SSL Virtual Servers – NetScaler 12

Last Modified: Aug 23, 2017 @ 11:48 am

This page contains generic SSL instructions for all SSL-based Virtual Servers, including: Load Balancing, NetScaler Gateway, Content Switching, and AAA.

Navigation

💡 = Recently Updated

Cipher Group

References:

To get an A+ at SSL Labs, create a custom secure cipher group:

  1. The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for cipher group CLI commands. Putty (SSH) to the NetScaler and paste the following commands.
    add ssl cipher custom-ssllabs-cipher
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
    bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
  2. Or you can create the cipher group using the GUI.
    1. Go to Traffic Management > SSL > Cipher Groups.

      1. On the right, click Add.
      2. Name it SSL Labs or similar.
      3. In the middle, click Add.
      4. Use the search box to find a particular cipher.
      5. Check the box next to one of the results, and click the arrow to move it to the right. See Citrix Blog Post Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for recommended ciphers.
      6. Use the up and down arrows to order the ciphers. NetScaler prefers the ciphers on top of the list, so the ciphers at the top of the list should be the most secure ciphers.
    2. Click Create when done.

Strict Transport Security – Rewrite Policy Method

To get an A+ at SSLLabs.com, you need to insert the Strict-Transport-Security HTTP header in the responses. NetScaler Rewrite Policy is one method of doing this. Another method is to enable HSTS in an SSL Profile, or enable it in SSL Parameters on a SSL vServer.

To create a Rewrite Policy that inserts the Strict-Transport-Security HTTP header:

  1. On the left, expand AppExpert, right-click Rewrite, and click Enable Feature.
  2. Create the Rewrite Action:
    1. Go to AppExpert > Rewrite > Actions.
    2. On the right, click Add.
    3. Name the action insert_STS_header or similar.
    4. The Type should be INSERT_HTTP_HEADER.
    5. The Header Name should be Strict-Transport-Security.
    6. The Expression should be the following:
      "max-age=157680000"

    7. Click Create.
  3. Create the Rewrite Policy:
    1. On the left, go to AppExpert > Rewrite > Policies.
    2. On the right, click Add.
    3. Name it insert_STS_header or similar.
    4. Select the previously created Action.
    5. In the Expression box, enter HTTP.REQ.IS_VALID.
    6. Click Create.
  4. Now you can bind this Rewrite Response policy to HTTP-based SSL vServers.
    1. When editing an SSL vServer (Gateway vServer, Load Balancing vServer, etc.), if the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
    2. On the left, in the Policies section, click the plus icon.
    3. Change the Choose Policy drop-down to Rewrite.
    4. Change the Choose Type drop-down to Response, and click Continue.
    5. Click where it says Click to select.
    6. Click the radio button next to insert_STS_header, and click Select.
    7. Click Bind.
enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Profiles – Custom and Default

You can use SSL Profiles to package several SSL settings together, and apply the settings package (Profile) to SSL-based Virtual Servers and SSL-based Services. These SSL settings include:

  • Disable SSLv3
  • Bind secure ciphers
  • Bind ECC curves
  • Enable HSTS (Strict Transport Security), etc.

There are default SSL Profiles, and there are custom SSL Profiles. The default SSL Profiles are disabled by default, because they would impact every SSL-based Virtual Server and Service on the appliance. Once default SSL Profiles are enabled, you cannot disable the default SSL Profiles.

  • Some features of custom SSL Profiles require default SSL Profiles to be enabled. For example, you cannot configure ciphers in a custom SSL Profile unless the default SSL Profiles are enabled.

Default SSL Profiles are intended to provide a baseline SSL configuration for all newly created SSL Virtual Servers and SSL Services. You can still create Custom SSL Profiles to override the Default SSL Profiles.

To enable Default SSL profiles

Enabling Default SSL Profiles is irreversible.

