abc.com:
In the relevant Virtual Service modify screen, expand the SSL Properties and enter abc.com as the Reencryption SNI Hostname.
The Real Server Check Method should be set to None since the "parent" Virtual Service will be doing the health checks.
Repeat these steps for the other cascading Virtual Service of 10.1.114.28 (xyz.com).
Once completed, your configuration should look similar to this:
Finally, examining a packet capture of the back-end traffic verifies that the LoadMaster is sending different SNIs to the Real Servers.
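The final verification step above relies on reading the SNI out of the ClientHello that each cascading Virtual Service sends to its Real Server. The following script is an added example, not Kemp's code and not part of the original article: it builds a minimal TLS 1.2 ClientHello (constructed here to stand in for a captured one), parses the server_name extension back out of it, and checks the result against the expected SNI for each cascading Virtual Service from the article (10.1.114.27 expecting abc.com, 10.1.114.28 expecting xyz.com). The function and constant names are this example's own.

```python
import os
import struct
from typing import Optional

RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000

# Expected Reencryption SNI Hostname per cascading Virtual Service (from the article).
CASCADING_VS_SNI = {"10.1.114.27": "abc.com", "10.1.114.28": "xyz.com"}


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry.
    Constructed for this example; it stands in for a ClientHello captured
    between the LoadMaster and a Real Server."""
    host = sni.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host          # type host_name(0)
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    # An unrelated extension (ec_point_formats) placed first, so the parser has to skip it.
    ec_point_formats = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
    extensions = ec_point_formats + sni_ext
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # ClientHello without extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        p = 2                                        # skip server_name_list length
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0:
                return name.decode("idna")
    return None


def check_backend_sni(vs_address: str, record: bytes) -> bool:
    """True if the ClientHello sent by the given cascading VS carries the SNI it should."""
    expected = CASCADING_VS_SNI.get(vs_address)
    return expected is not None and extract_sni(record) == expected


if __name__ == "__main__":
    # Simulate the packet capture: each cascading VS sends its own ClientHello to its Real Server.
    for vs, sni in CASCADING_VS_SNI.items():
        captured = build_client_hello(sni)
        print(vs, "->", extract_sni(captured), "OK" if check_backend_sni(vs, captured) else "MISMATCH")
```

With a real capture, feed `extract_sni` the first TLS record of each back-end connection and compare it to the Reencryption SNI Hostname configured on the corresponding cascading Virtual Service; a parent-level Virtual Service without this layout would show the same SNI on every connection regardless of which host the client asked for.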