
SSL policy binding

You can bind SSL policies only globally or to a virtual server of type SSL. Globally bound policies are evaluated after all policies bound to services, virtual servers, or other Citrix ADC bind points have been evaluated. If the incoming data matches any of the rules configured in the SSL policy, the policy is triggered and the action associated with it is carried out.

When binding an SSL policy to a virtual server, you must select from one of the following bind points:

  • REQUEST (Default bind point. Policy evaluation is done in the HTTP layer after the SSL handshake is completed.)

  • INTERCEPT_REQ (This option applies to a Citrix Secure Web Gateway setup. For more information, see SSL policy infrastructure for SSL interception.)

  • CLIENTHELLO_REQ

Similarly, when unbinding a policy from a virtual server, you must specify the bind point.

If you specify CLIENTHELLO_REQ as the bind point, the policy is evaluated when a client hello message is received. The allowed actions are RESET, FORWARD, and caCertGrpName. The reset action terminates the connection. The forward action forwards the request to a load balancing virtual server for processing. The caCertGrpName action selectively picks CAs based on SNI for client authentication. For more information about SSL actions, see SSL built-in actions and user-defined actions.

Note: The action caCertGrpName is not supported with the TLS 1.3 protocol.

Bind an SSL policy globally by using the CLI

At the command prompt, type the following command to bind a global SSL policy and verify the configuration:

bind ssl global -policyName <policy_name> [-priority <positive_integer>]
show ssl global

Example:

bind ssl global -policyName Policy-SSL-2 -priority 90
 Done
sh ssl global
1)      Name: Policy-SSL-2      Priority: 90
2)      Name: Policy-SSL-1      Priority: 100
 Done

Bind an SSL policy globally by using the GUI

  1. Navigate to Traffic Management > SSL > Policies.
  2. In the details pane, click Global Bindings.
  3. In the Bind/Unbind SSL Policies to Global dialog box, click Insert Policy.
  4. In the Policy Name list, select a policy.
  5. Optionally, drag the entry to a new position in the policy bank to automatically update the priority level.
  6. Click OK. A message appears in the status bar, stating that the policy has been bound successfully.

Bind or unbind an SSL policy to a virtual server by using the CLI

At the command prompt, type the following commands to bind an SSL policy to a virtual server (or unbind it) and verify the configuration:

bind ssl vserver <vserver_name> -policyName <policy_name> -priority <positive_integer> -type <bind_point>
unbind ssl vserver <vserver_name> -policyName <policy_name> -priority <positive_integer> -type <bind_point>

Example:

bind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ 
unbind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ 
show ssl vserver vs-server

        Advanced SSL configuration for VServer vs-server:
        DH: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 1000
        Session Reuse: ENABLED          Timeout: 120 seconds
        Cipher Redirect: DISABLED
        SSLv2 Redirect: DISABLED
        ClearText Port: 80
        Client Auth: DISABLED
        SSL Redirect: ENABLED
        SSL-REDIRECT Port Rewrite: ENABLED
        Non FIPS Ciphers: DISABLED
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

1)      Policy Name: ssl-policy-1       Priority: 10

1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done
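The "verify the configuration" step in both the global and the virtual-server CLI procedures above relies on reading the `show ssl global` and `show ssl vserver` listings by eye. The following added example (not Citrix code) parses those listings and derives the order in which the ADC evaluates the bound policies: virtual-server bindings first, lowest priority number first, then the global bindings. The sample output is constructed to mirror the listings shown in this article.

```python
import re

# Constructed sample output, modelled on the "sh ssl global" and
# "show ssl vserver" listings in this article (not captured from a device).
SHOW_SSL_GLOBAL = """\
1)      Name: Policy-SSL-2      Priority: 90
2)      Name: Policy-SSL-1      Priority: 100
 Done"""

SHOW_SSL_VSERVER = """\
        Advanced SSL configuration for VServer vs-server:
        DH: DISABLED
        Client Auth: DISABLED
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED
1)      Policy Name: ssl-policy-1       Priority: 10
1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done"""

# Matches "N)  Name: <policy> Priority: <n>" (global listing) and
# "N)  Policy Name: <policy> Priority: <n>" (vserver listing).
# "Cipher Name:" lines do not match because the word before "Name:" differs.
POLICY_RE = re.compile(
    r"^\d+\)\s+(?:Policy )?Name:\s+(\S+)\s+Priority:\s+(\d+)", re.MULTILINE
)


def parse_bindings(output):
    """Return [(policy_name, priority), ...] in listing order."""
    return [(name, int(prio)) for name, prio in POLICY_RE.findall(output)]


def is_bound(output, policy_name, priority=None):
    """True if the policy appears in the listing (optionally at the given priority)."""
    return any(
        name == policy_name and (priority is None or prio == priority)
        for name, prio in parse_bindings(output)
    )


def evaluation_order(vserver_output, global_output):
    """Policy names in ADC evaluation order: virtual-server bindings first,
    then global bindings, each set ordered by priority (lower number first)."""
    vs = sorted(parse_bindings(vserver_output), key=lambda b: b[1])
    gl = sorted(parse_bindings(global_output), key=lambda b: b[1])
    return [name for name, _ in vs] + [name for name, _ in gl]


if __name__ == "__main__":
    print(evaluation_order(SHOW_SSL_VSERVER, SHOW_SSL_GLOBAL))
```

Feed the script the real output of the two show commands to confirm that a freshly bound policy is present at the intended priority and that its position relative to global bindings is what you expect.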

Bind an SSL policy to a virtual server by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL virtual server.
  2. In Advanced Settings, select SSL Policy. Click in the SSL Policy section to bind a policy to the virtual server.
  3. In the Policy Binding page, select an existing policy or add a new policy.
  4. Specify the priority and type (bind point) for the policy.
  5. Select Bind.
  6. Select Done.