Authentication, authorization, and auditing application traffic

Configure DTLS VPN virtual server using SSL VPN virtual server

You can configure a DTLS VPN virtual server on a Citrix ADC appliance using the same IP address and port number as an already configured SSL VPN virtual server. A separate DTLS VPN virtual server lets you bind advanced DTLS ciphers and certificates to the DTLS traffic for stronger security. The DTLS 1.2 protocol is supported in addition to the previously supported DTLS 1.0 protocol.

Note: By default, the DTLS functionality is set to ON for the existing SSL VPN virtual server. You must disable the functionality for the server before creating the DTLS VPN virtual server.

Points to note

  • Before you configure a DTLS VPN virtual server on a Citrix ADC appliance, you must have configured an SSL VPN virtual server on the appliance.

  • The DTLS VPN virtual server uses the IP address and the port number of the configured SSL VPN virtual server.

  • SSL policies and SSL profiles are not supported on a DTLS VPN virtual server. Binding a VPN virtual server policy is also not supported.

  • The following features are not supported for a DTLS VPN virtual server:
    • Unified Gateway with CS virtual server
    • UDP MUX
    • UDP Audio
    • PCOIP
  • The following features are not supported for the DTLS 1.2 protocol:
    • ICA Proxy
      • EDT
      • DTLS
      • Framehawk
      • UDP Audio
    • HDX Insight
    • Gateway Insight
  • The following statistics command is not supported for a DTLS VPN virtual server: stat vpn vserver

Configure DTLS VPN virtual server

To configure a DTLS VPN virtual server by using the Citrix ADC GUI

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select the existing SSL VPN virtual server and click Edit.
  3. On the VPN Virtual Server page, click the edit icon, clear the DTLS checkbox, and click OK.

  4. Click the back arrow icon on the VPN Virtual Server page to return to the Citrix Gateway Virtual Servers page, and click Add.

  5. Under Basic Settings, enter the values for the following fields, and then click OK:
    • Name: a name for the DTLS VPN virtual server
    • Protocol: select DTLS from the drop-down list
    • IPAddress: the IP address of the SSL VPN virtual server
    • Port: the port number of the SSL VPN virtual server

  6. On the VPN Virtual Server page, click the arrow under Certificates to select the required certificate key. You can use an existing SSL certificate key or create a new one. Click the radio button next to the desired certificate key and click Select.

  7. Click Bind on the Server Certificate Binding page.

  8. To use DTLS 1.2, enable it explicitly: on the VPN Virtual Server page, click the edit icon under SSL Parameters, select the DTLS 1.2 checkbox, and click OK.

The DTLS VPN virtual server configuration is now complete.

To configure a DTLS VPN virtual server by using the command line interface, at the command prompt, type the following sets of commands:

set vpn vserver <ssl vpnvserver name> -dtls off
add vpn vserver <dtls vpnvserver name> dtls <ssl vpn vserver IP> <ssl vpn vserver port>
bind ssl vserver <dtls vpnvserver name> -certkeyName <existing ssl cert key or newly created cert key>

DTLS 1.0 works without further configuration. To use DTLS 1.2, type the following command:

set ssl vserver <dtls vpnvserver name> -dtls12 ENABLED

Example

set vpn vserver vpnvserver -dtls off
add vpn vserver vpnvserver_dtls dtls 10.108.45.220 443
bind ssl vserver vpnvserver_dtls -certkeyName sslcertkey
set ssl vserver vpnvserver_dtls -dtls12 ENABLED
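The same four-step sequence expressed as an ordered plan of NITRO REST calls, as an added example that is not part of the Citrix documentation. It derives the DTLS listener's IP and port from the SSL VPN virtual server object so the two cannot drift apart, only emits the "dtls OFF" step when the SSL virtual server still has DTLS on, and treats DTLS 1.2 as an explicit opt-in; the NITRO resource and field names (vpnvserver, sslvserver, sslvserver_sslcertkey_binding, ipv46, dtls, dtls12) and the sample SSL_VSERVER object are assumptions.

```python
"""Mirror the CLI sequence on this page (disable DTLS on the SSL VPN vserver,
add a DTLS VPN vserver on the same IP:port, bind the cert key, optionally
enable DTLS 1.2) as an ordered plan of NITRO REST calls."""
import json
import urllib.request

NITRO_BASE = "/nitro/v1/config"   # NITRO configuration endpoint prefix

# Constructed sample of what GET /nitro/v1/config/vpnvserver/<name> returns
# (field names assumed from the NITRO vpnvserver resource).
SSL_VSERVER = {"name": "vpnvserver", "servicetype": "SSL",
               "ipv46": "10.108.45.220", "port": 443, "dtls": "ON"}


def plan_dtls_vserver(ssl_vs, dtls_name, certkey, dtls12=False):
    """Return [(method, resource, payload), ...] in the order they must run.
    Raises ValueError when the inputs violate the page's preconditions."""
    if ssl_vs.get("servicetype") != "SSL":
        raise ValueError("base vserver must be an SSL VPN virtual server")
    if dtls_name == ssl_vs["name"]:
        raise ValueError("DTLS vserver needs a name distinct from the SSL vserver")
    steps = []
    if ssl_vs.get("dtls", "ON") == "ON":      # ON by default: must be OFF first
        steps.append(("PUT", "vpnvserver",
                      {"vpnvserver": {"name": ssl_vs["name"], "dtls": "OFF"}}))
    # The DTLS vserver reuses the SSL vserver's listener IP and port.
    steps.append(("POST", "vpnvserver",
                  {"vpnvserver": {"name": dtls_name, "servicetype": "DTLS",
                                  "ipv46": ssl_vs["ipv46"], "port": ssl_vs["port"]}}))
    steps.append(("POST", "sslvserver_sslcertkey_binding",
                  {"sslvserver_sslcertkey_binding": {"vservername": dtls_name,
                                                     "certkeyname": certkey}}))
    if dtls12:  # DTLS 1.0 works without this; 1.2 is an explicit opt-in
        steps.append(("PUT", "sslvserver",
                      {"sslvserver": {"vservername": dtls_name, "dtls12": "ENABLED"}}))
    return steps


def apply_plan(nsip, user, password, steps):
    """Send each planned call to the appliance NSIP over HTTPS."""
    for method, resource, payload in steps:
        req = urllib.request.Request(
            f"https://{nsip}{NITRO_BASE}/{resource}", method=method,
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json",
                     "X-NITRO-USER": user, "X-NITRO-PASS": password})
        with urllib.request.urlopen(req) as resp:   # raises HTTPError on failure
            resp.read()


if __name__ == "__main__":
    for step in plan_dtls_vserver(SSL_VSERVER, "vpnvserver_dtls", "sslcertkey", True):
        print(step[0], step[1], json.dumps(step[2]))
```

Running the module prints the plan without touching an appliance; pass the list to apply_plan with the NSIP and credentials to execute it.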

The DTLS VPN virtual server supports the following parameters:

  • Ipaddress
  • Port
  • State
  • Double hop
  • downstateflush
  • Comment
  • Appflowlog
  • Icmpvsrresponse

To configure a DTLS VPN virtual server by using the XA/XD wizard

  1. On the XA/XD setup wizard, select StoreFront and click Continue.

  2. On the Citrix Gateway Settings page, select the Configure a DTLS Listener for this VPN VServer checkbox and click Continue.

  3. Notice that the DTLS Listener is now configured. Click Choose File to select the server certificate and click Continue.

  4. Specify the certificate file name and the key file name and click Continue.

  5. Under the StoreFront section, provide the values for the required parameters and click Continue.

  6. Provide the values for the required authentication parameters and click Test Connection.

  7. Ensure that the server is reachable, provide the Time out value and the Server Logon Name Attribute, and click Continue.

  8. Finally, click Done to complete the configuration.