Multiple back end servers accepting 443


Hello all, I have a question about possible SNI setup or something like it.  Here is what I am trying to do.  I have 3 different servers on my backend that respond to 443 for different applications. 1 is a web server, 1 is a rdp server that uses RDP over 443 and then I have vmware I want access to from 443.  I know I could do this by redirecting say 8443 > 443 and 8444 > 443 and so on but I am in a situation most of the day that only 443 and 80 are open.  If I even attempt to put in name:port it is blocked no matter what.  So I have to keep things in the realm of 443 in all traffic. 

From what I am reading SNI is what I want but I do not fully understand it and what I need to do to get it working in my environment.  Correct me if I am wrong here but what I think is that I can stand up my own CA and issue 3 different hostname certificates.  Then go to godaddy or similar and assign 3 a records all pointing to my home ip.  Then I would add those 3 certificates to Kemp under the VIP I have setup for this so say I have goes to web server and goes to my rdp server.  Now depending on what address I use I would get the correct service I need?

Thanks for any help you can provide.

1 comment

Mark Deegan

Hello Bo,

indeed under SSL properties on the VIP you may enable "Require SNI hostname" and put all three certificates on the VIP. this will accept traffic from the outside but will direct it in to all the servers inside with the hostname request attached. This will not solve your issue as it does not sort the incoming traffic based on the requested hostname it only passes on the SNI information to the servers so they will respond with the correct web address for the request.

What would work if you load was only http requests would be to create 3 SUB VS's and add only the servers that host those services on the back end attached to those SUB VS's and use content rules to sort the incoming traffic. The problem here is the RDS or VMware request may not be able to be sorted in this manner but it is worth a try. Please see our document on content rules.