
Configure SSL action to forward client traffic if the appliance does not have a domain specific (SNI) certificate

Note: This feature is available in release 12.1 build 49.x and later.

If the client hello message carries a server name (SNI) for which no certificate is available on the appliance, you can configure an SSL action that forwards the client traffic to a different virtual server. If you do not want SSL offload on the appliance, forward the traffic to a virtual server of type TCP or SSL_BRIDGE, so that the handshake passes through to the back end. For SSL offload, forward the traffic to an SSL virtual server. In the following example, an SSL virtual server is configured as the forward virtual server. With this setting, connections that would otherwise fail on the original virtual server because of a missing SNI certificate complete on the forward virtual server.

Two points to keep in mind. The policy is evaluated on the client hello, before any handshake, so the forward virtual server (or the back end behind a TCP or SSL_BRIDGE virtual server) performs the TLS handshake and must itself present a certificate that the client accepts for the requested name. Also, the policy rule alone decides what is forwarded: write it so that it matches only the names for which the original virtual server has no certificate, because a broader rule also forwards clients whose SNI certificate is bound to the original virtual server. Finally, the sample show output below has SSLv3 and TLS 1.0/1.1 enabled on both virtual servers; disable them on production virtual servers that face untrusted clients.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL (for example, v1). Client traffic is received on this virtual server.
  2. Add an SSL service on port 443 (for example, ssl-service).
  3. Bind this service to the SSL virtual server v1.
  4. Add another load balancing virtual server of type SSL to forward the traffic to (for example, fwd-vserver).
  5. Add another SSL service (for example, ssl-service2).
  6. Bind this service to the SSL virtual server fwd-vserver.
  7. Add an SSL action specifying the SSL virtual server fwd-vserver in the 'forward' parameter.
  8. Add an SSL policy whose rule matches the domain names (SNI) for which the appliance has no certificate, and that invokes the above action. The example rule client.ssl.client_hello.sni.contains("xyz") forwards every client hello whose SNI contains xyz.
  9. Bind this policy to the SSL virtual server v1 at the CLIENTHELLO_REQ bind point.
  10. Save the configuration.

Configuration using the CLI

Configuration for the SSL virtual server to which to forward the traffic. (The cacert certificate-key pair bound as a CA certificate below is assumed to exist already; its add ssl certkey command is not shown.)

add lb vserver fwd-vserver SSL 10.102.57.184 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
bind ssl vserver fwd-vserver -certkeyName sv
bind ssl vserver fwd-vserver -certkeyName cacert -CA
add service ssl-service2 10.102.113.150 SSL 443
bind lb vserver fwd-vserver ssl-service2

Configuration for the SSL virtual server that originally receives client traffic

add service ssl-service 10.102.113.155 SSL 443
add lb vserver v1 SSL 10.102.57.186 443
bind ssl vserver v1 -certkeyName sv
bind lb vserver v1 ssl-service
set ssl vserver v1 -sni ENABLED
add ssl certKey snicert2 -cert /nsconfig/ssl/complete/SNI/server/serverabc.pem -key /nsconfig/ssl/complete/SNI/server/serverabc.ky
add ssl certKey snicert -cert /nsconfig/ssl/complete/SNI/server/serverabcnetscaler.pem -key /nsconfig/ssl/complete/SNI/server/serverabcnetscaler.ky
bind ssl vserver v1 -certkeyName snicert -sniCert
bind ssl vserver v1 -certkeyName snicert2 -sniCert
add ssl action act1 -forward fwd-vserver
add ssl policy pol1 -rule client.ssl.client_hello.sni.contains("xyz") -action act1
bind ssl vserver v1 -policyName pol1 -type CLIENTHELLO_REQ -priority 1
sh ssl vserver v1

Advanced SSL configuration for VServer v1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED
SSLv3: ENABLED
TLSv1.0: ENABLED
TLSv1.1: ENABLED
TLSv1.2: ENABLED
TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: sv Server Certificate
2) CertKey Name: snicert2 Server Certificate for SNI
3) CertKey Name: snicert Server Certificate for SNI

Data policy
1) Policy Name: pol1 Priority: 1

1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done

sh ssl policy pol1

Name: pol1
Rule: client.ssl.client_hello.sni.contains("xyz")
Action: act1
UndefAction: Use Global
Hits: 0
Undef Hits: 0

Policy is bound to following entities
1) Bound to: CLIENTHELLO_REQ VSERVER v1 Priority: 1
Done

sh ssl action act1

1) Name: act1
Type: Data Insertion
Forward to: fwd-vserver
Hits: 0
Undef Hits: 0
Action Reference Count: 1
Done

sh ssl vserver fwd-vserver

Advanced SSL configuration for VServer fwd-vserver:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED
SSLv3: ENABLED
TLSv1.0: ENABLED
TLSv1.1: ENABLED
TLSv1.2: ENABLED
TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: sv Server Certificate

1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done