SSL Offload

CNS 205-2I: Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Overview
After completing this module, you will be able to:
Identify requirements to secure communications with SSL certificates.
Create and upload an SSL certificate.
Bind an SSL certificate key.
Identify common virtual SSL server deployments.
Configure advanced SSL options.
Create appropriate servers and virtual servers.

2015 Citrix Systems

SSL
SSL is a protocol used to secure HTTP, TCP, and other types of traffic; it is the
industry-standard security technology for establishing encrypted links between a
web server and a browser.
SSL/TLS encrypts the data and relies on a certificate whose unique credentials
identify the certificate owner and allow the peer to authenticate that identity.


SSL Session Process


Features and Benefits


The NetScaler SSL implementation supports a full feature set and is interoperable
with all common SSL clients.


Offload Performance
The NetScaler system supports extremely high-performance SSL encryption and
session creation.
For example, the NetScaler MPX platforms support:
As many as 75 Gbps of bulk encryption
As many as 560,000 SSL handshakes every second (2048-bit keys)


Digital Certificates
Generating certificate requests and applying certificates can be a complex
process, depending on the CA that you use. Citrix recommends always using a
well-known CA such as Thawte, VeriSign, or Network Solutions. These CAs are
usually trusted by default on all Windows and Macintosh operating systems and
therefore require less administrative overhead.


SSL Administration
The certificate formats that NetScaler supports are PEM and DER. An SSL
certificate and key can be obtained for use on the NetScaler system using one of
the following methods:
Request certificate and key from a certificate authority (CA).
Use an existing SSL certificate and key.
Generate a new SSL certificate and key using the self-signing tools on the NetScaler system.


SSL Keys
Keys are generated in the following situations:
Before generating and submitting a certificate signing request to a certificate
authority
Before generating a self-signed certificate for testing purposes


Certificate Signing Request


Generate a CSR on the NetScaler system by specifying:
Key filename
Format
Encryption type

Command-line syntax (the key file is referenced by name, or by FIPS key name on FIPS appliances):
create ssl certReq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyForm (DER | PEM) {-PEMPassPhrase}] -countryName <string> -stateName <string> -organizationName <string> [-commonName <string>]


SSL Certificates
The NetScaler certificate tools can be used to generate the following certificate
types:
Root CA certificates
Intermediate certificates
Server certificates
Client certificates


Certificate Generation
Generate a certificate on the NetScaler system by specifying the certificate format,
certificate type, CA certificate file format, CA key file name, CA key file format, CA
key encryption, and CA serial number file.


Certificate Key Pairs


For SSL processing to occur, a certificate key entity must be bound to the virtual
server. A certificate key entity is an integral element of the SSL encryption and
decryption process, which is used during the SSL handshake to determine the
cipher that will be used for SSL processing and also to establish the identity of the
SSL server.


Certificate Updates
You may need to update or replace a certificate on the NetScaler system for a
variety of reasons:
The certificate has expired or is expiring soon
The default certificate needs to be replaced with a certificate from a trusted CA
The file name has changed, or the private key has changed or been compromised


SSL Offload Overview


Configuring SSL Offload


SSL Virtual Servers


An SSL virtual server:
Accepts encrypted traffic
Decrypts encrypted traffic
Sends the unencrypted data to the services that are bound to the virtual server
This process offloads SSL processing to the NetScaler system and allows the back-end servers to
process a greater number of requests
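The steps the preceding slides describe (generate a key and CSR, obtain or self-sign a certificate, create the certificate-key entity, build a front-end SSL / back-end HTTP virtual server, bind the certKey, later update it) as one NetScaler CLI session. This is an added example written for this page, not Citrix course material; the object names, IP addresses and file names are constructed placeholders.

```nscli
# Generate a 2048-bit RSA key and a CSR; files are written under /nsconfig/ssl/.
create ssl rsakey web.key 2048
create ssl certReq web.req -keyFile web.key -countryName US -stateName CA -organizationName "Example Corp" -commonName www.example.com

# Either submit web.req to a public CA and receive web.cert back, or (testing only)
# issue a self-signed certificate from the same key, valid for 365 days:
create ssl cert web.cert web.req ROOT_CERT -keyFile web.key -days 365

# Register the certificate and private key as a certKey entity.
add ssl certKey web-cert -cert web.cert -key web.key

# Front-end SSL with back-end HTTP: the virtual server terminates SSL,
# the bound services talk plain HTTP (constructed addresses).
add lb vserver web-ssl-vs SSL 10.0.0.10 443
add service web-svc1 10.0.1.11 HTTP 80
add service web-svc2 10.0.1.12 HTTP 80
bind lb vserver web-ssl-vs web-svc1
bind lb vserver web-ssl-vs web-svc2

# An SSL vserver stays DOWN until a certKey is bound; this enables SSL processing.
bind ssl vserver web-ssl-vs -certkeyName web-cert

# Advanced SSL option: do not offer SSLv3 on the front end.
set ssl vserver web-ssl-vs -ssl3 DISABLED

# Verify the vserver is UP and review the certificate (expiry is shown with the certKey).
show lb vserver web-ssl-vs
show ssl vserver web-ssl-vs
show ssl certKey web-cert

# Certificate update: swap the certificate-key pair in place, keeping all bindings.
update ssl certKey web-cert -cert web-new.cert -key web-new.key
save ns config
```

For a Front-end SSL with Back-end SSL deployment the services would be added with type SSL on port 443 instead of HTTP on port 80; the front-end configuration is unchanged.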


SSL Termination Points


To properly configure the NetScaler system, you must determine the SSL
termination points
SSL transactions may be terminated on one of the following devices:
Citrix NetScaler
Web server
NetScaler Gateway


Deployment Scenarios
The SSL requirements for a particular environment depend on how SSL will be
deployed
The following scenarios are the most common:
Front-end SSL with back-end HTTP
Front-end SSL with back-end SSL
Front-end TCP over SSL with back-end TCP


Front-end SSL with Back-end HTTP Requirements


Front-end SSL with Back-end SSL Requirements


Front-end SSL_TCP with Back-end TCP Requirements


SSL Bridge
The SSL_BRIDGE functionality allows all secure traffic to be bridged
transparently and directly to the back-end web server
The system does not terminate or offload this traffic
The web server must handle all SSL-related processing


SSL Bridge Requirements


Citrix Recommendations for SSL


Citrix recommendations for SSL include the following:
Offload SSL processing to an application delivery controller such as NetScaler
Be aware of which components in your infrastructure are processing SSL
Report on all certificate use and expiration dates
Document, measure, and report on SSL performance