  1. Make sure you are connected to the appliance NSIP using http, and not https.
  2. Go to Traffic Management > SSL.
  3. On the right, in the right column, click Change advanced SSL settings.
  4. Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window.

  5. Click OK to close Change Advanced SSL Settings.
  6. If you go back into Change Advanced SSL Settings, notice that the Default Profile is enabled, and there’s no way to disable it.

To create a custom SSL Profile

  1. On the left, expand System, and click Profiles.
  2. On the right, switch to the SSL Profile tab.

    1. Click Add.
    2. Enter a name.
    3. Change the SSL Profile Type to FrontEnd or BackEnd.
    4. Configure SSL Profile settings as desired (see below for some recommendations).
  3. After the SSL Profile is created, edit any SSL-based Virtual Server.

    1. On the right, in the Advanced Settings column, click SSL Profile to add the section.
    2. On the left, scroll down to the SSL Profile section, and select an SSL Profile. Click OK to close the SSL Profile section.

Recommended SSL Profile Settings

  1. On the left, expand System, and click Profiles.
  2. On the right, switch to the SSL Profile tab.
  3. Either create a new SSL Profile, or edit the default frontend or backend profile. This section focuses on a FrontEnd profile.
    1. Frontend = client-side connections to SSL Virtual Servers.
    2. Backend = server-side connections (SSL Services and Service Groups).
  4. Click the pencil icon in the Basic Settings section.

    1. Scroll all the way down to the Protocol section.
    2. Notice that SSLv3 is already unchecked.
    3. You can optionally uncheck TLSv1 and TLSv11.
    4. To enable Strict Transport Security (HSTS), scroll up a little, and check the box next to HSTS.
    5. Enter 157680000 in the Max Age box.
    6. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policy works fine.
    7. If you do any SSL Offload (SSL on the client side, HTTP on the server side), then you’ll need to enable SSL Redirect. It’s above HSTS. With this option enabled, any 301/302 redirects from the server with HTTP Location headers are rewritten to HTTPS Location headers. You might need this option for StoreFront load balancing if doing SSL Offload (port 80 to the StoreFront servers). Note: this setting might be more appropriate in a custom SSL Profile instead of the default SSL Profile.
    8. Click OK when done modifying the Basic Settings section.
  5. Scroll down to the SSL Ciphers section, and click the pencil icon.

    1. Click Remove All, and click OK. You must click OK before binding the custom cipher group.

    2. Click the pencil icon again.
    3. Click Add.
    4. Scroll down, and select your custom cipher group (e.g. SSL Labs). Click the arrow to move it to the right.
    5. Click OK to close the Custom Ciphers section.

SSL vServers – Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

If you enabled the Default SSL Profiles feature, you can either leave the vServer configured with the Default SSL Profile; or you can change the vServer to use a Custom SSL Profile.

If you don’t use the SSL Profiles feature, then you’ll need to manually configure ciphers and SSL settings on every SSL vServer.

Do the following on every SSL vServer:

  1. When creating an SSL Virtual Server (e.g. SSL Load Balancing vServer), on the left, in the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the radio button next to a certificate ,and click Select.
    3. Click Bind.

      bind ssl vserver MyvServer -certkeyName MyCert
  2. You can bind a Custom SSL Profile:
    1. Find the SSL Profile section on the left, and click the pencil icon.

      1. If you don’t see the SSL Profile section on the left, then add the SSL Profile section from the Advanced Settings column on the right.
    2. Select a Custom SSL Profile, and click OK.
  3. If default SSL Profiles are not enabled:
    1. On the left, in the SSL Parameters section, click the pencil icon.
    2. Uncheck the box next to SSLv3. You can optionally uncheck TLSv1 and TLSv11. Click OK.

      set ssl vserver MyvServer -ssl3 DISABLED -tls12 ENABLED
    3. If you didn’t bind an SSL Profile, scroll down to the SSL Ciphers section, and click the pencil icon.
    4. Click Remove All, and click OK. You must click OK before binding the custom cipher group.
    5. Click the pencil icon again.
    6. Change the selection to Cipher Groups.
    7. Select your custom cipher group. It’s probably at the bottom of the list. Then click OK.

      unbind ssl vserver MyvServer -cipherName ALL
      bind ssl vserver MyvServer -cipherName custom-ssllabs-cipher
  4. SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version, then the ECC Curves might not be bound. If you are not using SSL Profile, then on the right, in the Advanced Settings column, click ECC Curve.

