
SSL Interception

Jul 19, 2017

A NetScaler Secure Web Gateway (SWG) appliance configured for SSL interception acts as a proxy. It can intercept and decrypt SSL/TLS traffic to inspect the unencrypted request and enable a company to enforce compliance rules and security checks. SSL Interception uses a policy that specifies which traffic to intercept, block, or allow. For example, traffic to and from financial web sites, such as banks, must not be intercepted, but other traffic can be intercepted, and blacklisted sites can be identified and blocked. Citrix recommends that you configure one generic policy to intercept traffic and more specific policies to bypass some traffic.

The client and the NetScaler SWG proxy perform an HTTPS/TLS handshake. The SWG proxy performs another HTTPS/TLS handshake with the server and receives the server certificate. The proxy verifies the server certificate on behalf of the client, and also checks the validity of the server certificate by using Online Certificate Status Protocol (OCSP). It regenerates the server certificate, signs it by using the key of the CA certificate installed on the appliance, and presents it to the client. Therefore, one certificate is used between the client and the NetScaler appliance, and another certificate between the appliance and the back-end server.


The CA certificate that is used to sign the server certificate must be preinstalled on all the client devices, so that the regenerated server certificate is trusted by the client.

For intercepted HTTPS traffic, the SWG proxy server decrypts the outbound traffic, accesses the clear text HTTP request, and can use any NetScaler Layer 7 application to process the traffic, for example by inspecting the plain text URL and allowing or blocking access on the basis of the corporate policy and URL reputation. If the policy decision is to allow access to the origin server, the proxy server forwards the re-encrypted request to the destination service (on the origin server). The proxy decrypts the response from the origin server, accesses the clear text HTTP response, and optionally applies any policies to the response. The proxy then re-encrypts the response and forwards it to the client. If the policy decision is to block the request to the origin server, the proxy can send an error response, such as HTTP 403, to the client.
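The recommended layout of one generic intercept policy plus more specific bypass and block policies depends on evaluation order. The following added example is a simplified model, not Citrix code or NetScaler's policy engine, and it shows how a generic rule placed first shadows the specific ones. The host names, categories, policy names, priorities and first-match, lowest-number-first evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample data: lookups keyed by the host name the client requests.
CATEGORY = {"bank.example": "finance", "news.example": "news"}
BLACKLIST = {"malware.example"}
SAMPLES = ["bank.example", "malware.example", "news.example"]


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                 # assumption: lower number is evaluated first
    rule: Callable[[str], bool]   # predicate over the requested host name
    action: str                   # "BYPASS", "BLOCK" or "INTERCEPT"


def decide(policies: List[Policy], host: str) -> Tuple[str, str]:
    """Return (action, policy name) of the first matching policy in priority order."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.rule(host):
            return p.action, p.name
    return "NO_MATCH", ""         # model-only marker; not a real appliance action


def shadowed(policies: List[Policy], samples: List[str]) -> List[str]:
    """Policies that never win for any sample host: a sign of bad ordering."""
    winners = {decide(policies, s)[1] for s in samples}
    return sorted(p.name for p in policies if p.name not in winners)


def build(generic_priority: int) -> List[Policy]:
    """Specific bypass/block rules plus one catch-all intercept rule."""
    return [
        Policy("bypass_finance", 10, lambda h: CATEGORY.get(h) == "finance", "BYPASS"),
        Policy("block_blacklist", 20, lambda h: h in BLACKLIST, "BLOCK"),
        Policy("intercept_all", generic_priority, lambda h: True, "INTERCEPT"),
    ]


if __name__ == "__main__":
    for label, pols in (("generic last", build(100)), ("generic first", build(1))):
        print(label)
        for host in SAMPLES:
            print("  ", host, decide(pols, host))
        print("   shadowed:", shadowed(pols, SAMPLES))
```

With the generic rule evaluated first, the finance site is intercepted instead of bypassed and both specific policies are reported as shadowed, which is the misordering to check for when reviewing a policy set.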

To perform SSL interception, in addition to the proxy server configured earlier, you must configure the following on an SWG appliance:

  • SSL profile
  • SSL policy 
  • CA certificate store
  • SSL-error autolearning and caching