
How To Re-Encrypt Multiple SNIs

When a Virtual Service is configured with SSL Acceleration and Re-encryption, the LoadMaster can only send one Server Name Indication (SNI) host name to the Real Server.

To get around this, use content matching rules in combination with SubVSs and cascading Virtual Services.

First, create the content rules to match on the host that is being requested by the client. Examples of and will be used.

In the LoadMaster Web User Interface (WUI), go to Rules & Checking > Content Rules and click Create New.


Repeat this to create the rule.

Create a Virtual Service listening on port 443 with SSL Acceleration and Reencrypt enabled.

Enable content switching at the "parent" Virtual Service.

Add two SubVSs under the parent Virtual Service and assign the rules and rules.



Next, create the cascading Virtual Services which will be used as Real Servers within the SubVSs.

In the WUI, go to Virtual Services > Add New and enter the Virtual Address, for example


Repeat the steps for (SNI

Within these cascading Virtual Services, enable SSL Acceleration and Reencrypt and insert the SNI of

In the relevant Virtual Service modify screen, expand the SSL Properties and enter as the Reencryption SNI Hostname.

The Real Server Check Method should be set to None since the "parent" Virtual Service will be doing the health checks. 


 Repeat these steps for the other cascading Virtual Service of (


Once completed, your configuration should look similar to this:


Finally, examining a packet capture of the back-end traffic verifies that the LoadMaster is sending different SNIs to the Real Servers.






doesn't seem to work in 7.2.38



Permanently deleted user

Hi kmaley. I just checked, and this is working in 7.2.38.

It may be best to open up a support case so we can look into your config.



Boris Wagener


Where do I assign the certificates for and Both in the parent or in directly into each child?




Frankie Cotto

Hi it-support,

That is correct. All certificates should be applied to the parent virtual service. As for the child virtual service only the corresponding certificate is required.