Citrix Gateway

Configure DTLS VPN virtual server using SSL VPN virtual server

You can configure a DTLS VPN virtual server for a Citrix ADC appliance using the same IP address and port number as a configured SSL VPN virtual server. Configuring a DTLS VPN virtual server lets you bind the advanced DTLS ciphers and certificates to the DTLS traffic for enhanced security. From release 13.0 build 47.x, the DTLS 1.2 protocol is supported in addition to the earlier supported DTLS 1.0 protocol.

Important:

  • By default, the DTLS functionality is set to ON for the existing SSL VPN virtual server. Disable the functionality for the server before creating the DTLS VPN virtual server.

  • SNI for DTLS gateway virtual server is supported in Citrix Gateway release 13.0 build 64.x and later.

  • Starting from Citrix ADC release 13.0 build 79.x, the helloverifyrequest parameter is enabled by default. Enabling the helloverifyrequest parameter on the DTLS profile helps mitigate the risk of an attacker or bots overwhelming the network throughput, potentially leading to outbound bandwidth exhaustion. That is, it helps mitigate the DTLS DDoS amplification attack. For details about the helloverifyrequest parameter, see DTLS profile.

  • When handling UDP traffic, the Citrix ADC appliance's memory consumption increases if the back-end servers push a lot of traffic. As a result, the Citrix ADC appliance cannot push this traffic to the client because of the TCP MUX connection on the client side. In such cases, Citrix recommends that you use the DTLS protocol.

Points to note

  • DTLS VPN virtual server on a Citrix ADC appliance can be configured from release 13.0 build 58.x.

  • Before you configure a DTLS VPN virtual server on a Citrix ADC appliance, you must have configured an SSL VPN virtual server on the appliance.

  • The DTLS VPN virtual server uses the IP address and the port number of the configured SSL VPN virtual server.

  • If the DTLS handshake fails, the connection falls back to TLS.

  • To use DTLS only, you can disable TLS by binding only the DTLS ciphers to the DTLS traffic.

  • DTLS multiplexing is not supported when TCP traffic is tunneled over VPN.

Configure DTLS VPN virtual server by using the GUI

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select the existing SSL VPN virtual server and click Edit.
  3. On the VPN Virtual Server page, click the edit icon, clear the DTLS check box, and click OK.

    [Screenshot: Clear the DTLS check box]

  4. Click the back arrow icon on the VPN Virtual Server page to navigate to the Citrix Gateway Virtual Servers page and click Add.

    [Screenshot: Virtual servers page]

  5. Under Basic Settings, enter values for the following fields and click OK.

    • Name - A name for the DTLS VPN virtual server
    • Protocol - Select DTLS from the drop-down list
    • IP Address - Enter the SSL VPN virtual server IP address
    • Port - Enter the SSL VPN virtual server port number

    [Screenshot: Add a virtual server]

  6. On the VPN Virtual Servers page, click the arrow under Certificates to select the required certificate key. You can use an existing SSL certificate key or create one. Click the radio button next to the desired certificate key and click Select.

    [Screenshot: Select a certificate key]

  7. Click Bind on the Server Certificate Binding page.

    [Screenshot: Bind a certificate key]

  8. To use DTLS 1.2, enable it: on the VPN Virtual Servers page, click the edit icon under SSL Parameters, select the DTLS 1.2 check box, and click OK.

    Note:

    • Server name indication (SNI) is supported for VPN virtual servers of type DTLS.

    [Screenshot: Enable DTLS 1.2]

    DTLS VPN virtual server configuration is now complete.

Configure DTLS VPN virtual server by using the CLI

At the command prompt, type the following sets of commands:

set vpn vserver <vpnvserver name> -dtls off
add vpn vserver <dtls vpnvserver name> dtls <ip address> <port>
bind ssl vserver <dtls vpnvserver name> -certkeyName <certkey name>

DTLS 1.0 works as usual. To use DTLS 1.2, type the following command:

set ssl vserver <dtls vpnvserver name> -dtls12 ENABLED

Example

set vpn vserver vpnvserver -dtls off
add vpn vserver vpnvserver_dtls dtls 10.108.45.220 443
bind ssl vserver vpnvserver_dtls -certkeyName sslcertkey
set ssl vserver vpnvserver_dtls -dtls12 ENABLED

To enable SNI for the DTLS type VPN virtual server, type the following commands:

set ssl vserver <dtls vpnvserver name> [-SNIEnable ( ENABLED | DISABLED )]
bind ssl vserver <dtls vpnvserver name> -certkeyName <certkey name> [-SNICert]

Example

set ssl vserver _XD_10.106.40.225_443_DTLS -sniEnable ENABLED
bind ssl vserver _XD_10.106.40.225_443_DTLS -certkeyName "Insight/*.insight.net.cer_CERT_" -SNICert

The following DTLS VPN virtual server parameters are supported:

  • Ipaddress
  • Port
  • State
  • Double hop
  • downstateflush
  • Comment
  • Appflowlog
  • Icmpvsrresponse
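As an added illustration (not part of the Citrix documentation or of any Citrix tool), the following Python script checks the prerequisites from this page against configuration lines written in the nsCLI syntax shown above: each DTLS VPN virtual server must share its IP address and port with an SSL VPN virtual server, that SSL virtual server must have DTLS turned off, and the DTLS virtual server must have a certificate key bound. The sample configuration is constructed; only the add, set and bind forms used on this page are recognised.

```python
import shlex
# Constructed sample of nsCLI lines in the syntax the page uses: vpnvserver_dtls is correctly
# paired with vpnvserver, while vpnvserver2_dtls is missing two of the prerequisites.
SAMPLE_CONFIG = """
add vpn vserver vpnvserver SSL 10.108.45.220 443
set vpn vserver vpnvserver -dtls OFF
add vpn vserver vpnvserver_dtls DTLS 10.108.45.220 443
bind ssl vserver vpnvserver_dtls -certkeyName sslcertkey
add vpn vserver vpnvserver2 SSL 10.108.45.221 443
add vpn vserver vpnvserver2_dtls DTLS 10.108.45.221 443
"""

def _opts(tokens):
    # ['-dtls', 'OFF', '-certkeyName', 'ck'] -> {'dtls': 'OFF', 'certkeyname': 'ck'}
    return {t[1:].lower(): tokens[i + 1]
            for i, t in enumerate(tokens) if t.startswith("-") and i + 1 < len(tokens)}

def parse_config(text):
    """Collect each VPN vserver's type, IP, port, DTLS flag and bound certkey."""
    vs = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[2] != "vserver" or tok[1] not in ("vpn", "ssl"):
            continue
        verb, kind, name, opts = tok[0], tok[1], tok[3], _opts(tok[4:])
        if verb == "add" and kind == "vpn" and len(tok) >= 7:
            # DTLS is ON by default on a newly added SSL VPN vserver, as the page states
            vs[name] = {"type": tok[4].upper(), "ip": tok[5], "port": tok[6],
                        "dtls": "ON", "certkey": None}
        if name in vs and "dtls" in opts:
            vs[name]["dtls"] = opts["dtls"].upper()
        if name in vs and verb == "bind" and kind == "ssl" and "certkeyname" in opts:
            vs[name]["certkey"] = opts["certkeyname"]
    return vs

def check_dtls_vservers(vs):
    """Return {dtls_vserver: [findings]}; an empty list means the prerequisites are met."""
    report = {}
    for name, d in vs.items():
        if d["type"] != "DTLS":
            continue
        twins = [n for n, s in vs.items()
                 if s["type"] == "SSL" and (s["ip"], s["port"]) == (d["ip"], d["port"])]
        issues = ["SSL VPN vserver %s still has -dtls ON" % t for t in twins if vs[t]["dtls"] != "OFF"]
        if not twins:
            issues.append("no SSL VPN vserver on %s:%s to share IP and port with" % (d["ip"], d["port"]))
        if d["certkey"] is None:
            issues.append("no certificate bound (bind ssl vserver ... -certkeyName)")
        report[name] = issues
    return report
```

Feed it the output of show ns runningConfig (the same add/set/bind syntax) to audit an appliance offline; an empty finding list for a DTLS virtual server means it is paired and bound as this page requires.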

Configure a DTLS virtual server using the XA/XD wizard

  1. In the XA/XD setup wizard, select StoreFront and click Continue.

    [Screenshot: XA/XD setup wizard]

  2. On the Citrix Gateway Settings page, select the Configure a DTLS Listener for this VPN VServer check box and click Continue.

    [Screenshot: Citrix Gateway Settings page]

  3. Notice that the DTLS Listener is now configured. Click Choose File to select the server certificate and click Continue.

    [Screenshot: Select server certificate]

  4. Specify the certificate file and key file name and click Continue.

    [Screenshot: Specify certificate file and key file name]

  5. Under the StoreFront section, provide the values for the required parameters and click Continue.

    [Screenshot: StoreFront section]

  6. Provide the values for the required parameters and click Test Connection.

    [Screenshot: Test Connection]

  7. Ensure that the server is reachable, provide the Time out value and the Server Logon Name Attribute, and click Continue.

    [Screenshot: Specify configuration values]

  8. Finally, click Done to complete the configuration.

    [Screenshot: Configuration complete]

Limitations

  • DTLS 1.2 is supported on Windows clients only.
  • SSL policies and SSL profiles are not supported on a DTLS VPN virtual server. Also, binding a VPN virtual server policy is not supported.
  • The following features are not supported for the DTLS VPN virtual server:
    • Unified Gateway with content switching virtual server
    • PCOIP
    • UDP MUX
    • Other UDP traffic
    • UDP audio
  • The stat vpn vserver command is not supported for the statistics of the DTLS VPN virtual server.
  • HSM keys are not supported with the DTLS virtual server.