SSL Virtual Servers-CSDN博客

Navigation

This page contains generic SSL instructions for all SSL-based Virtual Servers, including: Load Balancing, Citrix Gateway, Content Switching, and AAA.

Change Log
Preparation:
- Custom Cipher Group
- Strict Transport Security Rewrite Policy
- SSL Profiles – Default and Custom
SSL vServer Configuration – Bind Cert, Ciphers, ECC, and enable HSTS
SSL Test
SSL Redirect Methods:

? = Recently Updated

Change Log

2019 Mar 4 – SSL Redirect – Responder Method – changed AlwaysUp service IP to a fake IP instead of a loopback IP
2018 Dec 2 – Custom Cipher Group – added TLS 1.3 ciphers
2018 Sep 27 – added link to Netscaler SSL Protocol’s Used (SSLv3, TLS1.0, etc) at Citrix Discussions.
- Updated several screenshots for ADC 12.1
2018 May 19 – updated Custom Cipher Group with info from Citrix Blog Post Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update
2018 Feb 1 – In SSL Profiles section, add conversion script info from Enabling the Default Profiles at Citrix Docs

Custom Cipher Group

NetScaler 12.0 build 59 and newer have TLS 1.2 ciphers in the DEFAULT_BACKEND cipher group. Prior builds of NetScaler 12.0 do not include these ciphers.

References:

Citrix Blog Post Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update
Ciphers available on the Citrix ADC appliances at Citrix Docs
Ryan Butler has a PowerShell script at Github that can automate NetScaler SSL configuration to get an A+

To get an A+ at SSL Labs, create a custom secure cipher group:

Enable SSL Secure Renegotiation.
1. On the left, go to Traffic Management > SSL.
2. On the right, in the right column, click Change advanced SSL settings.
3. Find Deny SSL Renegotiation, and set the drop-down to NONSECURE.
4. Scroll down and click OK.
```
set ssl parameter -denySSLReneg NONSECURE
```

The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update for cipher group CLI commands. Putty (SSH) to the NetScaler and paste the following commands.

Note: The TLS 1.3 ciphers are not in the Citrix Blog Post. If your NetScaler build supports TLS 1.3, then you can add TLS 1.3 ciphers to the cipher group. Make sure the TLS 1.3 ciphers listed first (top of the list).

add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA

Or you can create the cipher group using the GUI.
1. Go to Traffic Management > SSL > Cipher Groups.
  1. On the right, click Add.
  2. Name it SSL Labs or similar.
  3. In the middle, click Add.
  4. Use the search box to find a particular cipher.
  5. Check the box next to one of the results, and click the arrow to move it to the right.
  6. For TLS 1.3 support, add the TLS 1.3 ciphers first.
  7. Then add the ciphers from Citrix Blog Post Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update.
  8. Use the up and down arrows to order the ciphers. NetScaler prefers the ciphers on top of the list, so the ciphers at the top of the list should be the most secure ciphers (TLS 1.3).
2. Click Create when done.

Strict Transport Security – Rewrite Policy Method

To get an A+ at SSLLabs.com, you need to insert the Strict-Transport-Security HTTP header in the responses. NetScaler Rewrite Policy is one method of doing this. Another method is to enable HSTS in an SSL Profile, or enable it in SSL Parameters on a SSL vServer.

To create a Rewrite Policy that inserts the Strict-Transport-Security HTTP header:

On the left, expand AppExpert, right-click Rewrite, and click Enable Feature.
Create the Rewrite Action:
1. Go to AppExpert > Rewrite > Actions.
2. On the right, click Add.
3. Name the action insert_STS_header or similar.
4. The Type should be INSERT_HTTP_HEADER.
5. The Header Name should be Strict-Transport-Security.
6. The Expression should be the following:
```
"max-age=157680000"
```
7. Click Create.
Create the Rewrite Policy:
1. On the left, go to AppExpert > Rewrite > Policies.
2. On the right, click Add.
3. Name it insert_STS_header or similar.
4. Select the previously created Action.
5. In the Expression box, enter HTTP.REQ.IS_VALID.
6. Click Create.
Now you can bind this Rewrite Response policy to HTTP-based SSL vServers.
1. When editing an SSL vServer (Gateway vServer, Load Balancing vServer, etc.), if the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
2. On the left, in the Policies section, click the plus icon.
3. Change the Choose Policy drop-down to Rewrite.
4. Change the Choose Type drop-down to Response, and click Continue.
5. Click where it says Click to select.
6. Click the radio button next to insert_STS_header, and click Select.
7. Click Bind.

enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Profiles – Custom and Default

You can use SSL Profiles to package several SSL settings together, and apply the settings package (Profile) to SSL-based Virtual Servers and SSL-based Services. These SSL settings include:

Disable SSLv3
Bind secure ciphers
Bind ECC curves
Enable HSTS (Strict Transport Security), etc.

