SSL Virtual Servers – NetScaler 11.1

Last Modified: Apr 15, 2017 @ 2:45 pm

This page contains generic SSL instructions for all SSL Virtual Servers including: Load Balancing, NetScaler Gateway, Content Switching, and AAA.


Cipher Group

References:

To create a custom secure cipher group:

  1. Ryan Butler has a PowerShell script at Github that can automate NetScaler SSL configuration to get an A+.
  2. The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for cipher group CLI commands.
  3. The last cipher is only needed for Windows XP machines. It doesn’t actually require SSL3. If you don’t need to support Windows XP, then skip that command.
    add ssl cipher custom-ssllabs-cipher
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName SSL3-DES-CBC3-SHA
  4. Or you can create the cipher group using the GUI. Go to Traffic Management > SSL > Cipher Groups.
  5. On the right, click Add.
  6. Name it Modern or similar.
  7. In the middle, click Add.
  8. Use the search box to find a particular cipher.
  9. Check the box next to one of the results and click the arrow to move it to the right. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for recommended ciphers. The recommended ciphers vary based on the hardware platform and support for older clients.
  10. Use the up and down arrows to order the ciphers. NetScaler prefers the ciphers on top of the list, so the ciphers at the top of the list should be the most secure ciphers.
  11. Click Create when done.

Strict Transport Security Rewrite Policy

To get an A+ at SSLLabs.com, you need to insert the Strict-Transport-Security HTTP header in the responses. NetScaler Rewrite Policy can do this.

  1. Go to AppExpert > Rewrite, right-click Rewrite, and click Enable Feature.
  2. Go to AppExpert > Rewrite > Actions.
  3. On the right, click Add.
  4. Name the action insert_STS_header or similar.
  5. The Type should be INSERT_HTTP_HEADER.
  6. The Header Name should be Strict-Transport-Security.
  7. The Expression should be the following:
    "max-age=157680000"

  8. Click Create.
  9. On the left, go to AppExpert > Rewrite > Policies.
  10. On the right, click Add.
  11. Name it insert_STS_header or similar.
  12. Select the previously created Action.
  13. In the Expression box, enter HTTP.REQ.IS_VALID.
  14. Click Create.
  15. Now you can bind this Rewrite Response policy to HTTP-based SSL vServers.
  16. When editing an SSL vServer, if the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
  17. In the Policies section on the left, click the plus icon.
  18. Select Rewrite > Response and click Continue.
  19. Then select the STS Rewrite Policy and click Bind.
enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

Default SSL Profile

You can use SSL Profiles to package several SSL settings together and apply the settings package (Profile) to SSL vServers and SSL Services. These settings include: disable SSLv3, bind ciphers, bind ECC curves, etc.

There are default SSL Profiles, and there are custom SSL Profiles. The default SSL Profiles are disabled by default. Once the default SSL Profiles are enabled, the default settings apply to all SSL vServers and all SSL Services, unless you bind a custom SSL Profile. Also, once default is enabled, it’s not possible to disable it.

If you enable the default SSL Profiles, then it’s not possible to configure SNI for backend (services and service groups).

To enable the Default SSL profiles:

  1. Make sure you are connected to the appliance using http and not https.
  2. Go to Traffic Management > SSL.
  3. In the right column, click Change advanced SSL settings.
  4. Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window. Click OK when done.
  5. If you go back into Advanced SSL Settings, notice that the Default Profile is enabled and there’s no way to disable it.
  6. To change the default SSL profile, on the left, go to System > Profiles.
  7. On the right, switch to the SSL Profile tab.
  8. Click the ellipsis next to the frontend or backend default profile and click Edit. Frontend = client-side connections to SSL vServers. Backend = server-side connections (SSL Services and Service Groups).
  9. Or you can create a new custom SSL profile.
  10. Notice that SSLv3 is disabled by default.
  11. If you do any SSL Offload (SSL on the client side, HTTP on the server side) then you’ll need to edit the Basic Settings section and enable SSL Redirect. Or you can create a new SSL Profile with this option enabled. It’s near the bottom of the section. With this option enabled, any 301/302 redirects from the server with HTTP locations are rewritten to HTTPS locations. You might need this option for StoreFront load balancing if doing SSL Offload.
  12. Scroll down to the SSL Ciphers section and click the pencil icon.
  13. Click Remove All and click OK. You must click OK before binding the custom cipher group.
  14. Click the pencil icon again.
  15. Click Add.
  16. Scroll down and select your custom cipher group. Then click the arrow to move it to the right. Then click OK.
  17. Click OK when you see the No usable ciphers message. Then click Done to close the SSL Profile.
  18. If you edit one of your SSL Virtual Servers (e.g. Load Balancing vServer), there’s an SSL Profile section indicating that the default profile is being used. You can change the binding to a different SSL Profile.
  19. SSL Profiles do not include forcing Strict Transport Security. You’ll still need to create the STS Rewrite Policy and bind it to every SSL vServer as detailed in the next section.

Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

Whether you use SSL Profiles or not, you need to bind certificates and STS Rewrite Policy to every SSL vServer.

If you enabled the Default SSL Profiles feature, you can either leave it set to the Default SSL Profile, or you can change it to a Custom SSL Profile. Or you can bind an SSL Profile without enabling the Default SSL Profiles. If you don’t use the SSL Profiles feature, then you’ll need to manually configure ciphers and SSL settings on every SSL vServer.

Do the following on every SSL vServer:

  1. When creating an SSL Virtual Server (e.g. SSL Load Balancing vServer), on the left, in the Certificates section, click where it says No Server Certificate.
  2. Click where it says Click to select.
  3. Select a certificate and click Select.
  4. Click Bind.

    bind ssl vserver MyvServer -certkeyName MyCert
  5. If you want to bind a custom SSL Profile, if Default SSL Profile is enabled, in the SSL Profile section on the left, click the pencil icon.
  6. If the SSL Profile section isn’t on the left, then on the right, in the Advanced Settings section, click SSL Profile.
  7. Select your custom SSL Profile and click OK.
  8. If you didn’t bind an SSL Profile, on the left, in the SSL Parameters section, click the pencil icon.
  9. Uncheck the box next to SSLv3. Make sure TLSv11 and TLSv12 are enabled. Click OK.

    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
  10. If you didn’t bind an SSL Profile, scroll down to the¬†SSL Ciphers section and click the pencil icon.
  11. Click Remove All and click OK. You must click OK before binding the custom cipher group.
  12. Click the pencil icon again.
  13. Click Add.
  14. Scroll down and select your custom cipher group. Then click the arrow to move it to the right. Then click OK.
  15. Click OK when you see the No usable ciphers message.

    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
  16. SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version then the ECC Curves might not be bound. If you are not using SSL Profile, then on the right, in the Advanced Settings section, click ECC Curve.
  17. On the left, in the ECC Curve section, click where it says No ECC Curve.
  18. Click to select.
  19. Choose ALL and click Select.
  20. Click Bind.

    bind ssl vserver MyvServer -eccCurveName ALL
  21. If the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
  22. In the Policies section on the left, click the plus icon.
  23. Select Rewrite > Response and click Continue.
  24. Select the STS Rewrite Policy and click Bind.

    bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

If you experience SSL performance problems on a NetScaler MPX, Citrix CTX207005 Performance Issues with NetScaler MPX SSL recommends creating and binding the following TCP Profile:

add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

SSL Tests

After you’ve created an SSL Virtual Server, run the following tests:
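As an added example (not from the original page), the following POSIX shell functions check two of the results configured above from a client: that the STS Rewrite Policy is inserting Strict-Transport-Security with a sufficiently large max-age, and that the HTTP-to-HTTPS redirect (Down vServer or Responder method) answers with a 301/302 whose Location is the https version of the same host, path and query. Each function reads raw response headers on stdin, so they can be fed from curl; the hostname MyFQDN and the 180-day max-age floor are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page. Usage against a live vServer:
#   curl -sI https://MyFQDN/ | check_sts
#   curl -sI http://MyFQDN/Citrix/StoreWeb | check_redirect MyFQDN /Citrix/StoreWeb
# MyFQDN is a placeholder; STS_MIN_AGE (180 days) is an assumed floor.

STS_MIN_AGE=15552000

# Reads HTTP response headers on stdin. Returns 0 when a
# Strict-Transport-Security header is present with max-age >= STS_MIN_AGE.
check_sts() {
    hdr=$(tr -d '\r' | grep -i '^Strict-Transport-Security:' | head -n 1)
    [ -n "$hdr" ] || { echo "STS header missing (Rewrite policy not bound?)"; return 1; }
    age=$(printf '%s\n' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || { echo "STS header has no max-age: $hdr"; return 1; }
    [ "$age" -ge "$STS_MIN_AGE" ] || { echo "STS max-age too small: $age"; return 1; }
    return 0
}

# Reads HTTP response headers on stdin. $1 = expected host, $2 = expected
# path and query. Returns 0 when the response is a 301/302 whose Location is
# exactly https://$1$2, i.e. what the Responder expression on this page builds.
check_redirect() {
    expected="https://$1$2"
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    case "$status" in
        301|302) ;;
        *) echo "expected 301/302, got: $status"; return 1 ;;
    esac
    loc=$(printf '%s\n' "$resp" | grep -i '^Location:' | head -n 1 \
          | cut -d: -f2- | sed 's/^[[:space:]]*//')
    [ "$loc" = "$expected" ] || { echo "Location '$loc' != '$expected'"; return 1; }
    return 0
}
```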

SSL Redirect – SSL Load Balancing vServer Method

New in NetScaler 11.1, you can configure SSL Redirect directly in an SSL Load Balancing vServer (port 443) instead of creating a separate HTTP (port 80) Load Balancing vServer.

Limitations:

  • This is only an option for SSL Load Balancing vServers; it’s not configurable in Gateway vServers or Content Switching vServers.
  • Only one Redirect URL can be specified. Alternatively, the Responder method can handle multiple FQDNs to one VIP (e.g. wildcard certificate) and/or IP address URLs.

To configure an SSL Load Balancing vServer to redirect from HTTP to HTTPS:

  1. Edit the SSL Load Balancing vServer (port 443).
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. In the Redirect from Port field, enter 80.
  5. In the HTTPS Redirect URL field, enter https://MyFQDN. Click Continue twice.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

To create the down Redirect Virtual Server:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find an SSL Virtual Server you’ve already created, click the ellipsis next to it, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Or if you are redirecting NetScaler Gateway, create a new Load Balancing vServer with the same VIP as the Gateway.
  4. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  5. Change the Protocol to HTTP on Port 80.
  6. The IP Address should already be filled in. It must match the original SSL Virtual Server (or Gateway vServer). Click OK.
  7. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  8. On the right, in the Advanced Settings column, click Protection.
  9. In the Redirect URL field, enter the full URL including https://. For example: https://storefront.corp.com/Citrix/StoreWeb. Click OK.

  10. Click Done.
  11. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for this redirect method to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

  1. Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers. Go to Traffic Management > Load Balancing > Services.
  2. On the right, click Add.
  3. Name it AlwaysUp or similar.
  4. Use a loopback IP address (e.g. 127.0.0.1). After the service is created, it changes to a NetScaler-owned IP.
  5. Click the More link.
  6. This dummy service must always be UP so uncheck the box next to Health Monitoring. Click OK and then click Done.

    add server 127.0.0.1 127.0.0.1
    add service AlwaysUp 127.0.0.1 HTTP 80 -healthMonitor NO
  7. On the left, expand AppExpert and click Responder.
  8. If Responder is not enabled, right-click Responder and click Enable Feature.

    enable ns feature RESPONDER
  9. Under Responder, click Actions.
  10. On the right, click Add.
  11. Give the action a name.
  12. Change the Type to Redirect.
  13. Enter an expression. The following expression can be used by multiple Redirect Virtual Servers since it redirects to https on the same URL the user entered in the browser. Or you can create a Responder Action with a more specific Target. Click Create.
    "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

    add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
  14. On the left, under Responder, click Policies.
  15. On the right, click Add.
  16. Give the policy a name.
  17. Select the previously created Responder action.
  18. For the expression, enter the following. Then click Create.
    HTTP.REQ.IS_VALID

    add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
  19. Create a Load Balancing Virtual Server with Protocol HTTP and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.

  20. Bind the AlwaysUp service and click Bind. Then click Continue.

  21. On the right, in the Advanced Settings column, click Policies.
  22. Click the plus icon in the top right of the Policies box.
  23. Select Responder and click Continue.
  24. Select the http_to_https Redirect Responder policy and click Bind. Then click Done.

    add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80
    bind lb vserver MyvServer-HTTP-SSLRedirect AlwaysUp
    bind lb vserver MyvServer-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
  25. The primary advantage of this method is that the Redirect Virtual Server is UP.

22 thoughts on “SSL Virtual Servers – NetScaler 11.1”

  1. Hey Carl
    Port 80 has to be open from the outside in order to do http to https rewrite or vip down method correct? If the port is closed the traffic will never hit netscaler causing it not to redirect correct

  2. Hi Carl,

    We are trying out the SSL Redirect – Down vServer Method but On the right, in the Advanced Settings column, we don’t have “Protection” option.

    Netscaler VPX version is 11.1 – 55.10nc

    Any ideas where this versions settings might be?

  3. Hi Carl,
    I am trying to make a new SSL Profile (Release NS11.1 54.14.nc) and no matter what combination of selections I chose I always get “Invalid argument [strictsigdigestcheck]” as an error.

    Any ideas?

    Cheers

    1. Depends on if you’re doing it using SSL Profiles or not. “show ssl vServer MyvServerName”. You must specify the name of the vServer.

  4. Hi Carl,
    I need your advice.
    I created rdp virtual server for simple reverse proxy to terminal servers.
    Is there any way to create a special header that will help us to limit the access?

    we created application that open seamless app using rds and we don’t want to let people directly connect to ns-rdp-virtual server. but only through the application.

    1. You created a LB vServer with RDP protocol? And now you want NetScaler to insert a header? What header?

  5. hi,
    I need to set up an SSL/HTTPS virtual server which will utilize internal backend servers on TCP-9080. Is that even possible to do on NetScaler?
    I have done it on F5, but cannot find anyway on netscaler?
    when i try to bind those services to the virtual server, then it says vserver type and service mismatch.
    thanks
    Lovleen

    1. Is the back-end HTTP or HTTPS? If so, create the services (or service group) using the HTTP or SSL protocol but port 9080.

      If the back-end is not HTTP (i.e. some other TCP protocol), then the front-end Virtual Server should be SSL_TCP protocol instead of SSL. SSL protocol assumes HTTP. Whereas SSL_TCP does not assume HTTP, and still allows you to bind a certificate to the vServer.

  6. Dear Carl

    I use the responder Method for https redirection:

    “Name it AlwaysUp or similar.
    Use a loopback IP address (e.g. 127.0.0.1). After the service is created, it changes to a NetScaler-owned IP.”

    Since this was created, I could access the NetScaler via http anymore.
    Also a failover in the HA setup happened since the cluster could not communicate with its fellow node anymore.

    After the failover, access to the management console was possible again but only with https.

    Any thoughts on this?

    cheers David

  7. Any thoughts how to do this properly on Unified Gateway? We had a working configuration previously so that we created a dummy Content Switching server with the same IP and bound the responder policy there and it worked perfectly.

    However, now on the 11.1 build 49.16 it just broke all the sudden.

    There seems to be tons of options on LB level but when you move to Unified GW (manually created, I never use the wizards for prod environment), we seem to run in to trouble.

      1. Hi Carl,

        I tried that too but doesn’t seem to work. I also need the “Responder” method since I’m doing a bit tricky reverse proxy thing with the UGW. Let me break it down for you:

        1. Normal portal use, users browse to portal.customer.com (with http-> https redir) and get to the logon page. After logon they get to the clientless portal from where they can pick either web links (cVPN, reverse proxy, etc…)
        2. Users can access “extranet.customer.com” (with http-> https redir), but if they haven’t logged in they’re redirected to the UGW “portal.customer.com” to authenticate and after this they get SSO’d to the destination.

        I’ve tried to bind the Responder policy to a LB on port 80, but I’m still getting the same RST package from NetScaler.

        … we have firmware 48.10 in our lab and this seems to be working fine there, so I’m now downgrading the customer test environment to see whether that has the desired functionality.

        1. Uhm… My Responder sent HTTP/302 to the client and that seemed to be the problem (for now), since when I changed the code to HTTP/301 it started working.

          I’m suspecting this might be somehow related to the customer firewall environment? Could it be that some firewalls would start resetting traffic after several 301s from the backend?

          You seem to be using the status code 302 too in your code snippet? I think I’ve read from somewhere that it should be the correct one for this use case. Do you have any references?

  8. Hi Carl,
    Not sure where to post this – but here we go 🙂
    Today I had to create a vServer where the backend server only accepted SSL
    Client > SSL to Netscaler > SSL to Backend server
    All was up and green and the client connected to NetScaler just fine.
    After the client connected to the NetScaler nothing happened and looking a packet capture on the backend server I only saw the monitor connectivity.

    I had bound the Backend server with a monitor using a Service Group which then was bound to the vServer.

    When I deleted the ServiceGroup and created a Service instead all worked fine..
    Can you explain this?
    Why would a service group not work but a service will?

    Regards
    Jeppe

    1. Sounds like a firewall issue! If you use a service group, then monitoring traffic is sourced by the SNIP. With the service only, it’s sourced by the NSIP.
