Use Case: Making Enterprise Internet Access Compliant and Secure

Jul 27, 2017

The director of network security in a financial organization wants to protect the enterprise network from external threats that arrive from the web in the form of malware. To do this, the director needs to gain visibility into encrypted traffic that would otherwise bypass inspection, and to control access to malicious websites. The director is required to do the following:

  • Intercept and examine all the traffic, including SSL/TLS (encrypted traffic), coming into and going out of the enterprise network.
  • Bypass interception of requests to websites containing sensitive information, such as user financial information or emails.
  • Block access to harmful URLs identified as serving harmful or adult content.
  • Identify end users (employees) in the enterprise who are accessing malicious websites and block internet access for these users or block the harmful URLs.

To achieve all of the above, the director can set up a proxy on all the devices in the organization and point it to the NetScaler Secure Web Gateway (SWG), which acts as a proxy server in the network. The proxy server intercepts all the encrypted and unencrypted traffic passing through the enterprise network. It prompts for user authentication, and associates the traffic with a user. URL categories can be specified to block access to Illegal/Harmful, Adult, and Malware and SPAM websites. 

To achieve the above, configure the following entities:

  • DNS name server to resolve host names.
  • Subnet IP (SNIP) address to establish a connection with the origin servers. The SNIP address should have internet access. 
  • Proxy server in explicit mode to intercept all outbound HTTP and HTTPS traffic.
  • SSL profile to define SSL settings, such as ciphers and parameters, for connections.
  • CA certificate-key pair to sign the server certificate for SSL interception. 
  • SSL policy to define the websites to intercept and to bypass.
  • Authentication virtual server, policy, and action to ensure that only valid users are granted access.
  • Appflow collector to send data to the NetScaler Management and Analytics System (MAS).

Both CLI and GUI procedures are listed for this sample configuration. The following sample values are used. Replace them with valid data for IP addresses, SSL certificate and key, and LDAP parameters.

Name                                   Values used in the sample configuration
NetScaler IP address                   192.0.2.5
Subnet IP address                      198.51.100.5
LDAP virtual server IP address         192.0.2.116
DNS name server IP address             203.0.113.2
Proxy server IP address                192.0.2.100
MAS IP address                         192.0.2.41
CA certificate for SSL interception    ns-swg-ca-certkey (certificate: ns_swg_ca.crt and key: ns_swg_ca.key)
LDAP base DN                           CN=Users,DC=CTXNSSFB,DC=COM
LDAP bind DN                           CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM
LDAP bind DN password                  zzzzz

Using the Secure Web Gateway Wizard to Configure Interception and Examination of the Traffic to and from the Enterprise Network

Creating a configuration for intercepting and examining encrypted traffic in addition to the other traffic to and from a network requires configuring proxy settings, SSLi settings, user authentication settings, and URL Filtering settings. The following procedures include examples of the values entered. 

To configure SNIP address and DNS name server

In a web browser, type: http://192.0.2.5 

In User Name and Password, type the administrator credentials. The following screen appears.

Click inside Subnet IP Address section, and enter an IP address.

Click Done.

Click inside Host Name, DNS IP Address, and Time Zone section, and enter values for these fields.

Click Done and then click Continue.

To configure the proxy settings

Navigate to Secure Web Gateway > Secure Web Gateway Wizard.

Click Get Started and then click Continue.

In the Proxy Settings dialog box, enter a name for the explicit proxy server.

For Capture Mode, select Explicit.

Enter an IP address and port number.

Click Continue.

To configure the SSL interception settings

Select Enable SSL Interception. 

In SSL Profile, click “+” to add a new front-end SSL profile and enable SSL Sessions Interception in this profile.

Click OK and then click Done.

In Select SSL interception CA Certificate-Key Pair, click “+” to install a CA certificate-key pair for SSL interception.

Click Install and then click Close.

Add a policy to intercept all the traffic. Click Bind and then click Add.

Enter a name for the policy and select Advanced. In the Expression editor, enter true.

For Action, select INTERCEPT.

Click Create and then click Add to add another policy to bypass sensitive information.

Enter a name for the policy and in URL Categories, click Add.

Select the Finance and Email categories and move them to the Configured list.

For Action, select BYPASS.

Click Create.

Select the two policies created earlier, and click Insert.

Click Continue.

To configure the user authentication settings

Select Enable user authentication. In the Authentication Type field, select LDAP.

Add LDAP server details.

Click Create.

Click Continue.

To configure URL Filtering settings

Select Enable URL Categorization, and then click Bind.

Click Add.

Enter a name for the policy. For Action, select Deny. For URL Categories, select Illegal/Harmful, Adult, and Malware and SPAM, and move them to the Configured list.

Click Create.

Select the policy and then click Insert.

Click Continue.

Click Continue.

Click Enable Analytics.

Enter the IP address of NetScaler MAS and for Port, specify 5557.

Click Continue.

Click Done.

Use NetScaler MAS to view key metrics for users and determine the following:

  • Browsing behavior of the users in your enterprise.
  • URL categories accessed by the users in your enterprise.
  • Browsers used to access the URLs or domains.

Use this information to determine whether a user's system is infected by malware, or to understand the user's bandwidth consumption pattern. You can fine-tune the policies on your NetScaler SWG appliance to restrict these users, or to block additional websites. For more information about viewing the metrics on MAS, see the "Inspecting Endpoints" use case in MAS Use Cases.

Note

Set the following parameters by using the NetScaler command line.

At the command prompt, type:

    set syslogparams -sslInterception ENABLED
    set cacheparameter -memLimit 100
    set appflow param -AAAUserName ENABLED

CLI Example

The following example includes all the commands used to configure interception and examination of the traffic to and from the enterprise network.

General configuration

    add ns ip 192.0.2.5 255.255.255.0
    add ns ip 198.51.100.5 255.255.255.0 -type SNIP
    add dns nameServer 203.0.113.2
    add ssl certKey ns-swg-ca-certkey -cert ns_swg_ca.crt -key ns_swg_ca.key
    set syslogparams -sslInterception ENABLED
    set cacheparameter -memLimit 100
    set appflow param -AAAUserName ENABLED

Authentication configuration

    add authentication vserver explicit-auth-vs SSL
    bind ssl vserver explicit-auth-vs -certkeyName ns-swg-ca-certkey
    add authentication ldapAction swg-auth-action-explicit -serverIP 192.0.2.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword zzzzzz -ldapLoginName sAMAccountName
    add authentication policy swg-auth-policy -rule true -action swg-auth-action-explicit
    bind authentication vserver explicit-auth-vs -policy swg-auth-policy -priority 1

Proxy server and SSL interception configuration

    add cs vserver explicitswg PROXY 192.0.2.100 80 -Authn401 ENABLED -authnVsName explicit-auth-vs
    set ssl parameter -defaultProfile ENABLED
    add ssl profile swg_profile -sslInterception ENABLED
    bind ssl profile swg_profile -ssliCACertkey ns-swg-ca-certkey
    set ssl vserver explicitswg -sslProfile swg_profile
    add ssl policy ssli-pol_ssli -rule true -action INTERCEPT
    bind ssl vserver explicitswg -policyName ssli-pol_ssli -priority 100 -type INTERCEPT_REQ

URL categories configuration

    add ssl policy cat_pol1_ssli -rule "client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP.EQ(\"Finance\") || client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP.EQ(\"Email\")" -action BYPASS
    bind ssl vserver explicitswg -policyName cat_pol1_ssli -priority 10 -type INTERCEPT_REQ
    add ssl policy cat_pol2_ssli -rule "client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP.EQ(\"Adult\") || client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP.EQ(\"Malware and SPAM\") || client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP.EQ(\"Illegal/Harmful\")" -action RESET
    bind ssl vserver explicitswg -policyName cat_pol2_ssli -priority 20 -type INTERCEPT_REQ
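The priorities above (bypass at 10, reset at 20, catch-all intercept at 100) decide whether financial and email traffic stays encrypted end to end. The following added Python model, which is not NetScaler code, shows how the three bindings resolve for a given SNI; it assumes first-match-wins evaluation in ascending priority order, which is the order the sample relies on, and uses a constructed category table in place of the appliance's URL categorization database.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed stand-in for the appliance's URL categorization database
# (what client.ssl.client_hello.SNI.URL_CATEGORIZE(0,0).GROUP would return).
SAMPLE_CATEGORIES = {
    "bank.example": "Finance",
    "mail.example": "Email",
    "bad.example": "Malware and SPAM",
    "news.example": "News",
}

@dataclass
class SslPolicy:
    name: str
    priority: int                 # lower number is evaluated first
    rule: Callable[[str], bool]   # evaluated against the ClientHello SNI
    action: str                   # INTERCEPT, BYPASS or RESET

def category_of(sni: str) -> str:
    return SAMPLE_CATEGORIES.get(sni.lower(), "Uncategorized")

def group_in(*groups: str) -> Callable[[str], bool]:
    """Build a rule equivalent to GROUP.EQ("a") || GROUP.EQ("b") ..."""
    return lambda sni: category_of(sni) in groups

# The three bindings from the CLI example, with the priorities the page uses.
SAMPLE_BINDINGS = [
    SslPolicy("ssli-pol_ssli", 100, lambda sni: True, "INTERCEPT"),
    SslPolicy("cat_pol1_ssli", 10, group_in("Finance", "Email"), "BYPASS"),
    SslPolicy("cat_pol2_ssli", 20,
              group_in("Adult", "Malware and SPAM", "Illegal/Harmful"), "RESET"),
]

def evaluate(sni: str, bindings: List[SslPolicy]) -> Optional[str]:
    """Action of the first policy whose rule matches, lowest priority number first
    (assumed first-match-wins semantics)."""
    for pol in sorted(bindings, key=lambda p: p.priority):
        if pol.rule(sni):
            return pol.action
    return None  # nothing matched; the appliance would apply its default handling

if __name__ == "__main__":
    for host in SAMPLE_CATEGORIES:
        print(f"{host:14} {category_of(host):18} -> {evaluate(host, SAMPLE_BINDINGS)}")
```

Binding the catch-all intercept policy with a lower priority number than the bypass policy would shadow the bypass, so finance and email sessions would be decrypted.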

AppFlow configuration to pull data into NetScaler MAS

    add appflow collector _swg_testswg_apfw_cl -IPAddress 192.0.2.41 -port 5557 -Transport logstream
    set appflow param -templateRefresh 60 -httpUrl ENABLED -AAAUserName ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpVia ENABLED -httpLocation ENABLED -httpDomain ENABLED -cacheInsight ENABLED -urlCategory ENABLED
    add appflow action _swg_testswg_apfw_act -collectors _swg_testswg_apfw_cl -distributionAlgorithm ENABLED
    add appflow policy _swg_testswg_apfw_pol true _swg_testswg_apfw_act
    bind cs vserver explicitswg -policyName _swg_testswg_apfw_pol -priority 1