    1. On the left, in the ECC Curve section, click where it says No ECC Curve.
    2. Click where it says Click to select.
    3. Click the radio button next to ALL, and click Select.
    4. Click Bind.

      bind ssl vserver MyvServer -eccCurveName ALL
  5. If HSTS is not enabled in a bound SSL Profile, you can enable it in SSL Parameters, or you can enable it by binding a Rewrite policy.
  6. To enable HSTS by configuring SSL Parameters:
    1. On the left, find the SSL Parameters section, and click the pencil icon. This section is only present if Default SSL Profiles are not enabled. Don’t configure this if you bound a Custom SSL Profile.
    2. In the right column, check the box next to HSTS.
    3. Enter 157680000 in the Max Age box.
    4. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policy works fine.
    5. Click OK to close SSL Parameters.
  7. If enabling HSTS in an SSL Profile or SSL Parameters causes technical issues, then bind a Rewrite policy instead:
    1. If the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
    2. On the left, find the Policies section, and click the plus icon.
    3. Change the Choose Policy drop-down to Rewrite.
    4. Change the Choose Type drop-down to Response, and click Continue.
    5. Click where it says Click to select.
    6. Click the radio button next to the insert_STS_header policy, and click Select.
    7. Click Bind.

      bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

If you experience SSL performance problems on a NetScaler MPX, Citrix CTX207005 Performance Issues with NetScaler MPX SSL recommends creating and binding the following TCP Profile:

add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

SSL Tests

After you’ve created an SSL Virtual Server and configured SSL settings, run the following test:

SSL Redirect – Methods

There are typically three methods of performing SSL Redirect (http to https) in NetScaler:

  • Load Balancing Virtual Server Method – enable SSL Redirect directly on the Load Balancing Virtual Server. This is the easiest method.
    • This option is not available for Gateway Virtual Servers and Content Switching Virtual Servers.
    • There’s nothing in the GUI to indicate that the SSL Virtual Server is also listening on port 80.
  • Down vServer Method – create a new Load Balancing Virtual Server on Port 80, and configure the Redirect URL for when it is down.
    • The Virtual Server must be DOWN for the Redirect to occur. These Virtual Servers are shown as Red instead of Green.
  • Responder Method – create a new Load Balancing Virtual Server on Port 80, and bind a Responder policy that redirects to https.
    • The Responder policy only works if the Virtual Server is UP, which means it is shown as Green.
    • Some setup tasks are required – create the AlwaysUP service, and create the Responder Policy. But once setup is complete, it only requires slightly more steps than the Down vServer method.

SSL Redirect – SSL Load Balancing vServer Method

You can configure SSL Redirect directly in an SSL Load Balancing vServer (port 443) instead of creating a separate HTTP (port 80) Load Balancing vServer.

Limitations:

  • This is only an option for SSL Load Balancing vServers; it’s not configurable in Gateway vServers or Content Switching vServers.
  • Only one Redirect URL can be specified. Alternatively, the Responder method can handle multiple FQDNs to one VIP (e.g. wildcard certificate) and/or IP address URLs.