There are default SSL Profiles, and there are custom SSL Profiles. The default SSL Profiles are disabled by default, because they would impact every SSL-based Virtual Server and Service on the appliance. Once default SSL Profiles are enabled, you cannot disable the default SSL Profiles.

Some features of custom SSL Profiles require default SSL Profiles to be enabled. For example, you cannot configure ciphers in a custom SSL Profile unless the default SSL Profiles are enabled.

Default SSL Profiles are intended to provide a baseline SSL configuration for all newly created SSL Virtual Servers and SSL Services. You can still create Custom SSL Profiles to override the Default SSL Profiles.

Enabling the default SSL profile will wipe out any SSL configuration on SSL entities (e.g. SSL Virtual Servers) that do not have a custom SSL profile bound. Citrix offers a script that can read your existing SSL entity SSL configuration and convert them to custom SSL Profiles. See Enabling the Default Profiles at Citrix Docs. The default_profile_scriptcan be downloaded from an individual NetScaler ADC firmware download page under Additional Components. The commands output by the script won’t work until the default SSL Profile is enabled. ?

To enable Default SSL profiles

Enabling Default SSL Profiles is irreversible.

Make sure you are connected to the appliance NSIP using http, and not https.
Go to Traffic Management > SSL.
On the right, in the right column, click Change advanced SSL settings.
Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window.
Click OK to close Change Advanced SSL Settings.
If you go back into Change Advanced SSL Settings, notice that the Default Profile is enabled, and there’s no way to disable it.

To create a custom SSL Profile

On the left, expand System, and click Profiles.
On the right, switch to the SSL Profile tab.
1. Click Add.
2. Enter a name.
3. Change the SSL Profile Type to FrontEnd or BackEnd.
4. Configure SSL Profile settings as desired (see below for some recommendations).
After the SSL Profile is created, edit any SSL-based Virtual Server.
1. On the right, in the Advanced Settings column, click SSL Profile to add the section.
2. On the left, scroll down to the SSL Profile section, and select an SSL Profile. Click OK to close the SSL Profilesection.

Recommended SSL Profile Settings

On the left, expand System, and click Profiles.
On the right, switch to the SSL Profile tab.
Either create a new SSL Profile, or edit the default frontend or backend profile. This section focuses on a FrontEnd profile.
1. Frontend = client-side connections to SSL Virtual Servers.
2. Backend = server-side connections (SSL Services and Service Groups).
Click the pencil icon in the Basic Settings section.
1. Scroll all the way down to the Protocol section.
2. Notice that SSLv3 is already unchecked.
3. You can optionally uncheck TLSv1 and TLSv11.
4. TLSv13 is an option in NetScaler 12.1 build 49 and later. If you enable this, then make sure your cipher group includes TLS 1.3 ciphers.
  - To log SSL Protocol usage, see NetScaler SSL Protocol’s Used (SSLv3, TLS1.0, etc) at Citrix Discussions.
5. To enable Strict Transport Security (HSTS), scroll up a little, and check the box next to HSTS.
6. Enter 157680000 in the Max Age box.
7. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policyworks fine.
8. If you do any SSL Offload (SSL on the client side, HTTP on the server side), then you’ll need to enable SSL Redirect. It’s above HSTS. With this option enabled, any 301/302 redirects from the server with HTTP Location headers are rewritten to HTTPS Location headers. You might need this option for StoreFront load balancing if doing SSL Offload (port 80 to the StoreFront servers). Note: this setting might be more appropriate in a customSSL Profile instead of the default SSL Profile.
9. Click OK when done modifying the Basic Settings section.
Scroll down to the SSL Ciphers section, and click the pencil icon.
1. Click Remove All, and click OK. You must click OK before binding the custom cipher group.
2. Click the pencil icon again.
3. Click Add.
4. Scroll down, and select your custom cipher group (e.g. SSL Labs). Click the arrow to move it to the right.
  If you enabled TLS 1.3, then make sure your cipher group includes TLS 1.3 ciphers.
5. Click OK to close the Custom Ciphers section.
6. If you make changes to the Custom Cipher Group, then you might have to edit the SSL Profile, remove the Custom Cipher Group, and rebind it.

