Reset Search
 

 
Article

KB40489 - Support for Server Name Indication (SNI) on Pulse Connect Secure device

Printable View
« Go Back

Information

 
Last Modified Date11/16/2020 8:59 PM
Synopsis
This article provides information regarding the Pulse Connect Secure support for Server Name Indication (SNI) 
Problem or Goal
If the backend web server has the Server Name Indication(SNI) enabled and the resource is accessed via Core access mechanism, end users will not be able to access the web resource resulting with the error message: 
​Cannot establish a secure connection to the URL. Check if this connection 
requires 'http:' instead of 'https:'. If the problem persists, contact your 
system administrator. Made https request for GET / HTTP/1.1 to <host>:<port>
Cause
To identify if SNI is enabled on the backend web server, take a direct wire shark capture by accessing the web resource. Below snippet is an example where the “Server Name Indication extension “ is present on the Server Hello message. 
Handshake Protocol: Server Hello 
Version: TLS 1.2 (0x0303) 
Random 
GMT Unix Time: Sep 15, 2016 18:39:01.000000000 India Standard Time 
Random Bytes: 8b689cd5869c16539eef7e3351e0e5b73261614de7234276... 
Session ID Length: 0 
Cipher Suites Length: 56 
Cipher Suites (28 suites) 
Compression Methods Length: 1 
Compression Methods (1 method) 
Extensions Length: 85 
Extension: server_name 
Type: server_name (0x0000) 
Length: 32 
Server Name Indication extension
Solution
Starting from 8.3R1 release, PCS supports the use of Server Name Indication (SNI) SSL extension when communicating to a backend resource. SNI is typically enabled on backend servers (i.e. Atlassian Cloud login, Office 365 login page, etc)  to support multiple hostnames on the same IP address without having to resort to wildcard certificates.

SNI support is enabled for
  1. Rewriter
  2. PTP
  3. SAML
  4. JSAM
  5. WSAM
  6. Pulse One
  7. License server
  8. CRL
  9. ActiveSync
  10. Syslog
  11. SCEP
For more information, refer to the admin guide.

SNI is not supported until the following scenarios:
  1. OCSP
  2. LDAPS
  3. PushConfig
  4. Pulse Desktop Client connecting to load balancer, proxy or other intermediate software that required SNI (i.e CloudFlare Proxy, etc)
Related Links
Attachment 1 
Created ByHarsha Vardhan

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255