How To Re-Encrypt Multiple SNIs

When a Virtual Service is configured with SSL Acceleration and Re-encryption, the LoadMaster can only send one Server Name Indication (SNI) host name to the Real Server.

To get around this, use content matching rules in combination with SubVSs and cascading Virtual Services.

First, create the content rules that match on the host name the client is requesting. This article uses abc.com and xyz.com as examples.

In the LoadMaster Web User Interface (WUI), go to Rules & Checking > Content Rules and click Create New.

[Screenshot: match_abc.PNG]

Repeat this to create the xyz.com rule.

Create a Virtual Service listening on port 443 with SSL Acceleration and Reencrypt enabled.

Enable content switching at the "parent" Virtual Service.

Add two SubVSs under the parent Virtual Service and assign the abc.com rule to one and the xyz.com rule to the other.

[Screenshot: parent_VS.png]

Next, create the cascading Virtual Services which will be used as Real Servers within the SubVSs.

In the WUI, go to Virtual Services > Add New and enter the Virtual Address, for example 10.1.114.27.

[Screenshot: cascading_VS_create.png]

Repeat the steps for 10.1.114.28 (SNI xyz.com).

Within each cascading Virtual Service, enable SSL Acceleration and Reencrypt and set the SNI that this Virtual Service should send, starting with abc.com:

In the relevant Virtual Service modify screen, expand the SSL Properties and enter abc.com as the Reencryption SNI Hostname.

The Real Server Check Method should be set to None, since the "parent" Virtual Service will be doing the health checks.

[Screenshot: cascading_VS_abc_com.png]

Repeat these steps for the other cascading Virtual Service, 10.1.114.28 (xyz.com).

Once completed, your configuration should look similar to this:

[Screenshot: VSs_overview.png]

Finally, examining a packet capture of the back-end traffic verifies that the LoadMaster is sending different SNIs to the Real Servers.

[Screenshot: SNI_tcpdump.png]
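The capture above is checked by eye, but the same verification can be scripted. The following is an added example (not part of this article and not Kemp code) that parses the SNI extension out of a TLS ClientHello record, the message the LoadMaster sends to the Real Server when it opens the re-encrypted connection. The `build_client_hello` helper produces constructed sample records standing in for captured packets so the script runs offline; in practice you would feed it the ClientHello payload extracted from a pcap. `backend_sni_matches` then compares each backend SNI against the SNI the matching cascading Virtual Service is expected to send (the abc.com and xyz.com mapping from this article) and lists any mismatch, which is exactly the symptom of the single-SNI limitation this article works around.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name, RFC 6066


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension.

    Constructed sample input (stands in for a captured backend ClientHello);
    the random field is zeroed and only one cipher suite is listed.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + bytes(32)              # random (zeros; constructed)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x00\x2f"    # cipher_suites: one suite, 2 bytes long
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record.

    Returns None if the record is not a handshake/ClientHello or has no SNI.
    Every length is bounds-checked so truncated capture data cannot raise.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
            lpos += 3 + name_len
    return None


def backend_sni_matches(expected: dict, observed: list) -> list:
    """Compare captured backend ClientHellos against the expected SNI per client host.

    `expected` maps the Host the client requested to the SNI the cascading
    Virtual Service should send; `observed` is a list of (requested_host,
    backend_client_hello_record) pairs. Returns [(host, sni_actually_sent)]
    for every mismatch, so an empty list means the split is working.
    """
    mismatches = []
    for host, record in observed:
        sni = extract_sni(record)
        if sni != expected.get(host):
            mismatches.append((host, sni))
    return mismatches


# Expected mapping from this article: each cascading VS sends its own SNI.
EXPECTED_SNI = {"abc.com": "abc.com", "xyz.com": "xyz.com"}

# Constructed captures: a working split configuration ...
GOOD_CAPTURE = [("abc.com", build_client_hello("abc.com")),
                ("xyz.com", build_client_hello("xyz.com"))]
# ... and the single-VS behaviour the article works around, where every backend
# connection carries the same SNI regardless of which host the client asked for.
SINGLE_SNI_CAPTURE = [("abc.com", build_client_hello("abc.com")),
                      ("xyz.com", build_client_hello("abc.com"))]

if __name__ == "__main__":
    print("split config mismatches:", backend_sni_matches(EXPECTED_SNI, GOOD_CAPTURE))
    print("single-SNI mismatches:", backend_sni_matches(EXPECTED_SNI, SINGLE_SNI_CAPTURE))
```

With real capture data, only the ClientHello is needed: the SNI travels in clear text before any encryption starts, so nothing about the re-encrypted session has to be decrypted to confirm which host name each Real Server is being handed.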


Comments

kmaley

Doesn't seem to work in 7.2.38.

Andres Garcia de Alba

Hi kmaley. I just checked, and this is working in 7.2.38.

It may be best to open up a support case so we can look into your config.
https://support.kemptechnologies.com/hc/en-us/requests/new