
I have a NetScaler which is mainly acting as an SSL bridge for a bunch of sites. I would like to see every requested hostname that is going to the NetScaler, but I am unable to fix it.

The hostname is not encrypted in the SSL session, so I should be able to see the hostname even though I use SSL_BRIDGE, right?

At the moment I am using a responder policy which logs all source IPs, but I'd like to add the hostname to the logging as well.

Is there anyone that can help me with this and get me on the right track?

krt

1 Answer


I'm not sure this can be done on the NetScaler.

You wrote:

The hostname is not encrypted in the SSL session

A passive man-in-the-middle (like your NetScaler running in SSL_BRIDGE mode) can observe the servername only during SSL session setup.

Namely inside the SSL/TLS "SNI" (Server Name Indication) extension. (And some firewalls use SNI to block HTTPS hosts.)

In every packet afterwards the name is NOT exposed anymore.

And I don't know if NetScaler allows you to access that information.

At least on my 10.5 box there is no such option. [Screenshot of NS expression builder]

Also no luck in the 11.0 documentation for the Client.SSL context. (Archived here.)

I suggest you try asking this question on the NetScaler ADC forum. Maybe they will have a more definitive answer.

StackzOfZtuff