To configure an SSL Load Balancing vServer to redirect from HTTP to HTTPS:

  1. Edit the SSL Load Balancing vServer (port 443).
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. In the Redirect from Port field, enter 80.
  5. In the HTTPS Redirect URL field, enter https://MyFQDN.
  6. Click Continue twice.
  7. When you view the list of Load Balancing Virtual Servers, there’s no indication that it’s listening on port 80.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP, but listens on HTTP 80, and then redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

To create the down Redirect Virtual Server:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, right-click an SSL Virtual Server you’ve already created, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Or, if you are redirecting NetScaler Gateway, create a new Load Balancing vServer with the same VIP as the Gateway.
  4. Change the name of the Virtual Server to indicate that this new Virtual Server is an SSL Redirect.
  5. Change the Protocol to HTTP on Port 80.
  6. The IP Address should already be filled in. It must match the original SSL Virtual Server (or Gateway vServer). Click OK.
  7. Don’t bind any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  8. On the right, in the Advanced Settings column, click Protection.
  9. On the left, in the Protection section, in the Redirect URL field, enter the full URL including https://. For example: https://storefront.corp.com/Citrix/StoreWeb.
  10. Click OK to close the Protection section.
  11. Click Done.
  12. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s expected. The Port 80 Virtual Server must be DOWN for this redirect method to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

Responder Method Setup Tasks

  1. Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers.
    1. Go to Traffic Management > Load Balancing > Services.
    2. On the right, click Add.
    3. Name the service AlwaysUp or similar.
    4. Enter a loopback IP address (e.g. 127.0.0.1). After the service is created, the service IP changes to a NetScaler-owned IP.
    5. Click the More link.
    6. This dummy service must always be UP, so uncheck the box next to Health Monitoring.
    7. Click OK, and then click Done to close the Load Balancing Service.

      add server 127.0.0.1 127.0.0.1
      add service AlwaysUp 127.0.0.1 HTTP 80 -healthMonitor NO
  2. Create the Responder Action:
    1. On the left, expand AppExpert, and click Responder.
    2. If Responder feature is not enabled, right-click Responder, and click Enable Feature.

      enable ns feature RESPONDER
    3. Under Responder, click Actions.
    4. On the right, click Add.
    5. Give the action a name.
    6. Change the Type to Redirect. If you leave this set to Respond With then it won’t work.
    7. Enter an expression. The following expression redirects to https on the same URL the user entered in the browser. Or you can create a Responder Action with a more specific Target. Click Create.
      "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

      add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
  3. Create the Responder Policy:
    1. On the left, under Responder, click Policies.
    2. On the right, click Add.
    3. Give the policy a name.
    4. Select the previously created Responder action.
    5. For the expression, enter the following. Then click Create.
      HTTP.REQ.IS_VALID

      add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact

Enable Redirect using Responder Policy

  1. Create a Load Balancing Virtual Server with Protocol HTTP, and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.

  2. Bind the AlwaysUp service.
    1. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
    2. Click where it says Click to select.
    3. Check the box next to AlwaysUp, and click Select.
    4. Click Bind.
    5. Click Continue to close Services and Service Groups.
  3. Bind the Responder Policy:
    1. On the right, in the Advanced Settings column, click Policies.
    2. On the left, scroll down to the Policies section, and click the plus icon in the top right of the Policies box.
    3. Change the Choose Policy drop-down to Responder. Click Continue.
    4. Click where it says Click to select.
    5. Click the radio button next to the redirect Responder policy, and click Select.
    6. Click Bind.
    7. Then click Done to close the Load Balancing Virtual Server.

      add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80
      
      bind lb vserver storefront.corp.com-HTTP-SSLRedirect AlwaysUp
      
      bind lb vserver storefront.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
  4. The primary advantage of this method is that the Redirect Virtual Server is UP.

Related Pages

3 thoughts on “SSL Virtual Servers – NetScaler 12”

  1. I’m trying to do this redirect and I can’t get it to work. When I get to the Enable Redirect using Responder Policy section, I try to add the http vserver and it won’t let me…it says “resource already exists”. I’m entering a different name but the same VIP. Any ideas?

      1. Yes, port 80. No I don’t have any other vservers with the same VIP on 80. I got it to work though…I had to use the VIP of the Netscaler Gateway vServer.

Leave a Reply