charite
Contributor

Create an LB Service Monitor for HTTPS with SNI


Hello,

Is it possible to create an NSX Edge Load Balancer Service Monitor that is able to monitor a web server with different websites/certificates/SNI?

I have no idea how to configure the Service Monitor for a specific website/DNS name.

Thanks!


4 Replies
lhoffer
VMware Employee

Yes, you can specify a URL/path when you create a service monitor to point to different pages on the same server, as shown below. The main limitation is that you can only have one service monitor per pool, so you'd need to have the same server(s) be member(s) of multiple pools (one for each path you want to check).

[Screenshot of the service monitor configuration]

You can also set and look for other things in the request/response of the health check, as detailed in the Create a Service Monitor section of the admin guide.

charite
Contributor

Thank you! But in my case, the websites are not called by different URLs/paths.

The servers use SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) to select the right website.

I also tried the header option (https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-F5546977-F0A6-43...) in the extension field (header="Host: app1.xyz.com").

Thanks.

lhoffer
VMware Employee

Got it. Unfortunately NSX-V doesn't support SNI today, so it doesn't sound like you'll be able to query the individual pages on the backend servers in this case; none of the HTTP headers you can add in existing service monitors will be visible to the server if they don't use the right certificate to try to decrypt the traffic.

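Whether a health probe actually carries SNI can be verified on the backend rather than inferred: capture the ClientHello the load balancer sends (for example with tcpdump on port 443) and look for the server_name extension. That extension is sent in cleartext before the server picks a certificate, whereas the Host header travels inside the encrypted HTTP request and so cannot influence certificate selection. The Python below is an added example for this thread, not NSX code or anything posted above: it builds a minimal TLS 1.2 ClientHello with and without the server_name extension (RFC 6066) and parses the name back out of the raw record, which is what you would run over a captured probe. The hostname app1.xyz.com is taken from the question above; the cipher suite and the fixed "random" bytes are constructed sample values.

```python
"""Build a minimal TLS ClientHello with or without SNI, and parse SNI back out.

Added example for the NSX-V SNI health-monitor thread; constructed sample data.
"""
import struct

HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    Constructed sample: a fixed 32-byte 'random', one cipher suite, null
    compression. With server_name, a server_name extension is appended; without
    it no extensions block is sent at all, which is how a probe that does not
    support SNI looks on the wire.
    """
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += bytes(range(32))            # random (fixed, constructed sample)
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x02" + b"\xc0\x2f"   # cipher_suites: one entry (sample)
    body += b"\x01\x00"                 # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerNameList with a single host_name (type 0) entry
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return header + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension,
    or None if the ClientHello carries no SNI.

    Raises ValueError if the bytes are not a handshake record with a ClientHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                    # skip handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    if pos >= len(hs):
        return None                     # no extensions block: no SNI possible
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:          # host_name
                return data[p:p + name_len].decode("idna")
            p += name_len
    return None


if __name__ == "__main__":
    # A probe without SNI reaches only the server's default virtual host.
    print("no SNI  ->", extract_sni(build_client_hello()))
    print("with SNI->", extract_sni(build_client_hello("app1.xyz.com")))
```

To apply this to a real capture, feed `extract_sni` the first TLS record of the probe's TCP stream; `None` confirms the monitor is not sending SNI, in which case the Host header in the extension field cannot steer the backend to the right certificate or site.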

charite
Contributor

Thank you for the clarification.

I thought there was a way; in some older NSX documentation (https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-F5546977-F0A6-43E0-...) I found an option for SNI, but without a detailed description.
