Support for dynamic SNI on the back end

Article ID: CTX251332

Description

Point to Note:

  • SNI must be enabled on the front end and the correct SNI certificate bound to the SSL virtual server. If you don’t enable SNI on the front end, the SNI information is not passed to the back end.

  • When server authentication is enabled, the server certificate is verified by the CA certificate and common name/SAN entries in the server certificate are matched with the SNI. Therefore, the CA certificate must be bound to the service.

  • Reuse of back-end connection and SSL session is based on SNI when dynamic SNI is enabled.

SSL monitors do not send SNI when dynamic SNI is enabled. For SNI-based probing, attach to the SSL monitor a back-end profile on which static SNI is configured. The monitor must be configured with the same custom header as the SNI.
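The check described in the second note (server certificate CN/SAN entries matched against the SNI) and the SNI-aware probing that the built-in monitor cannot do, as an added example; this is not Citrix code, and the wildcard and SAN-precedence rules below follow RFC 6125 conventions, which are assumed to be equivalent to the appliance's own rules.

```python
import socket
import ssl

# Constructed sample certificate, in the dict layout that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "backend.example.internal"),),),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.api.example.com")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the SNI host name.
    Comparison is case-insensitive; a wildcard is honoured only as the whole
    leftmost label and never for a bare second-level name (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def sni_matches_cert(sni: str, cert: dict) -> bool:
    """Return True when the server certificate is valid for the SNI that was sent.
    DNS subjectAltName entries are authoritative; the subject commonName is only
    consulted when the certificate carries no DNS SAN at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(name, sni) for name in dns_names)


def probe_backend(host: str, port: int, sni: str, cafile: str, timeout: float = 5.0) -> bool:
    """SNI-aware probe of a back-end server (network call, not exercised offline).
    The chain is verified against `cafile`; the CN/SAN check is done by
    sni_matches_cert so the result mirrors the server-authentication rule above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # hostname matching is performed by sni_matches_cert
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return sni_matches_cert(sni, tls.getpeercert())
```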

Configure SNI on the back-end service by using the CLI

At the command prompt, type:

    add service <name> <IP> <serviceType> <port>
    add lb vserver <name> <IPAddress> <serviceType> <port>
    bind lb vserver <name> <serviceName>
    set ssl service <serviceName> -SNIEnable ENABLED -commonName <string>
    set ssl profile <name> -SNIEnable ENABLED

Configure SNI on the back-end service by using the GUI

    Navigate to Traffic Management > Load Balancing > Services.
    Select an SSL service, and in Advanced Settings, click SSL Parameters.
    Click SNI Enable.

Issue/Introduction

The Citrix ADC appliance supports dynamic SNI on the back-end TLS connections. That is, the appliance learns the SNI in the client connection and uses it in the server-side connection. You no longer need to specify a common name in the SSL service, service group, or profile. The common name received in the SNI extension of the Client Hello message is forwarded to the back-end SSL connection.

Additional Information

https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-36-27.html