FortiWeb
Deepak_Girimaji_FTNT
Article Id 214062

 

Description

 

This article describes how to allow FortiWeb to support multiple server certificates.

 

Scope

 

FortiWeb firmware version 6.3.X, 7.0.X

 

Solution

 

To allow FortiWeb to present multiple certificates from a single server policy (one virtual server IP and port), a Server Name Indication (SNI) configuration is needed. The client sends the host name it wants in the TLS ClientHello, and FortiWeb uses that name to pick the matching certificate from the SNI policy before the handshake completes.


Step 1: SNI policy configuration.
--------------------------------------------------------------------------------------------------------
1) Go to Server Objects -> Certificates -> Local.


2) Import all the server certificates (with their private keys).


3) Go to Server Objects -> Certificates -> Inline SNI.


4) Create a new SNI policy, and inside that policy select 'Create New' again to add a member.


5) Specify the domain, select the matching local certificate and, if the certificate was issued by an intermediate CA, the corresponding Intermediate CA group.


6) Repeat steps 4 and 5 until every server certificate hosted on the single server has an entry in the SNI policy.

Reference: section 'To create an inline Server Name Indication (SNI) configuration' from the following links.


https://docs.fortinet.com/document/fortiweb/6.3.19/administration-guide/595664/how-to-offload-or-ins...

https://docs.fortinet.com/document/fortiweb/7.0.1/administration-guide/595664/how-to-offload-or-insp...
--------------------------------------------------------------------------------------------------------

Step 2: Server policy configuration for SNI.
--------------------------------------------------------------------------------------------------------
1) Once the HTTPS service is selected in the server policy, 'Advanced SSL Settings' becomes visible.


2) Select 'Advanced SSL Settings'.


3) Enable 'Enable Server Name Indication (SNI)'.


4) Under 'SNI Policy', select the SNI policy created in Step 1 that contains all the server certificates. The certificate selected in the server policy itself is still used for clients that send no SNI or a host name that matches no entry.


5) Select OK.
--------------------------------------------------------------------------------------------------------

Step 3: Server-side SNI forwarding (necessary if the real server accepts only HTTPS).
--------------------------------------------------------------------------------------------------------
1) Go to Server Objects -> Server Pool.


2) Edit the appropriate server pool entry.


3) Double-click the pool member.


4) Under 'Advanced SSL Settings', enable 'Enable Server Name Indication (SNI) Forwarding'.

CLI syntax:

config server-policy server-pool
    edit "<server-pool_name>"
        config pserver-list
            edit <entry_index>
                set server-side-sni enable
            next
        end
    next
end

 

Note:

Server-side SNI is necessary when the connection from FortiWeb to the back-end server is over HTTPS. Because the server hosts multiple certificates, it needs the SNI extension in the TLS ClientHello to know which certificate to present during the SSL/TLS handshake; without it, the server falls back to its default certificate, which may not match the host name the client asked for.

With the above configuration, FortiWeb copies the host name from the client-side SNI into the SNI extension of its own ClientHello to the real server, and the server uses that name to select the appropriate certificate.

Reference: section 'Configuring server-side SNI support' from the links below.


https://docs.fortinet.com/document/fortiweb/6.3.19/administration-guide/399384/defining-your-web-ser...
https://docs.fortinet.com/document/fortiweb/7.0.1/administration-guide/399384/defining-your-web-serv...
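The selection in Steps 1 and 2 and the forwarding in Step 3 can be seen at the protocol level. The following Python script is an added example written for this article, not FortiWeb code or Fortinet tooling: it builds a minimal TLS ClientHello carrying the server_name extension (what the client sends to FortiWeb, and what FortiWeb re-sends to the real server once SNI forwarding is on), parses the host name back out of a captured ClientHello, and models the SNI policy lookup with a plain dictionary. The host names, certificate names and the exact-match-with-fallback lookup are assumptions for illustration; the ClientHello layout follows RFC 5246 and RFC 6066.

```python
"""Build and parse the TLS server_name (SNI) extension, and model an SNI policy lookup.

Added example for this article; not FortiWeb or Fortinet code. Host names and
certificate names below are constructed for illustration.
"""
import struct
from typing import Dict, Optional

TLS_RECORD_HANDSHAKE = 0x16   # ContentType handshake (RFC 5246)
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # server_name extension (RFC 6066)
SNI_HOST_NAME = 0x00          # NameType host_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return one TLS 1.2 handshake record holding a minimal ClientHello.

    Only one cipher suite and (optionally) the server_name extension are included:
    enough to show where the SNI sits on the wire, not a negotiation-ready hello.
    """
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += bytes(32)                   # random (zeros here; real clients use CSPRNG output)
    body += b"\x00"                     # session_id: empty
    body += b"\x00\x02\xc0\x2f"         # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                 # compression_methods: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        server_name = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_RECORD_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello record, or None if no SNI is present.

    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    try:
        if record[0] != TLS_RECORD_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos == len(body):
            return None                               # legacy hello without an extensions block
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions block overruns ClientHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            lpos, lend = 2, 2 + list_len
            while lpos + 3 <= lend:
                name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
                lpos += 3
                name = data[lpos:lpos + name_len]
                lpos += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")       # RFC 6066: host_name is ASCII (A-labels)
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


# Constructed SNI policy: domain -> local certificate name (all names are assumptions).
SNI_POLICY: Dict[str, str] = {
    "www.example.com": "cert_www_example_com",
    "shop.example.com": "cert_shop_example_com",
}
DEFAULT_CERT = "cert_server_policy"   # the certificate chosen on the server policy itself


def select_certificate(record: bytes, policy: Dict[str, str] = SNI_POLICY,
                       default: str = DEFAULT_CERT) -> str:
    """Pick the certificate a FortiWeb-like front end would present for this ClientHello.

    Exact (case-insensitive) domain match against the SNI policy; the server policy's own
    certificate is used when there is no SNI or no match (fallback assumed for illustration).
    """
    sni = extract_sni(record)
    return default if sni is None else policy.get(sni.lower(), default)


def server_side_client_hello(client_record: bytes, forward_sni: bool) -> bytes:
    """Build the ClientHello the front end sends to the real server over HTTPS (Step 3).

    With SNI forwarding the client's host name is copied into the new hello; without it
    the server receives no SNI and falls back to its default certificate.
    """
    sni = extract_sni(client_record) if forward_sni else None
    return build_client_hello(sni)
```

On a live deployment the same check is done from a client with `openssl s_client -connect <vip>:443 -servername www.example.com` and again without `-servername`: the certificate returned should be the SNI policy member in the first case and the server policy's own certificate in the second. A packet capture on the FortiWeb-to-server leg should show the server_name extension in the first handshake record once Step 3 is applied; extract_sni() can be run over that record to confirm the host name was forwarded.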

--------------------------------------------------------------------------------------------------------

 