SSL vServers – Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

If you enabled the Default SSL Profiles feature, you can either leave the vServer configured with the Default SSL Profile; or you can change the vServer to use a Custom SSL Profile.

If you don’t use the Default SSL Profiles feature, then you’ll need to manually configure ciphers and SSL settings on every SSL vServer.

Do the following on every SSL vServer:

When creating an SSL Virtual Server (e.g. SSL Load Balancing vServer), on the left, in the Certificates section, click where it says No Server Certificate.
1. Click where it says Click to select.
2. Click the radio button next to a certificate ,and click Select.
3. Click Bind.
```
bind ssl vserver MyvServer -certkeyName MyCert
```
You can bind a Custom SSL Profile:
1. Find the SSL Profile section on the left, and click the pencil icon.
  1. If you don’t see the SSL Profile section on the left, then add the SSL Profile section from the Advanced Settings column on the right.
2. Select a Custom SSL Profile, and click OK.
If default SSL Profiles are not enabled:
1. On the left, in the SSL Parameters section, click the pencil icon.
2. Uncheck the box next to SSLv3.
3. Make sure TLSv12 is checked.
4. TLSv13 is an option in NetScaler 12.1 build 49 and higher. If you enable this, then make sure your cipher group includes TLS 1.3 ciphers.
5. You can optionally uncheck TLSv1 and TLSv11.
6. Click OK.
```
set ssl vserver MyvServer -ssl3 DISABLED -tls12 ENABLED
```
  - To log SSL Protocol usage, see Netscaler SSL Protocol’s Used (SSLv3, TLS1.0, etc) at Citrix Discussions.
7. If you didn’t bind an SSL Profile, scroll down to the SSL Ciphers section, and click the pencil icon.
8. Click Remove All, and click OK. You must click OK before binding the custom cipher group. In other words, you will need to click OK at least twice during the procedure.
9. Click the pencil icon again.
10. Change the selection to Cipher Groups.
11. Select your custom cipher group. It’s probably at the bottom of the list. If you enabled TLS 1.3, then make sure your cipher group includes TLS 1.3 ciphers. Then click OK.
```
unbind ssl vserver MyvServer -cipherName ALL
bind ssl vserver MyvServer -cipherName ssllabs-smw-q2-2018
```
SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version, then the ECC Curves might not be bound. If you are not using SSL Profile, then on the right, in the Advanced Settings column, click ECC Curve.
1. On the left, in the ECC Curve section, click where it says No ECC Curve.
2. Click where it says Click to select.
3. Click the radio button next to ALL, and click Select.
4. Click Bind.
```
bind ssl vserver MyvServer -eccCurveName ALL
```
If HSTS is not enabled in a bound SSL Profile, you can enable it in SSL Parameters, or you can enable it by binding a Rewrite policy.
To enable HSTS by configuring SSL Parameters:
1. On the left, find the SSL Parameters section, and click the pencil icon. This section is only present if DefaultSSL Profiles are not enabled. Don’t configure this if you bound a Custom SSL Profile.
2. In the right column, check the box next to HSTS.
3. Enter 157680000 in the Max Age box.
4. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policyworks fine.
5. Click OK to close SSL Parameters.
If enabling HSTS in an SSL Profile or SSL Parameters causes technical issues, then bind a Rewrite policy instead:
1. If the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
2. On the left, find the Policies section, and click the plus icon.
3. Change the Choose Policy drop-down to Rewrite.
4. Change the Choose Type drop-down to Response, and click Continue.
5. Click where it says Click to select.
6. Click the radio button next to the insert_STS_header policy, and click Select.
7. Click Bind.
```
bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
```

If you experience SSL performance problems on a NetScaler MPX, Citrix CTX207005 Performance Issues with NetScaler MPX SSL recommends creating and binding the following TCP Profile:

add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

SSL Tests

After you’ve created an SSL Virtual Server and configured SSL settings, run the following test:

Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Check the box next to Do not show the results on the boards.

SSL Redirect – Methods

There are typically three methods of performing SSL Redirect (http to https) in NetScaler:

Load Balancing Virtual Server Method – enable SSL Redirect directly on the Load Balancing Virtual Server. This is the easiest method.
- This option is not available for Gateway Virtual Servers and Content Switching Virtual Servers.
- There’s nothing in the GUI to indicate that the SSL Virtual Server is also listening on port 80.
Down vServer Method – create a new Load Balancing Virtual Server on Port 80, and configure the Redirect URL for when it is down.
- The Virtual Server must be DOWN for the Redirect to occur. These Virtual Servers are shown as Red instead of Green.
Responder Method – create a new Load Balancing Virtual Server on Port 80, and bind a Responder policy that redirects to https.
- The Responder policy only works if the Virtual Server is UP, which means it is shown as Green.
- Some setup tasks are required – create the AlwaysUP service, and create the Responder Policy. But once setup is complete, it only requires slightly more steps than the Down vServer method.

