OAG: AWS Firewall Domain AllowList
Access Gateway
Okta Classic Engine
Okta Identity Engine
Overview

By default, the Okta Access Gateway (OAG) appliance does not send the Server Name Indication (SNI) field in the TLS client hello when it establishes a TLS connection.

Applies To
  • Okta Access Gateway (OAG)
Cause

According to the AWS documentation:

  • "For HTTPS traffic, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname, or domain name, that the client is trying to connect to."

Because the SNI field is missing, a Network Firewall domain allowlist cannot match the hostname. The directives that make OAG send the SNI field are not enabled by default.

Solution

Under the root application policy, add the following directives:

proxy_ssl_name $host;        # use the requested hostname as the SNI value
proxy_ssl_server_name on;    # send the SNI extension in the upstream TLS client hello

