
Secure load balanced traffic by using SSL

The Citrix ADC SSL offload feature transparently improves the performance of websites that conduct SSL transactions. By offloading CPU-intensive SSL encryption and decryption tasks from the local web server to the appliance, SSL offloading ensures secure delivery of web applications without the performance penalty incurred when the server processes the SSL data. Once the SSL traffic is decrypted, it can be processed by all standard services. The SSL protocol works seamlessly with various types of HTTP and TCP data and provides a secure channel for transactions using such data.

To configure SSL, you must first enable it. Then, you configure HTTP or TCP services and an SSL virtual server on the appliance, and bind the services to the virtual server. You must also add a certificate-key pair and bind it to the SSL virtual server. If you use Outlook Web Access servers, you must create an action to enable SSL support and a policy to apply the action. An SSL virtual server intercepts incoming encrypted traffic and decrypts it by using a negotiated algorithm. The SSL virtual server then forwards the decrypted data to the other entities on the appliance for appropriate processing.

For detailed information about SSL offloading, see SSL offload and acceleration.

SSL configuration task sequence

To configure SSL, you must first enable it. Then, you must create an SSL virtual server and HTTP or TCP services on the Citrix ADC appliance. Finally, you must bind a valid SSL certificate and the configured services to the SSL virtual server.

An SSL virtual server intercepts incoming encrypted traffic and decrypts it using a negotiated algorithm. The SSL virtual server then forwards the decrypted data to the other entities on the Citrix ADC appliance for appropriate processing.

The following flow chart shows the sequence of tasks for configuring a basic SSL offload setup.

Figure 1. Sequence of Tasks to Configure SSL Offloading [SSL flow chart]

Enable SSL offload

First enable the SSL feature. You can configure SSL-based entities on the appliance without enabling the SSL feature, but they will not work until you enable SSL.

Enable SSL by using the CLI

At the command prompt, type the following commands to enable SSL Offload and verify the configuration:

  - enable ns feature SSL
  - show ns feature

Example:

    > enable ns feature ssl
     Done
    > show ns feature
            Feature                        Acronym              Status
            -------                        -------              ------
     1)     Web Logging                    WL                   ON
     2)     SurgeProtection                SP                   OFF
     3)     Load Balancing                 LB                   ON
     .
     .
     9)     SSL Offloading                 SSL                  ON
     10)    Global Server Load Balancing   GSLB                 ON
     .
     .
     Done
    >

Enable SSL by using the GUI

Follow these steps:

  1. In the navigation pane, expand System, and then click Settings.
  2. In the details pane, under Modes and Features, click Change basic features.
  3. Select the SSL Offloading check box, and then click OK.
  4. In the Enable/Disable Feature(s)? message box, click Yes.

Create HTTP services

A service on the appliance represents an application on a server. Once configured, services are in the disabled state until the appliance can reach the server on the network and monitor its status. This topic covers the steps to create an HTTP service.

Note: For TCP traffic, perform the following procedures, but create TCP services instead of HTTP services.

Add an HTTP service by using the CLI

At the command prompt, type the following commands to add an HTTP service and verify the configuration:

  - add service <name> (<IP> | <serverName>) <serviceType> <port>
  - show service <name>

Example:

    > add service SVC_HTTP1 10.102.29.18 HTTP 80
     Done
    > show service SVC_HTTP1
            SVC_HTTP1 (10.102.29.18:80) - HTTP
            State: UP
            Last state change was at Wed Jul 15 06:13:05 2009
            Time since last state change: 0 days, 00:00:15.350
            Server Name: 10.102.29.18
            Server ID : 0
            Monitor Threshold : 0
            Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
            Use Source IP: NO
            Client Keepalive(CKA): NO
            Access Down Service: NO
            TCP Buffering(TCPB): NO
            HTTP Compression(CMP): YES
            Idle timeout: Client: 180 sec   Server: 360 sec
            Client IP: DISABLED
            Cacheable: NO
            SC: OFF
            SP: OFF
            Down state flush: ENABLED

    1)      Monitor Name: tcp-default
                    State: UP       Weight: 1
                    Probes: 4       Failed [Total: 0 Current: 0]
                    Last response: Success - TCP syn+ack received.
                    Response Time: N/A
     Done

Add an HTTP service by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL Offload > Services.
  2. In the details pane, click Add.
  3. In the Create Service dialog box, type the name of the service, IP address, and port (for example, SVC_HTTP1, 10.102.29.18, and 80).
  4. In the Protocol list, select the type of the service (for example, HTTP).
  5. Click Create, and then click Close. The HTTP service you configured appears in the Services page.
  6. Verify that the parameters are configured correctly by selecting the service and viewing the Details section at the bottom of the pane.

Add an SSL based virtual server

In a basic SSL offloading setup, the SSL virtual server intercepts encrypted traffic, decrypts it, and sends the clear text messages to the services that are bound to the virtual server. Offloading CPU-intensive SSL processing to the appliance allows the back-end servers to process a greater number of requests.

Add an SSL-based virtual server by using the CLI

At the command prompt, type the following commands to create an SSL-based virtual server and verify the configuration:

  - add lb vserver <name> <serviceType> [<IPAddress> <port>]
  - show lb vserver <name>

Caution: To ensure secure connections, you must bind a valid SSL certificate to the SSL-based virtual server before you enable it.

Example:

    > add lb vserver vserver-SSL-1 SSL 10.102.29.50 443
     Done
    > show lb vserver vserver-SSL-1
            vserver-SSL-1 (10.102.29.50:443) - SSL  Type: ADDRESS
            State: DOWN[Certkey not bound]
            Last state change was at Tue Jun 16 06:33:08 2009 (+176 ms)
            Time since last state change: 0 days, 00:03:44.120
            Effective State: DOWN
            Client Idle Timeout: 180 sec
            Down state flush: ENABLED
            Disable Primary Vserver On Down : DISABLED
            No. of Bound Services :  0 (Total)       0 (Active)
            Configured Method: LEASTCONNECTION
            Mode: IP
            Persistence: NONE
            Vserver IP and Port insertion: OFF
            Push: DISABLED  Push VServer:
            Push Multi Clients: NO
            Push Label Rule:
     Done

Add an SSL-based virtual server by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL Offload > Virtual Servers.
  2. In the details pane, click Add.
  3. In the Create Virtual Server (SSL Offload) dialog box, type the name of the virtual server, IP address, and port.
  4. In the Protocol list, select the type of the virtual server, for example, SSL.
  5. Click Create, and then click Close.
  6. Verify that the parameters are configured correctly by selecting the virtual server and viewing the Details section at the bottom of the pane. The virtual server is marked as DOWN because a certificate-key pair and services have not yet been bound to it.

Caution: To ensure secure connections, you must bind a valid SSL certificate to the SSL-based virtual server before you enable it.

Bind services to the SSL virtual server

After decrypting the incoming data, the SSL virtual server forwards the data to the services that you have bound to the virtual server.

Data transfer between the appliance and the servers can be encrypted or in clear text. If the data transfer between the appliance and the servers is encrypted, the entire transaction is secure from end to end. For more information about configuring the system for end-to-end security, see SSL offload and acceleration.

Bind a service to a virtual server by using the CLI

At the command prompt, type the following commands to bind a service to the SSL virtual server and verify the configuration:

  - bind lb vserver <name> <serviceName>
  - show lb vserver <name>

Example:

    > bind lb vserver vserver-SSL-1 SVC_HTTP1
     Done
    > show lb vserver vserver-SSL-1
            vserver-SSL-1 (10.102.29.50:443) - SSL  Type: ADDRESS
            State: DOWN[Certkey not bound]
            Last state change was at Tue Jun 16 06:33:08 2009 (+174 ms)
            Time since last state change: 0 days, 00:31:53.70
            Effective State: DOWN
            Client Idle Timeout: 180 sec
            Down state flush: ENABLED
            Disable Primary Vserver On Down : DISABLED
            No. of Bound Services :  1 (Total)       0 (Active)
            Configured Method: LEASTCONNECTION
            Mode: IP
            Persistence: NONE
            Vserver IP and Port insertion: OFF
            Push: DISABLED  Push VServer:
            Push Multi Clients: NO
            Push Label Rule:

    1) SVC_HTTP1 (10.102.29.18: 80) - HTTP State: DOWN  Weight: 1
     Done

Bind a service to a virtual server by using the GUI

  1. Navigate to Traffic Management > SSL Offload > Virtual Servers.
  2. In the details pane, select a virtual server, and then click Open.
  3. On the Services tab, in the Active column, select the check boxes next to the services that you want to bind to the selected virtual server.
  4. Click OK.
  5. Verify that the Number of Bound Services counter in the Details section at the bottom of the pane is incremented by the number of services that you bound to the virtual server.

Add a certificate-key pair

An SSL certificate is an integral element of the SSL Key-Exchange and encryption/decryption process. The certificate is used during an SSL handshake to establish the identity of the SSL server. You can use a valid, existing SSL certificate that you have on the Citrix ADC appliance, or you can create your own SSL certificate. The appliance supports RSA certificates of up to 4096 bits.

For ECDSA certificates, only the following curves are supported:

  • prime256v1 (P_256 on the ADC)
  • secp384r1 (P_384 on the ADC)
  • secp521r1 (P_521 on the ADC; supported on VPX only)
  • secp224r1 (P_224 on the ADC; supported on VPX only)

Note: Citrix recommends that you use a valid SSL certificate that has been issued by a trusted certificate authority. Invalid certificates and self-created certificates are not compatible with all SSL clients.

Before a certificate can be used for SSL processing, you must pair it with its corresponding key. The certificate key pair is then bound to the virtual server and used for SSL processing.

Add a certificate key pair by using the CLI

Note: For information about creating an ECDSA certificate-key pair, see Create an ECDSA certificate-key pair.

At the command prompt, type the following commands to create a certificate key pair and verify the configuration:

  - add ssl certKey <certkeyName> -cert <string> [-key <string>]
  - show sslcertkey <certkeyName>

Example:

    > add ssl certKey CertKey-SSL-1 -cert ns-root.cert -key ns-root.key
     Done
    > show sslcertkey CertKey-SSL-1
            Name: CertKey-SSL-1
            Status: Valid,   Days to expiration:4811
            Version: 3
            Serial Number: 00
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
            Validity
                    Not Before: Oct  6 06:52:07 2006 GMT
                    Not After : Aug 17 21:26:47 2022 GMT
            Subject: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
            Public Key Algorithm: rsaEncryption
            Public Key size: 1024
     Done

Add a certificate key pair by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL > Certificates.
  2. In the details pane, click Add.
  3. In the Install Certificate dialog box, in the Certificate-Key Pair Name text box, type a name for the certificate key pair you want to add, for example, Certkey-SSL-1.
  4. Under Details, in Certificate File Name, click Browse (Appliance) to locate the certificate. Both the certificate and the key are stored in the /nsconfig/ssl/ folder on the appliance. To use a certificate present on the local system, select Local.
  5. Select the certificate you want to use, and then click Select.
  6. In Private Key File Name, click Browse (Appliance) to locate the private key file. To use a private key present on the local system, select Local.
  7. Select the key you want to use and click Select. To encrypt the key used in the certificate key pair, type the password to be used for encryption in the Password text box.
  8. Click Install.
  9. Double-click the certificate key pair and, in the Certificate Details window, verify that the parameters have been configured correctly and saved.

Bind an SSL certificate key pair to the virtual server

After you pair an SSL certificate with its corresponding key, bind the certificate-key pair to the SSL virtual server so that it can be used for SSL processing. Secure sessions require establishing a connection between the client computer and an SSL-based virtual server on the appliance. SSL processing is then carried out on the incoming traffic at the virtual server. Therefore, before enabling the SSL virtual server on the appliance, you must bind a valid SSL certificate to the SSL virtual server.

Bind an SSL certificate key pair to a virtual server by using the CLI

At the command prompt, type the following commands to bind an SSL certificate key pair to a virtual server and verify the configuration:

  - bind ssl vserver <vServerName> -certkeyName <string>
  - show ssl vserver <vServerName>

Example:

    > bind ssl vserver Vserver-SSL-1 -certkeyName CertKey-SSL-1
     Done
    > show ssl vserver Vserver-SSL-1
            Advanced SSL configuration for VServer Vserver-SSL-1:
            DH: DISABLED
            Ephemeral RSA: ENABLED          Refresh Count: 0
            Session Reuse: ENABLED          Timeout: 120 seconds
            Cipher Redirect: ENABLED
            SSLv2 Redirect: ENABLED
            ClearText Port: 0
            Client Auth: DISABLED
            SSL Redirect: DISABLED
            Non FIPS Ciphers: DISABLED
            SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

    1)      CertKey Name: CertKey-SSL-1     Server Certificate

    1)      Cipher Name: DEFAULT
            Description: Predefined Cipher Alias
     Done

Bind an SSL certificate key pair to a virtual server by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL Offload > Virtual Servers.
  2. Select the virtual server to which you want to bind the certificate key pair, for example, Vserver-SSL-1, and click Open.
  3. In the Configure Virtual Server (SSL Offload) dialog box, on the SSL Settings tab, under Available, select the certificate key pair that you want to bind to the virtual server. Then click Add.
  4. Click OK.
  5. Verify that the certificate key pair that you selected appears in the Configured area.
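As an added example (not part of this article and not Citrix code), the following Python script parses the kind of show ssl vserver and show sslcertkey output shown in the CLI examples above and flags what a reviewer would not accept on a production virtual server: no bound certificate-key pair (the Caution above), SSLv2 or SSLv3 enabled, a key shorter than 2048 bits, an MD5 or SHA-1 signature, a self-signed certificate (the Note above), or a certificate about to expire. The sample output strings are constructed from the article's examples, and the field layout, the 2048-bit key size and the 30-day window are this example's assumptions.

```python
import re

# Constructed sample, abridged from the "show ssl vserver" and "show sslcertkey"
# output shown in this article (not captured from a live appliance).
SHOW_SSL_VSERVER = """\
Advanced SSL configuration for VServer Vserver-SSL-1:
    DH: DISABLED
    Ephemeral RSA: ENABLED  Refresh Count: 0
    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED
1)  CertKey Name: CertKey-SSL-1  Server Certificate
 Done
"""
SHOW_SSLCERTKEY = """\
    Name: CertKey-SSL-1
    Status: Valid,   Days to expiration:4811
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
    Subject: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
    Public Key size: 1024
 Done
"""


def parse_fields(output):
    """Collect 'Key: Value' pairs; several pairs may share one line, separated
    by runs of two or more spaces (layout assumed from the article's output)."""
    fields = {}
    for line in output.splitlines():
        for chunk in re.split(r"\s{2,}", line.strip()):
            key, sep, val = chunk.partition(":")
            if sep and key.strip():
                fields[key.strip()] = val.strip()
    return fields


def audit_ssl_vserver(vs, cert):
    """Return reviewer findings (2048-bit key and 30-day thresholds are assumed)."""
    findings = []
    if "CertKey Name" not in vs:  # the Caution above: the vserver stays DOWN
        findings.append("no certificate-key pair bound")
    for proto in ("SSLv2", "SSLv3"):
        if vs.get(proto) == "ENABLED":
            findings.append(f"{proto} enabled")
    bits = int(cert.get("Public Key size", "0"))
    if bits < 2048:
        findings.append(f"RSA key only {bits} bits")
    sig = cert.get("Signature Algorithm", "")
    if sig.lower().startswith(("md5", "sha1")):
        findings.append(f"weak signature algorithm {sig}")
    if cert.get("Issuer") == cert.get("Subject"):
        findings.append("self-signed certificate")  # see the Note above
    if int(cert.get("Days to expiration", "0")) < 30:
        findings.append("certificate expires within 30 days")
    return findings
```

Run audit_ssl_vserver(parse_fields(SHOW_SSL_VSERVER), parse_fields(SHOW_SSLCERTKEY)) against output copied from your own appliance to get the list of findings for that virtual server.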

Configure support for Outlook Web Access

If you use Outlook Web Access (OWA) servers on your Citrix ADC appliance, you must configure the appliance to insert a special header field, FRONT-END-HTTPS: ON, in HTTP requests directed to the OWA servers, so that the servers generate URL links as https:// instead of http://.

Note: You can enable OWA support for HTTP-based SSL virtual servers and services only. You cannot apply it to TCP-based SSL virtual servers and services.

To configure OWA support, do the following:

  • Create an SSL action to enable OWA support.
  • Create an SSL policy.
  • Bind the policy to the SSL virtual server.

Create an SSL action to enable OWA support

Before you can enable Outlook Web Access (OWA) support, you must create an SSL action. SSL actions are bound to SSL policies and triggered when incoming data matches the rule specified by the policy.

Create an SSL action to enable OWA support by using the CLI

At the command prompt, type the following commands to create an SSL action to enable OWA support and verify the configuration:

  - add ssl action <name> -OWASupport ENABLED
  - show SSL action <name>

Example:

    > add ssl action Action-SSL-OWA -OWASupport enabled
     Done
    > show SSL action Action-SSL-OWA
            Name: Action-SSL-OWA
            Data Insertion Action:
            OWA Support: ENABLED
     Done

Create an SSL action to enable OWA support by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL > Policies.
  2. In the details pane, on the Actions tab, click Add.
  3. In the Create SSL Action dialog box, in the Name text box, type Action-SSL-OWA.
  4. Under Outlook Web Access, select Enabled.
  5. Click Create, and then click Close.
  6. Verify that Action-SSL-OWA appears in the SSL Actions page.

Create SSL policies

SSL policies are created by using the policy infrastructure. Each SSL policy has an SSL action bound to it, and the action is carried out when incoming traffic matches the rule that has been configured in the policy.

Create an SSL policy by using the CLI

At the command prompt, type the following commands to configure an SSL policy and verify the configuration:

  - add ssl policy <name> -rule <expression> -reqAction <string>
  - show ssl policy <name>

Example:

    > add ssl policy Policy-SSL-1 -rule ns_true -reqaction Action-SSL-OWA
     Done
    > show ssl policy Policy-SSL-1
            Name: Policy-SSL-1
            Rule: ns_true
            Action: Action-SSL-OWA
            Hits: 0

            Policy is bound to following entities
    1)      PRIORITY : 0
     Done

Create an SSL policy by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL > Policies.
  2. In the details pane, click Add.
  3. In the Create SSL Policy dialog box, in the Name text box, type the name of the SSL Policy (for example, Policy-SSL-1).
  4. In Request Action, select the configured SSL action that you want to associate with this policy (for example, Action-SSL-OWA). The ns_true general expression applies the policy to all successful SSL handshake traffic. However, to filter specific responses, you can create policies with a higher level of detail. For more information about configuring granular policy expressions, see SSL actions and policies.
  5. In Named Expressions, choose the built-in general expression ns_true and click Add Expression. The expression ns_true now appears in the Expression text box.
  6. Click Create, and then click Close.
  7. Verify that the policy is correctly configured by selecting the policy and viewing the Details section at the bottom of the pane.

Bind the SSL policy to the SSL virtual server

After you configure an SSL policy for Outlook Web Access, bind the policy to a virtual server that will intercept incoming Outlook traffic. If the incoming data matches any of the rules configured in the SSL policy, the policy is triggered and the action associated with it is carried out.

Bind an SSL policy to an SSL virtual server by using the CLI

At the command prompt, type the following commands to bind an SSL policy to an SSL virtual server and verify the configuration:

  - bind ssl vserver <vServerName> -policyName <string>
  - show ssl vserver <vServerName>

Example:

    > bind ssl vserver Vserver-SSL-1 -policyName Policy-SSL-1
     Done
    > show ssl vserver Vserver-SSL-1
            Advanced SSL configuration for VServer Vserver-SSL-1:
            DH: DISABLED
            Ephemeral RSA: ENABLED          Refresh Count: 0
            Session Reuse: ENABLED          Timeout: 120 seconds
            Cipher Redirect: ENABLED
            SSLv2 Redirect: ENABLED
            ClearText Port: 0
            Client Auth: DISABLED
            SSL Redirect: DISABLED
            Non FIPS Ciphers: DISABLED
            SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

    1)      CertKey Name: CertKey-SSL-1     Server Certificate

    1)      Policy Name: Policy-SSL-1       Priority: 0

    1)      Cipher Name: DEFAULT
            Description: Predefined Cipher Alias
     Done

Bind an SSL policy to an SSL virtual server by using the GUI

Follow these steps:

  1. Navigate to Traffic Management > SSL Offload > Virtual Servers.
  2. In the details pane, select the virtual server (for example, Vserver-SSL-1), and then click Open.
  3. In the Configure Virtual Server (SSL Offload) dialog box, click Insert Policy, and then select the policy that you want to bind to the SSL virtual server. Optionally, you can double-click the Priority field and type a new priority level.
  4. Click OK.