SSL Redirect – SSL Load Balancing vServer Method

You can configure SSL Redirect directly in an SSL Load Balancing vServer (port 443) instead of creating a separate HTTP (port 80) Load Balancing vServer.

Limitations:

This is only an option for SSL Load Balancing vServers; it’s not configurable in Gateway vServers or Content Switching vServers.
Only one Redirect URL can be specified. Alternatively, the Responder method can handle multiple FQDNs to one VIP (e.g. wildcard certificate) and/or IP address URLs.

To configure an SSL Load Balancing vServer to redirect from HTTP to HTTPS:

Edit the SSL Load Balancing vServer (port 443).
In the Basic Settings section, click the pencil icon.
Click More.
In the Redirect from Port field, enter 80.
In the HTTPS Redirect URL field, enter https://MyFQDN.
Click Continue twice.
When you view the list of Load Balancing Virtual Servers, there’s no indication that it’s listening on port 80.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP, but listens on HTTP 80, and then redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

To create the down Redirect Virtual Server:

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, right-click an SSL Virtual Server you’ve already created, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
Or, if you are redirecting NetScaler Gateway, create a new Load Balancing vServer with the same VIP as the Gateway.
Change the name of the Virtual Server to indicate that this new Virtual Server is an SSL Redirect.
Change the Protocol to HTTP on Port 80.
The IP Address should already be filled in. It must match the original SSL Virtual Server (or Gateway vServer). Click OK.
Don’t bind any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
On the right, in the Advanced Settings column, click Protection.
On the left, in the Protection section, in the Redirect URL field, enter the full URL including https://. For example: https://storefront.corp.com/Citrix/StoreWeb.
Click OK to close the Protection section.
Click Done.
When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s expected. The Port 80 Virtual Server must be DOWN for this redirect method to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

Responder Method Setup Tasks

Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers.
1. Go to Traffic Management > Load Balancing > Services.
2. On the right, click Add.
3. Name the service AlwaysUp or similar.
4. Enter a fake IP address. Try not to use any IP address owned by the Citrix ADC to avoid being able to access the ADC management web page.
5. Click the More link.
6. This dummy service must always be UP, so uncheck the box next to Health Monitoring.
7. Click OK, and then click Done to close the Load Balancing Service.
```
add server 1.1.1.1 1.1.1.1
add service AlwaysUp 1.1.1.1 HTTP 80 -healthMonitor NO
```
Create the Responder Action:
1. On the left, expand AppExpert, and click Responder.
2. If Responder feature is not enabled, right-click Responder, and click Enable Feature.
```
enable ns feature RESPONDER
```
3. Under Responder, click Actions.
4. On the right, click Add.
5. Give the action a name.
6. Change the Type to Redirect. If you leave this set to Respond With then it won’t work.
7. Enter an expression. The following expression redirects to https on the same URL the user entered in the browser. Or you can create a Responder Action with a more specific Target. Click Create.
```
"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
```
```
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
```
Create the Responder Policy:
1. On the left, under Responder, click Policies.
2. On the right, click Add.
3. Give the policy a name.
4. Select the previously created Responder action.
5. For the expression, enter the following. Then click Create.
```
HTTP.REQ.IS_VALID
```
```
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
```

Enable Redirect using Responder Policy

Create a Load Balancing Virtual Server with Protocol HTTP, and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.
Bind the AlwaysUp service.
1. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
2. Click where it says Click to select.
3. Check the box next to AlwaysUp, and click Select.
4. Click Bind.
5. Click Continue to close Services and Service Groups.
Bind the Responder Policy:
1. On the right, in the Advanced Settings column, click Policies.
2. On the left, scroll down to the Policies section, and click the plus icon in the top right of the Policies box.
3. Change the Choose Policy drop-down to Responder. Click Continue.
4. Click where it says Click to select.
5. Click the radio button next to the redirect Responder policy, and click Select.
6. Click Bind.
7. Then click Done to close the Load Balancing Virtual Server.
```
add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80

bind lb vserver storefront.corp.com-HTTP-SSLRedirect AlwaysUp

bind lb vserver storefront.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
```
The primary advantage of this method is that the Redirect Virtual Server is UP.