
How To Re-Encrypt Multiple SNIs

When a Virtual Service is configured with SSL Acceleration and Re-encryption, the LoadMaster can only send a single Server Name Indication (SNI) host name, the one entered as the Reencryption SNI Hostname, to the Real Servers, regardless of which host name the client requested.

To work around this, use content matching rules in combination with SubVSs and cascading Virtual Services: the parent Virtual Service switches on the host name the client requested, and each cascading Virtual Service re-encrypts towards its Real Server with its own SNI.

First, create a content rule for each host name that clients request. The host names abc.com and xyz.com are used as examples.

In the LoadMaster Web User Interface (WUI), go to Rules & Checking > Content Rules and click Create New. Create a Content Matching rule that matches abc.com in the Host header.

match_abc.PNG

Repeat this to create the xyz.com rule.

Create a Virtual Service listening on port 443 with SSL Acceleration and Reencrypt enabled. Assign the certificates for both abc.com and xyz.com to this Virtual Service, since this is where the client connections are terminated.

Enable Content Switching on this "parent" Virtual Service.

Add two SubVSs under the parent Virtual Service and assign the abc.com rule to one and the xyz.com rule to the other.

parent_VS.png


Next, create the cascading Virtual Services. Each one is added as the Real Server of the corresponding SubVS and has the actual back-end server as its own Real Server.

In the WUI, go to Virtual Services > Add New and enter the Virtual Address, for example 10.1.114.27 (SNI abc.com).

cascading_VS_create.png 

Repeat the steps for 10.1.114.28 (SNI xyz.com).

Within each cascading Virtual Service, enable SSL Acceleration and Reencrypt and set the SNI for that host: in the Virtual Service modify screen, expand SSL Properties and enter abc.com as the Reencryption SNI Hostname of the 10.1.114.27 Virtual Service. Because the parent Virtual Service re-encrypts towards this Virtual Service, it also needs the abc.com certificate assigned so that it can terminate that hop.

Set the Real Server Check Method to None on the cascading Virtual Services, since the "parent" Virtual Service performs the health checks; its check traffic passes through the cascading Virtual Service to the back-end server.

cascading_VS_abc_com.png

Repeat these steps for the other cascading Virtual Service, 10.1.114.28 (xyz.com).


Once completed, your configuration should look similar to this:

VSs_overview.png 

Finally, a packet capture of the back-end traffic verifies that the LoadMaster sends a different SNI to each Real Server.

SNI_tcpdump.png
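As an added example (not code from the Kemp article), the following Python script performs the same check as the packet capture above from the command line: it reads a classic pcap written by tcpdump on the interface facing the Real Servers and reports which SNI each Real Server received in its ClientHello. Run without an argument it works on a capture it constructs itself; the Real Server addresses 10.1.114.101 and 10.1.114.102 used in that constructed capture are assumptions, the article does not name the back-end servers.

```python
"""Added example (not from the Kemp article): report the SNI each Real Server receives.

Usage: python sni_check.py backend.pcap   (no argument: runs on a constructed capture)
"""
import socket
import struct
import sys


def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello record carrying only a server_name extension (test input)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(name_list)) + name_list       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                               # not a Handshake/ClientHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                              # skip version and random
        pos += 1 + body[pos]                                      # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher suites
        pos += 1 + body[pos]                                      # compression methods
        if pos + 2 > len(body):
            return None                                           # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            q = 2                                                 # skip ServerNameList length
            while q + 3 <= len(data):
                name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:
                    return data[q + 3:q + 3 + name_len].decode("ascii", "replace")
                q += 3 + name_len
    except (IndexError, struct.error):
        pass                                                      # truncated or malformed segment
    return None


def sni_per_real_server(pcap_bytes):
    """Walk a pcap of the back-end hop; return {Real Server IP: SNI} from each ClientHello seen."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"         # tcpdump writes host byte order
    if struct.unpack(e + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("not a classic Ethernet pcap (pcapng and other link types are not handled)")
    seen, pos = {}, 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(e + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                              # not IPv4 over Ethernet, not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 20:
            continue
        sni = extract_sni(frame[tcp + (frame[tcp + 12] >> 4) * 4:])   # ClientHello assumed in one segment
        if sni:
            seen[socket.inet_ntoa(frame[30:34])] = sni
    return seen


def make_frame(src_ip, dst_ip, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) carrying one TLS record."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def constructed_capture():
    """Stand-in for the back-end tcpdump: each cascading VS talking to its Real Server.
    The Real Server addresses 10.1.114.101/102 are assumed; the article does not name them."""
    frames = [make_frame("10.1.114.27", "10.1.114.101", build_client_hello("abc.com")),
              make_frame("10.1.114.28", "10.1.114.102", build_client_hello("xyz.com"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap header, Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    for ip, sni in sorted(sni_per_real_server(data).items()):
        print(f"{ip}: {sni}")   # expect abc.com for one Real Server and xyz.com for the other
```

Point the script at a capture taken on the interface facing the Real Servers; it rejects pcapng files and non-Ethernet link types, and it only inspects the segment that carries the start of the ClientHello, which is sufficient here because a ClientHello with a single SNI extension fits in one segment. If Wireshark is available, tshark shows the same information with -Y "tls.handshake.extensions_server_name" -T fields -e ip.dst -e tls.handshake.extensions_server_name.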



Comments


kmaley

Doesn't seem to work in 7.2.38.


Permanently deleted user

Hi kmaley. I just checked, and this is working in 7.2.38.

It may be best to open up a support case so we can look into your config.
https://support.kemptechnologies.com/hc/en-us/requests/new


Boris Wagener

Hello,

Where do I assign the certificates for abc.com and xyz.com? Both in the parent, or directly in each child?

Regards


Frankie Cotto

Hi it-support,

That is correct. All certificates should be applied to the parent virtual service. As for the child virtual services, only the corresponding certificate is required.
