Citrix Netscaler SSL Setup

001 Netscaler SSL Setup Overview

The NetScaler appliance provides several methods for handling SSL/TLS traffic, each with a different approach to encryption and decryption. 

Here is a summary of the three NetScaler SSL deployment modes:

SSL offloading:

With SSL offloading, the NetScaler appliance terminates the secure SSL/TLS connection from the client and decrypts the traffic. It then forwards the traffic to the backend server as unencrypted HTTP. 

  1. A client initiates a secure HTTPS connection to the NetScaler.
  2. The NetScaler uses its own SSL certificate to decrypt the traffic.
  3. The appliance forwards the request to the backend server over a standard, unencrypted HTTP connection.
  4. The server responds via HTTP to the NetScaler, which then re-encrypts the data and sends it back to the client.

SSL bridging:

SSL bridging is a configuration that maintains end-to-end encryption from the client to the backend server, but allows the NetScaler to decrypt and inspect the traffic in between.

  1. The client establishes an HTTPS connection with the NetScaler, which has its own SSL certificate.
  2. The NetScaler decrypts the incoming traffic.
  3. The appliance inspects the clear-text data for Layer 7 functions (e.g., load balancing, content inspection).
  4. The NetScaler then initiates a new, separate HTTPS connection to the backend server, re-encrypting the traffic using the server’s own SSL certificate.

End-to-end SSL:

This term can refer to the SSL bridging configuration described above, where the traffic is encrypted for the entire journey from client to server. However, the simplest form of end-to-end SSL is a pass-through configuration, sometimes also called “SSL bridge,” where the NetScaler does not participate in the encryption process at all.

  1. A client initiates an HTTPS connection to the NetScaler.
  2. The NetScaler forwards the encrypted traffic directly to the backend server without any decryption.
  3. The backend server is responsible for decrypting the traffic using its own SSL certificate.

002 Deploying SSL Offload

Prerequisites for configuring SSL offloading:

1. The SSL certificate and private key
2. The Virtual IP (VIP) address
3. Service configuration details
4. A list of backend servers

Configuring using GUI:
1. Create a Load Balancing Virtual Server

2. Bind the services

3. Generate a self-signed certificate for a VIP

  1. Create a private key (Traffic Management > SSL > SSL Files)
  2. Create a Certificate Signing Request (CSR) 
  3. Download the CSR
  4. Use a Linux server with OpenSSL to sign the Certificate Signing Request (CSR) from your NetScaler:
    • Generate a root key for your CA – openssl genrsa -aes256 -out ca.key 2048
    • Create a self-signed root certificate for your CA – openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
    • Sign the NetScaler's CSR – openssl x509 -req -in client1_vip_csr.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out vip_cert.cer -days 365 -sha256
  5. Install the certificates on the NetScaler
    • Transfer the two new files, vip_cert.cer and ca.pem, to the NetScaler
    • Install ca.pem as a CA certificate, and vip_cert.cer together with the private key created in step 1 as the server certificate
  6. Link your new server certificate to the CA certificate you just installed. This establishes the chain of trust for your internal PKI.
  7. Bind the new certificate-key pair to your SSL virtual server. 
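The CSR-signing step above, scripted and followed by the two checks worth running before the files go onto the NetScaler: that vip_cert.cer chains to ca.pem and that it carries the VIP's DNS name as a subjectAltName. This is an added example, not code from the original post; it assumes openssl is installed, takes the CA passphrase from a CA_PASS variable with a constructed default, and uses a locally generated stand-in CSR (make_stub_csr) in place of the one downloaded from the NetScaler so that it runs offline.

```sh
#!/bin/sh
# Added example, not the post's own code: scripts step 4 of section 002 and adds
# pre-upload checks. Assumptions: openssl in PATH; CA passphrase from CA_PASS
# (constructed default); make_stub_csr stands in for the CSR downloaded from the NetScaler.
set -eu
CA_PASS="${CA_PASS:-replace-me-ca-passphrase}"   # constructed placeholder, never ship this

# Steps 4a/4b of the post: AES-256 encrypted root key and self-signed root certificate.
make_ca() {   # make_ca <dir>
  openssl genrsa -aes256 -passout pass:"$CA_PASS" -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -passin pass:"$CA_PASS" -sha256 -days 3650 \
    -subj "/CN=Internal Lab Root CA" -out "$1/ca.pem" 2>/dev/null
}

# Constructed stand-in for the CSR the post downloads from the NetScaler (steps 2/3).
make_stub_csr() {   # make_stub_csr <dir> <fqdn>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/vip.key" -subj "/CN=$2" \
    -out "$1/client1_vip_csr.csr" 2>/dev/null
}

# Step 4c, plus an extension file: without DNS:<fqdn> in subjectAltName the chain
# verifies but clients still reject the certificate for the VIP's name (CN is ignored).
sign_vip_csr() {   # sign_vip_csr <dir> <csr> <fqdn>  -> writes <dir>/vip_cert.cer
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" > "$1/vip.ext"
  openssl x509 -req -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" -passin pass:"$CA_PASS" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/vip.ext" -out "$1/vip_cert.cer" 2>/dev/null
}

# Pre-upload checks; both return 0 on success so they can gate the install step.
verify_chain() {   # verify_chain <dir>: does vip_cert.cer chain to ca.pem (what step 6 links)?
  openssl verify -CAfile "$1/ca.pem" "$1/vip_cert.cer" >/dev/null 2>&1
}
has_san() {   # has_san <dir> <fqdn>: is the VIP name present as a DNS SAN?
  openssl x509 -in "$1/vip_cert.cer" -noout -text | grep -qF "DNS:$2"
}

main() {   # usage: sh sign_vip.sh [vip-fqdn]
  dir=$(mktemp -d); fqdn="${1:-client1-vip.lab.example}"
  make_ca "$dir"
  make_stub_csr "$dir" "$fqdn"
  sign_vip_csr "$dir" "$dir/client1_vip_csr.csr" "$fqdn"
  if verify_chain "$dir" && has_san "$dir" "$fqdn"; then
    echo "OK: install $dir/vip_cert.cer (server cert) and $dir/ca.pem (CA cert) on the NetScaler"
  else
    echo "FAIL: fix the certificate before installing it" >&2; exit 1
  fi
}
main "${1:-}"
```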

Result:

003 Deploying SSL Bridge

One key point to remember is that when performing SSL bridging (passthrough), the backend servers must have valid SSL certificates installed, because the NetScaler does not terminate the TLS session and the client validates the backend's certificate directly.

enable ns feature LB

# Backend servers
add server s1 192.0.2.100
add server s2 192.0.2.200

# Client 1 services, pointing to the backend SSL port 8888
add service client1_svc1 s1 TCP 8888
add service client1_svc2 s2 TCP 8888

# Client 2 services, pointing to the backend SSL port 9999
add service client2_svc1 s1 TCP 9999
add service client2_svc2 s2 TCP 9999

# TCP vServer for SSL passthrough (client 1); the appliance never decrypts this traffic
add lb vserver client1_vip TCP 10.99.99.10 443
bind lb vserver client1_vip client1_svc1
bind lb vserver client1_vip client1_svc2

# TCP vServer for SSL passthrough (client 2); it needs its own VIP, since
# 10.99.99.10:443 is already in use. 10.99.99.20 is a placeholder for your second VIP.
add lb vserver client2_vip TCP 10.99.99.20 443
bind lb vserver client2_vip client2_svc1
bind lb vserver client2_vip client2_svc2

Configuring using GUI:

1. Traffic Management > Load Balancing > Servers

2. Traffic Management > Load Balancing > Services > Services

3. Traffic Management > Load Balancing > Virtual Servers

Result:
