Citrix Application Delivery Management service

SSL Insight

SSL Insight provides visibility into secure web transactions (HTTPS). It allows IT administrators to monitor all the secure web applications served by the Citrix ADC through integrated real-time and historic monitoring of secure web transactions. With this visibility, the administrator can assess the following:

  • Determine Configuration Change Impact on Customer Usage. The administrator can understand the impact on clients of making a configuration change such as turning off SSLv3 or removing a cipher like RC4-MD5. This can be done by assessing the historic transaction data on this protocol and cipher.
  • Quantify client performance. The administrator can understand the impact on Application Response Time based on the SSL ciphers/protocol used or the certificates negotiated.
  • Application Security. Assess if any of the applications have transactions running on low security protocols, ciphers, or weak key strength.
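
The change-impact and application-security assessments above, worked through on constructed records as an added example (not Citrix code): the record layout, the application names, and the weak-setting policy (SSLv3, RC4/MD5 ciphers, keys under 2048 bits) are assumptions. It goes one step beyond the text by separating clients never seen on a surviving protocol or cipher from clients that also negotiated one.

```python
from collections import defaultdict

# Constructed sample records; this field layout is an assumption for the
# example, not Citrix ADM's export format.
# (client_ip, application, protocol, cipher, key_bits)
RECORDS = [
    ("192.0.2.10", "shop-vs", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 2048),
    ("192.0.2.10", "shop-vs", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 2048),
    ("192.0.2.11", "shop-vs", "SSLv3", "RC4-MD5", 2048),
    ("192.0.2.12", "legacy-vs", "TLSv1", "RC4-MD5", 1024),
    ("192.0.2.12", "legacy-vs", "TLSv1.2", "AES128-SHA", 1024),
    ("192.0.2.13", "legacy-vs", "SSLv3", "DES-CBC3-SHA", 1024),
]

def change_impact(records, drop_protocols=(), drop_ciphers=()):
    """Which historic transactions would a planned removal have touched?"""
    affected = defaultdict(int)    # client -> transactions on a dropped setting
    unaffected = defaultdict(int)  # client -> transactions on settings that remain
    for client, _app, proto, cipher, _bits in records:
        if proto in drop_protocols or cipher in drop_ciphers:
            affected[client] += 1
        else:
            unaffected[client] += 1
    total = len(records)
    hit = sum(affected.values())
    return {
        "affected_share": hit / total if total else 0.0,
        # Never seen on a surviving protocol/cipher: likely to break.
        "at_risk": sorted(c for c in affected if c not in unaffected),
        # Also negotiated a surviving setting: likely able to fall back.
        "can_fall_back": sorted(c for c in affected if c in unaffected),
    }

def weak_transactions(records, weak_protocols=("SSLv3",),
                      weak_cipher_parts=("RC4", "MD5"), min_key_bits=2048):
    """Count transactions per application that violate the assumed policy."""
    counts = defaultdict(int)
    for _client, app, proto, cipher, bits in records:
        if (proto in weak_protocols or bits < min_key_bits
                or any(part in cipher for part in weak_cipher_parts)):
            counts[app] += 1
    return dict(counts)

if __name__ == "__main__":
    print(change_impact(RECORDS, drop_protocols={"SSLv3"}, drop_ciphers={"RC4-MD5"}))
    print(weak_transactions(RECORDS))
```

Historic data only shows what was negotiated, not everything a client supports, so the at-risk list is an upper bound on the clients that would actually fail.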

When SSL Analytics is enabled on an ADC instance, SSL statistics are recorded and logged for every SSL transaction. The statistics show the details of the SSL flow. Also, every successful connection is logged and displayed by Citrix ADM.

SSL Insight provides the following critical information, which is displayed by Citrix ADM Analytics:

  • SSL Protocol version negotiated
  • Cipher negotiated, and the cipher strength
  • Signature Hash algorithm of the certificate used
  • Certificate Type & Size
  • SSL Front end and Back end errors

Note

For successful SSL connections, SSL AppFlow logging happens at the end of every transaction.

Prerequisites

  • The Citrix ADC instance on which you intend to configure SSL Insight must be running Citrix ADC software release 11.1 51.21 and higher. Run the following commands on the ADC instance running 11.1 51.21 to enable Logstream as a transport type for SSL Insight.
  1. enable ns mode ulfd

  2. add ulfd server

    For ADC instances running version 12.0 and above, select Logstream as the transport type while enabling AppFlow from Citrix ADM.

  • The Citrix ADM version and build must be equal to or higher than the Citrix ADC version and build. For example, if you have installed Citrix ADM 11.1 build 61.7, then ensure you have installed Citrix ADC 11.1 build 60.14 or earlier.

Configure SSL Insight

SSL Insight Metrics are included in Web Insight reports if you enable the following elements:

  • Enable AppFlow for Web Insight on each ADC instance.
  • Enable ULFD mode on each ADC instance.
  • Enable required AppFlow parameters on each ADC instance.

Enable the insight

Note

You can enable the AppFlow feature either from Citrix ADM or from each ADC instance.

Enable the AppFlow feature from Citrix ADM

  1. Navigate to Infrastructure > Instances, and select the ADC instance on which you want to enable analytics.

  2. From the Select Action list, select Configure Analytics.

  3. On the Configure Analytics on Virtual Servers page:

    1. Select the virtual servers on which you want to enable Web Insight, and click Enable Analytics.

      The Enable Analytics window is displayed.

    2. Select Web Insight.

    3. Under Advanced Options, select Logstream or IPFIX as Transport Mode.

      Note

      For Citrix ADC 12.0 or earlier, IPFIX is the default option for Transport Mode. For Citrix ADC 12.0 or later, you can either select Logstream or IPFIX as Transport Mode.

      For more information about IPFIX and Logstream, see Logstream overview.

    4. The Expression is true by default.

    5. Click OK.


Note

You cannot enable data collection on a virtual server if the operational state of the virtual server is other than UP.

Enable the AppFlow feature by using the ADC GUI

In an ADC instance’s GUI, navigate to Configuration > System > Settings, click Configure Advanced Features, and select AppFlow.

Enable ULFD mode

After you enable ULFD mode on the ADC instances on which the virtual servers are configured, the ULFD server streams the analytics data from the ADC instances to Citrix ADM.

Enable SSL Insight parameters

On each ADC instance, you have to enable some HTTP parameters to display SSL Insight records in Citrix ADM.

Enable SSL Insight parameters from the ADC configuration utility

  1. Navigate to Configuration > System > AppFlow, and click Change AppFlow Settings.

  2. Select the following check boxes: HTTP Domain, HTTP Host, HTTP Method, HTTP URL, HTTP User-Agent, HTTP Content-Type.

  3. Click OK.


View the SSL Insight metrics

SSL Insight metrics in Citrix ADM provide a detailed view of the performance of the SSL transactions served by the ADC instances. You can view the SSL Insight metrics at the client, server, or application level, and the SSL success and failure transactions’ metrics. With the help of these metrics, you can analyze and optimize your ADC HTTPS settings and SSL-certificate settings, and track performance issues.

Note

When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. Citrix ADM analytics now supports virtual IP address based authorization. Your users can now see reports for all Insights for only the applications (virtual servers) that they are authorized to access. For more information on groups and assigning users to the group, see Configuring Groups on Citrix ADM.

Monitor SSL Insight metrics in Citrix ADM

As an administrator, you can view SSL metrics for:

  • An application. Navigate to Applications > Dashboard, click an application, and select the Web Insight tab to view the detailed metrics. For more information, see Application Usage Analytics.

  • All applications. Navigate to Applications > Web Insight and click the Applications and Clients tabs to view the SSL metrics.

Use case: Obtain an overview of the SSL transactions

The following use case describes how you can use SSL Insight to assess the usage of various SSL Parameters and improve security measures.

Consider that you have a set of applications that are using SSL transactions (HTTPS) for communication, and you have configured Citrix ADM to monitor the SSL components. You might need to frequently review the applications so that you can focus first on the applications that need the most attention. The Web Insight dashboard for an application or all applications provides a summary of the following SSL parameters under SSL Errors and SSL Usage:

  • SSL Certificates

  • SSL Protocols

  • SSL Cipher

  • SSL Key Strength

  • SSL Failure – Front end

  • SSL Failure – Back end


You can click each tab to view details.

Use case: SSL metrics for clients

You can see a list of clients (identified by their IP addresses) and the total occurrences per client. Navigate to Applications > Web Insight and select the Clients tab to view the details under SSL Usage.

Click a metric to view details and, under Clients, click any client IP address to view the SSL metrics for the selected client.
