Getting started with SSL forward proxy

Important:

  • OCSP check requires an internet connection to check the validity of certificates. If your appliance is not accessible from the internet by using the NSIP address, you must add access control lists (ACLs) to perform NAT from the NSIP address to the subnet IP (SNIP) address, which is accessible from the Internet. For example,

     add ns acl a1 ALLOW -srcIP = <NSIP> -destIP "!=" 10.0.0.0-10.255.255.255
    
     add rnat RNAT-1 a1 -natIP <SNIP>
    
     bind rnat RNAT-1 -natIP <SNIP>
    
     apply acls
    
  • You must specify a DNS name server to resolve domain names.
  • Make sure that the date on the appliance is synchronized with the NTP servers. If the date is not synchronized, the appliance cannot effectively verify whether an origin server certificate is an expired one.

To use the SSL forward proxy feature, you must perform the following tasks:

  • Add a proxy server in explicit or transparent mode.
  • Enable SSL interception.
    • Configure an SSL profile.
    • Add and bind SSL policies to the proxy server.
    • Add and bind a CA certificate-key pair for SSL interception.

Note:

An ADC appliance configured in transparent proxy mode can intercept only HTTP and HTTPS protocols. To bypass any other protocol, such as telnet, you must add the following listen policy on the proxy virtual server.

The virtual server now accepts only HTTP and HTTPS incoming traffic.

set cs vserver transparent-pxy1 PROXY * * -cltTimeout 180 -Listenpolicy "CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443)"`

You might need to configure the following features, depending on your deployment:

  • Authentication Service (recommended) – to authenticate users.  Without the Authentication Service, user activity is based on client IP address.
  • URL Filtering – to filter URLs on the basis of categories, reputation score, and URL lists.
  • Analytics – to view user activity, user risk indicators, bandwidth consumption, and transactions breakdown in Citrix Application Delivery Management (ADM).

SSL forward proxy wizard

The SSL forward proxy wizard provides administrators with a tool for managing the entire SSL forward proxy deployment by using a web browser. It helps guide the customers to bring up an SSL forward proxy service quickly and helps simplify the above configuration by following a sequence of well-defined steps.

  1. Navigate to Security > SSL Forward Proxy. In Getting Started, click SSL Forward Proxy Wizard.

    localized image

  2. Follow the steps in the wizard to configure your deployment.

Add a listen policy to the transparent proxy server

  1. Navigate to Security >SSL Forward Proxy > Proxy Virtual Servers. Select the transparent proxy server and click Edit.

  2. Edit Basic Settings, and click More.

  3. In Listen priority, enter 1.

  4. In Listen Policy Expression, enter the following expression:

    (CLIENT.TCP.DSTPORT.EQ(80)||CLIENT.TCP.DSTPORT.EQ(443))
    

    This expression assumes standard ports for HTTP and HTTPS traffic. If you have configured different ports, for example 8080 for HTTP or 8443 for HTTPS, modify the above expression to reflect those ports.

Limitations

SSL forward proxy is not supported in a cluster setup, in admin partitions, and on a Citrix ADC FIPS appliance.