This topic lists the security-related documentation for NSX Advanced Load Balancer and summarizes what each page covers.

What to read next

Overview of NSX Advanced Load Balancer Security: This section focuses on the security of the NSX Advanced Load Balancer Service Engines and Controllers.

SSL Certificates: NSX Advanced Load Balancer supports terminating client SSL/TLS connections at the virtual service. Termination requires the virtual service to present a certificate that authenticates the site to clients and establishes the encrypted session.

Multi-level Domain Support for SSL: NSX Advanced Load Balancer SSL support includes multi-level domain name support, which allows a pool to be configured with a list of domain names for server certificate verification. During SSL session setup between a back-end server and the Service Engine (SE), the SE checks the server's certificate for the domain names listed in the pool. If any of the listed domain names is found in the certificate, the SSL session is allowed; if the certificate presented by the back-end server contains none of the listed domain names, the SSL session is refused. This check applies to the SE-to-server (back-end) session, not to the client-facing termination.

OCSP Stapling in NSX Advanced Load Balancer: Online Certificate Status Protocol (OCSP) stapling is an extension of OCSP in which the server presents a signed, time-stamped OCSP response for its own certificate alongside the certificate itself, so the client can check revocation status without contacting the OCSP responder. This section discusses OCSP stapling in detail.

Client SSL Certificate Validation: This section explains the application profile and PKI profile configuration used to validate client certificates.

Client-IP-based SSL Profiles: To terminate client SSL connections, both an SSL profile and an SSL certificate must be assigned to the virtual service. NSX Advanced Load Balancer can accommodate a broader set of security needs within a client community by associating multiple SSL profiles with a single virtual service and letting the Service Engines choose a profile based on the client's IP address.
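The multi-level domain check above, as an added illustration (this is not NSX Advanced Load Balancer code): the pool's configured names are assumed to be a plain list of strings, the back-end certificate is assumed to be in the dictionary form Python's ssl.SSLSocket.getpeercert() returns, and name matching follows RFC 6125 (case-insensitive, wildcard only as the whole leftmost label, subject CN used only when the certificate carries no DNS SAN). The certificates and pool below are constructed sample data.

```python
"""Server-certificate domain check of the kind the Service Engine performs
during back-end SSL setup. Added illustration, not NSX ALB code.

Assumptions: pool domain names are a list of strings; the certificate is the
dict shape returned by ssl.SSLSocket.getpeercert(); matching follows RFC 6125."""

from typing import Iterable, List, Optional


def cert_dns_names(cert: dict) -> List[str]:
    """Names the certificate is valid for: every dNSName SAN entry, falling
    back to the subject commonName only when no DNS SAN is present."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate name against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must cover exactly one
    # label (*.example.com matches a.example.com but not example.com or
    # a.b.example.com), and must not sit directly under a TLD (*.com).
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def pool_allows_server_cert(pool_domain_names: Iterable[str], cert: dict) -> Optional[str]:
    """Return the first configured pool domain name found in the certificate,
    or None when none match (the SE would then refuse the SSL session)."""
    cert_names = cert_dns_names(cert)
    for wanted in pool_domain_names:
        for have in cert_names:
            if _label_matches(have, wanted):
                return wanted
    return None


# Constructed sample certificates (dictionaries, not real certificates).
CERT_MULTI_SAN = {
    "subject": ((("commonName", "api.internal.example.com"),),),
    "subjectAltName": (("DNS", "api.internal.example.com"), ("DNS", "*.backend.example.net")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}

# Constructed pool configuration: the multi-level domain name list.
POOL_DOMAINS = ["app.backend.example.net", "api.internal.example.com"]

if __name__ == "__main__":
    print(pool_allows_server_cert(POOL_DOMAINS, CERT_MULTI_SAN))  # app.backend.example.net
    print(pool_allows_server_cert(POOL_DOMAINS, CERT_CN_ONLY))    # None -> session refused
```

The wildcard rules matter in practice: a back-end certificate for *.backend.example.net satisfies a pool entry of app.backend.example.net, but not backend.example.net or a.b.backend.example.net, so a pool configured with a bare apex name will be refused by a wildcard-only certificate.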
SSL/TLS Profile: NSX Advanced Load Balancer can terminate SSL connections between the client and the virtual service, and can encrypt the connections between NSX Advanced Load Balancer and the back-end servers.

SSL Client Cipher in Application Logs on NSX Advanced Load Balancer: NSX Advanced Load Balancer can capture details of the SSL client's cipher suites in the application logs. It records the cipher suites offered by the client in the ClientHello, and the cipher suite actually used to establish the SSL connection with the virtual service is also available in the application log.

Server Name Indication: Server Name Indication (SNI) is a method of virtual hosting multiple domain names on a single SSL-enabled virtual IP. One VIP is advertised for multiple virtual services. When a client connects to the VIP, NSX Advanced Load Balancer begins the SSL/TLS negotiation and selects a virtual service and its SSL certificate only after the client has requested the site by name through the server_name extension of the TLS ClientHello. If the requested domain name is configured on the virtual IP, the matching certificate is returned to the client and the connection is bound to the corresponding virtual service.

True Client IP in L7 Security Features: This section discusses the advantages of using True Client IP and how to configure it.

App Transport Security: With iOS 9 and later, Apple mandates minimum security settings to comply with its App Transport Security (ATS) standard. To meet this level of SSL security for applications proxied by NSX Advanced Load Balancer, use the SSL/TLS certificate and SSL/TLS profile settings given in that section.

Venafi Integration: NSX Advanced Load Balancer can be integrated with the Venafi Trust Protection Platform™ (TPP) to automate SSL/TLS certificate life-cycle management. All certificates are protected and controlled through TPP, and the process is transparent to the NSX Advanced Load Balancer Controllers.
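The two ClientHello-driven behaviours above, cipher logging and SNI-based virtual service selection, both depend on reading fields out of the client's first TLS message. The following added example (not NSX Advanced Load Balancer code) parses a raw TLS ClientHello record to extract the offered cipher suites and the server_name extension, then maps the SNI name to a virtual service with a fallback for clients that send no SNI or an unknown name. The builder, the SNI-to-virtual-service table, the virtual service names and the IANA cipher-suite name table are constructed for the example; only standard-library modules are used.

```python
"""Extract cipher suites and SNI from a TLS ClientHello and pick the virtual
service by SNI. Added illustration, not NSX ALB code; the builder exists only
so the example runs offline on a constructed record."""

import struct
from typing import Dict, List, Optional

# IANA cipher-suite code points, enough to label the sample.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(server_name: Optional[str], cipher_suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                               # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry                    # server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni       # extension type 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Return {'version', 'cipher_suites', 'server_name'} from a ClientHello
    record; raise ValueError for anything that is not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                                          # random
    pos += 1 + body[pos]                                               # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                               # compression methods
    server_name = None
    if pos + 2 <= len(body):                                           # extensions block is optional
        ext_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", body, pos); pos += 4
            if ext_type == 0x0000 and ext_size >= 5:
                # list length (2) + name_type (1) + name length (2) + name
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                server_name = body[pos + 5:pos + 5 + name_len].decode("idna")
            pos += ext_size
    return {"version": version, "cipher_suites": suites, "server_name": server_name}


def select_virtual_service(server_name: Optional[str], sni_table: Dict[str, str], default: str) -> str:
    """Map the SNI name to a virtual service; fall back to the default (parent)
    virtual service when the client sent no SNI or an unknown name."""
    if server_name is None:
        return default
    return sni_table.get(server_name.lower(), default)


def log_fields(record: bytes, sni_table: Dict[str, str], default: str) -> Dict[str, object]:
    """The fields an application-log entry for this connection would carry."""
    hello = parse_client_hello(record)
    return {
        "vs": select_virtual_service(hello["server_name"], sni_table, default),
        "sni": hello["server_name"],
        "client_ciphers": [CIPHER_NAMES.get(c, "0x%04X" % c) for c in hello["cipher_suites"]],
    }


# Constructed SNI-to-virtual-service table and virtual service names.
SNI_TABLE = {"shop.example.com": "vs-shop", "api.example.com": "vs-api"}

if __name__ == "__main__":
    hello = build_client_hello("shop.example.com", [0x1301, 0xC02F, 0x002F])
    print(log_fields(hello, SNI_TABLE, "vs-default"))
```

Logging the offered cipher list, not just the negotiated one, is what makes it possible to tell which clients would break before removing a weak suite such as TLS_RSA_WITH_AES_128_CBC_SHA from a profile.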