SNI TLS Extension

Server Name Indication (SNI) is an extension to the TLS protocol by which a TLS client indicates, at the start of the handshake, which hostname it is attempting to connect to. This allows a TLS web server to present multiple certificates and serve multiple secure (HTTPS) websites on the same IP address and TCP port without requiring all of those websites to share a single certificate.

SNI is supported only when ICS is acting as a TLS client. ICS sends the SNI server_name extension only when the backend server is accessed using a hostname, not an IP address. If the backend server has SNI capability, it responds with the certificate matching the hostname sent in the SNI server_name extension; otherwise it responds with its default certificate.

Some backend web servers have a strict SNI capability that does not allow a TLS connection when the SNI server_name extension is not sent in the TLS handshake. Such backends will reject the connection when ICS (PCS) accesses them using an IP address, because no SNI extension is sent in that case.

The following table lists the ICS-supported TLS backend applications and whether each one sends SNI when connecting to its backend:

ICS Supported TLS Backend Applications that Support or Do Not Support SNI

Backend Application    SNI Supported
Rewriter               Yes
PTP                    Yes
SAML                   Yes
JSAM                   Yes
PSAM                   Yes
Pulse One              Yes
License Server         Yes
CRL                    Yes
ActiveSync             Yes
Syslog                 Yes
SCEP                   Yes
OCSP                   No
LDAPS                  No
PushConfig             No

For the applications marked "No" (OCSP, LDAPS, PushConfig), no SNI server_name extension is sent even when the backend is configured by hostname, so a backend with strict SNI enabled will reject those connections; such backends must be configured to accept connections without SNI or to serve a default certificate.