shafiq23
Staff & Editor
Article Id 322725
Description

This article describes how to enable the SNI Forward Flag and verify that the TLS SNI extension is forwarded to the real server.

Scope

FortiADC, FortiADC-VM.

Use Case: Real server pool with server SSL profile.

Solution

A predefined server SSL profile has the SNI Forward Flag option disabled by default. As a result, SNI is not forwarded to the real server, and if the real server requires SNI, it may not serve the requested resources properly.

 

[Figure: Missing SNI towards real server pool example]

 

Create a new server SSL profile, or clone an existing one, to use in the Real Server Pool configuration.

 

From GUI:

  1. Navigate to Server Load Balance -> Real Server Pool -> Server SSL.
  2. Select Create New or clone an existing profile.
  3. Define other settings where required.
  4. Enable SNI Forward Flag.
  5. Select Save.
  6. Associate the server SSL profile with the respective Real Server Pool.

 


 

Result:

 

[Figure: result screenshot]

 

Note:

In v7.2.1 and later, a custom SNI field can be used to overwrite the SNI sent by the user.

 

For more information on real server SSL profiles:
Configuring Real Server SSL profiles 
