Configure DTLS VPN virtual server using SSL VPN virtual server

You can configure a DTLS VPN virtual server for NetScaler Gateway using the same IP address and port number as a configured SSL VPN virtual server. Configuring a DTLS VPN virtual server lets you bind the advanced DTLS ciphers and certificates to the DTLS traffic for enhanced security. From release 13.0 build 47.x, the DTLS 1.2 protocol is supported in addition to the previously supported DTLS 1.0 protocol.

Important:

  • By default, the DTLS functionality is set to ON for the existing SSL VPN virtual server. Disable the functionality for the server before creating the DTLS VPN virtual server.

  • SNI for DTLS gateway virtual server is supported in NetScaler Gateway release 13.0 build 64.x and later.

  • Starting from NetScaler release 13.0 build 79.x, the helloverifyrequest parameter is enabled by default. Enabling the helloverifyrequest parameter on the DTLS profile helps mitigate the risk of an attacker or bots overwhelming the network throughput, potentially leading to outbound bandwidth exhaustion. That is, it helps mitigate the DTLS DDoS amplification attack. For details about the helloverifyrequest parameter, see DTLS profile.

  • When handling UDP traffic, the NetScaler appliance memory consumption increases if the back-end servers push a lot of traffic. The appliance cannot push this traffic to the client because of the TCP MUX connection on the client side. In such cases, Citrix recommends that you use the DTLS protocol.
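
The following is an added example, not NetScaler code, that models why the helloverifyrequest parameter described above blunts DTLS amplification. It is a toy model of the RFC 6347 cookie exchange: a server that answers any bare ClientHello with its full ServerHello/Certificate flight sends kilobytes to an unverified (possibly spoofed) source address, while a cookie-first server answers with a small stateless HelloVerifyRequest and only does the expensive work once the client echoes the cookie from the address it claimed. The message sizes and the address values are constructed for illustration, not measured from an appliance.

```python
"""Toy model of the DTLS HelloVerifyRequest cookie exchange (RFC 6347 section 4.2.1).

Added example, not NetScaler code. Message sizes below are constructed,
illustrative numbers, not measured NetScaler values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CLIENT_HELLO_BYTES = 180          # a small ClientHello datagram
HELLO_VERIFY_REQUEST_BYTES = 60   # server version + cookie, no state kept
SERVER_FLIGHT_BYTES = 3000        # ServerHello + certificate chain + ServerKeyExchange


@dataclass
class ClientHello:
    src_ip: str          # source address the datagram claims to come from
    random: bytes        # 32-byte client random
    cookie: bytes = b""  # empty on the first ClientHello


@dataclass
class DtlsServer:
    hello_verify_request: bool
    # Stateless cookie: an HMAC secret, so no per-client memory is allocated
    cookie_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    bytes_sent: int = 0
    handshakes_started: int = 0

    def _cookie_for(self, hello: ClientHello) -> bytes:
        # Bind the cookie to the claimed source address and the client random,
        # so a cookie is only usable by a peer that can read replies at src_ip.
        msg = hello.src_ip.encode() + hello.random
        return hmac.new(self.cookie_secret, msg, hashlib.sha256).digest()[:16]

    def receive(self, hello: ClientHello) -> tuple[str, bytes]:
        """Process one ClientHello; return (reply message name, cookie handed out)."""
        if self.hello_verify_request:
            expected = self._cookie_for(hello)
            if not hmac.compare_digest(hello.cookie, expected):
                # Tiny reply, no state: a spoofed victim receives ~60 bytes, not ~3000.
                self.bytes_sent += HELLO_VERIFY_REQUEST_BYTES
                return "HelloVerifyRequest", expected
        # Cookies are off, or the client proved it receives traffic at src_ip.
        self.handshakes_started += 1
        self.bytes_sent += SERVER_FLIGHT_BYTES
        return "ServerHello", b""


def amplification_under_spoofing(server: DtlsServer, victim_ip: str, packets: int) -> float:
    """Bytes delivered to a spoofed address per byte sent towards the server.

    The sender never sees the replies, so it can never echo a valid cookie.
    """
    sent = 0
    for _ in range(packets):
        server.receive(ClientHello(src_ip=victim_ip, random=secrets.token_bytes(32)))
        sent += CLIENT_HELLO_BYTES
    return server.bytes_sent / sent


def legitimate_handshake(server: DtlsServer, client_ip: str) -> list[str]:
    """A genuine client echoes the cookie it received; returns the server's replies."""
    rnd = secrets.token_bytes(32)
    msg, cookie = server.receive(ClientHello(client_ip, rnd))
    replies = [msg]
    if msg == "HelloVerifyRequest":
        msg, _ = server.receive(ClientHello(client_ip, rnd, cookie))
        replies.append(msg)
    return replies


if __name__ == "__main__":
    for enabled in (False, True):
        srv = DtlsServer(hello_verify_request=enabled)
        factor = amplification_under_spoofing(srv, "198.51.100.7", 1000)
        print(f"helloverifyrequest={'ENABLED' if enabled else 'DISABLED'}: "
              f"amplification x{factor:.1f}, handshakes started {srv.handshakes_started}")
    print(legitimate_handshake(DtlsServer(hello_verify_request=True), "203.0.113.5"))
```

With the parameter disabled the model reflects about 3000 bytes for every 180 received and starts a handshake per datagram; with it enabled the reflected volume drops below the request size and no handshake state is created until a cookie comes back.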

Points to note

  • DTLS VPN virtual server on a NetScaler Gateway appliance can be configured from release 13.0 build 58.x.

  • Before you configure a DTLS VPN virtual server on a NetScaler Gateway appliance, you must have configured an SSL VPN virtual server on the appliance.

  • The DTLS VPN virtual server uses the IP address and the port number of the configured SSL VPN virtual server.

  • If the DTLS handshake fails, the connection falls back to TLS.

  • To use DTLS only, you can disable TLS by binding only the DTLS ciphers to the DTLS traffic.

  • DTLS multiplexing is not supported when TCP traffic is tunneled over VPN.

Configure a DTLS VPN virtual server by using the GUI

  1. On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers.
  2. On the NetScaler Gateway Virtual Servers page, select the existing SSL VPN virtual server and click Edit.
  3. On the VPN Virtual Server page, click the edit icon, clear the DTLS checkbox, and click OK.
  4. Navigate back to NetScaler Gateway > Virtual Servers and click Add.
  5. Under Basic Settings, enter the values for the following fields and click OK.

    • Name - A name for the DTLS VPN virtual server
    • Protocol - Select DTLS
    • IP Address - Enter the SSL VPN virtual server IP address
    • Port - Enter the SSL VPN virtual server port number
  6. On the NetScaler Gateway Virtual Servers page, select the virtual server that you added previously and click Edit.
  7. Under Certificates, click the arrow icon to select the required cert key.
  8. In the Server Certificate Binding > Select Server Certificate, select an existing SSL cert key or create one.
  9. Click Bind on the Server Certificate Binding page.

Note:

  • To use DTLS 1.2, click the edit icon under SSL Parameters and select the DTLS 1.2 checkbox.
  • Server name indication (SNI) is supported for VPN virtual server of type DTLS.

Configure a DTLS VPN virtual server by using the CLI

At the command prompt, type the following set of commands:

set vpn vserver <ssl vpnvserver name> -dtls off
add vpn vserver <dtls vpnvserver name> dtls <ssl vpn vserver IP> <ssl vpn vserver port>
bind ssl vserver <dtls vpnvserver name> -certkeyName <existing ssl cert key or newly created cert key>

DTLS 1.0 works without further configuration. To use DTLS 1.2, type the following command:

set ssl vserver <dtls vpnvserver name> -dtls12 ENABLED

Example

set vpn vserver vpnvserver -dtls off
add vpn vserver vpnvserver_dtls dtls 10.108.45.220 443
bind ssl vserver vpnvserver_dtls -certkeyName sslcertkey
set ssl vserver vpnvserver_dtls -dtls12 ENABLED

To enable SNI for the DTLS type VPN virtual server, type the following command:

set ssl vserver <dtls vpnvserver name> -SNIEnable ( ENABLED | DISABLED )
bind ssl vserver <dtls vpnvserver name> -certkeyName <existing ssl cert key or newly created cert key> -SNICert

Example

set ssl vserver _XD_10.106.40.225_443_DTLS -SNIEnable ENABLED
bind ssl vserver _XD_10.106.40.225_443_DTLS -certkeyName "Insight/*.insight.net.cer_CERT_" -SNICert
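
The following is an added example, not Citrix code, that audits a NetScaler-style configuration against the rules on this page: a DTLS VPN virtual server must reuse the IP address and port of an existing SSL VPN virtual server, that SSL VPN virtual server must have -dtls OFF, the DTLS virtual server must have a cert key bound, and (per the Limitations section) it must not use an IPv6 address. It parses the same `add`/`set`/`bind` command syntax shown in the CLI examples above; the configuration excerpt it reads is constructed for the example, and the names and addresses in it are assumptions.

```python
"""Audit NetScaler-style configuration lines for the DTLS VPN vserver rules on this page.

Added example, not Citrix code. The configuration excerpt below is constructed;
it follows the `add`/`set`/`bind` command layout used in the page's CLI examples.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample: one compliant pair, one pair with -dtls left ON and no cert
# key, and one pair on an IPv6 address.
SAMPLE_CONFIG = """\
add vpn vserver vpnvserver SSL 10.108.45.220 443
set vpn vserver vpnvserver -dtls OFF
add vpn vserver vpnvserver_dtls DTLS 10.108.45.220 443
bind ssl vserver vpnvserver_dtls -certkeyName sslcertkey
set ssl vserver vpnvserver_dtls -dtls12 ENABLED
add vpn vserver vpn_other SSL 10.108.45.221 443
add vpn vserver vpn_other_dtls DTLS 10.108.45.221 443
add vpn vserver vpn_v6 SSL 2001:db8::10 443
set vpn vserver vpn_v6 -dtls OFF
add vpn vserver vpn_v6_dtls DTLS 2001:db8::10 443
bind ssl vserver vpn_v6_dtls -certkeyName sslcertkey
"""


@dataclass
class VpnVserver:
    name: str
    protocol: str            # SSL or DTLS
    ip: str
    port: int
    dtls_on_ssl: bool = True  # the page: DTLS is ON by default on an SSL VPN vserver
    dtls12: bool = False
    certkeys: list = field(default_factory=list)


def parse_config(text: str) -> dict:
    """Build {vserver name: VpnVserver} from add/set/bind lines; unrelated lines are skipped."""
    servers: dict = {}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # shlex keeps quoted cert key names such as "a/*.b.cer" whole
        if len(tok) < 4 or tok[1:3] not in (["vpn", "vserver"], ["ssl", "vserver"]):
            continue
        verb, name = tok[0], tok[3]
        if verb == "add" and tok[1] == "vpn" and len(tok) >= 7:
            servers[name] = VpnVserver(name, tok[4].upper(), tok[5], int(tok[6]))
            continue
        vs = servers.get(name)
        if vs is None:
            continue
        # Collect "-option value" pairs; bare flags such as -SNICert have no value
        opts = {tok[i].lower(): tok[i + 1]
                for i in range(4, len(tok) - 1, 2) if tok[i].startswith("-")}
        if verb == "set":
            if "-dtls" in opts:
                vs.dtls_on_ssl = opts["-dtls"].upper() == "ON"
            if "-dtls12" in opts:
                vs.dtls12 = opts["-dtls12"].upper() == "ENABLED"
        elif verb == "bind" and "-certkeyname" in opts:
            vs.certkeys.append(opts["-certkeyname"])
    return servers


def audit(servers: dict) -> dict:
    """Return {dtls vserver name: [findings]}; an empty list means the rules hold."""
    ssl_by_endpoint = {(v.ip, v.port): v for v in servers.values() if v.protocol == "SSL"}
    report = {}
    for v in servers.values():
        if v.protocol != "DTLS":
            continue
        findings = []
        partner = ssl_by_endpoint.get((v.ip, v.port))
        if partner is None:
            findings.append("no SSL VPN vserver on the same IP and port")
        elif partner.dtls_on_ssl:
            findings.append(f"-dtls still ON for SSL vserver {partner.name}; set it OFF first")
        if not v.certkeys:
            findings.append("no certkey bound (bind ssl vserver ... -certkeyName)")
        try:
            if ipaddress.ip_address(v.ip).version == 6:
                findings.append("IPv6 address: not supported for a DTLS VPN vserver")
        except ValueError:
            pass  # wildcard or unparsable address: IPv6 check not applicable
        report[v.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_config(SAMPLE_CONFIG)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against a saved configuration (for example the output of `show running` piped to a file), the script flags a DTLS virtual server whose SSL partner still has DTLS enabled, one with no certificate bound, and one on an IPv6 address, which are the three misconfigurations the procedure above is most likely to leave behind.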

Supported DTLS VPN virtual server parameters

Only the following parameters are supported for the VPN virtual server of type DTLS.

  • Ipaddress
  • Port
  • State
  • Double hop
  • downstateflush
  • Comment
  • Appflowlog
  • Icmpvsrresponse

Unsupported DTLS VPN virtual server parameters

The following parameters are not supported for the VPN virtual server of type DTLS.

  • LinuxEPAPluginUpgrade
  • WindowsEPAPluginUpgrade
  • maxAAAUsers
  • icaProxySessionMigration
  • loginOnce
  • cginfraHomePageRedirect
  • logoutOnSmartcardRemoval
  • l2Conn
  • MacEPAPluginUpgrade
  • RHIstate
  • icaOnly
  • maxLoginAttempts
  • failedLoginTimeout
  • vserverFqdn
  • deviceCert
  • rdpServerProfileName
  • pcoipVserverProfileName
  • tcpProfileName
  • netProfile
  • authnProfile
  • Listenpriority
  • Listenpolicy
  • ipset
  • certkeyNames

Configure a DTLS virtual server using the XenApp and XenDesktop wizard

  1. Click XenApp and XenDesktop under Integrate with Citrix Products.

  2. On the XenApp and XenDesktop setup wizard, select StoreFront and click Continue.

  3. On the NetScaler Gateway Settings page, enable the Configure a DTLS Listener for this VPN VServer checkbox and click Continue.

    The DTLS Listener is now configured.

  4. In Server Certificate, click Choose File to select server certificate and click Continue.

  5. Specify the certificate file and Key file name and click Continue.

  6. Under the StoreFront section, provide the values for the required parameters and click Continue.

  7. Under the Authentication section, provide the values for the required parameters and click Test Connection.

    Ensure that the server is reachable, provide the Time out value and the Server Logon Name Attribute, and click Continue.

  8. Click Done to complete the configuration.

Limitations

  • DTLS 1.2 is supported on Windows clients only.
  • VPN virtual server with DTLS does not support IPv6 addresses.
  • SSL policy and SSL profile are not supported on a DTLS VPN virtual server. Also, the binding of VPN virtual server policy is not supported.
  • The NetScaler Gateway DTLS VPN virtual server does not support the following features. However, the NetScaler Gateway SSL VPN virtual server supports these features:
    • Unified Gateway with content switching virtual server
    • UDP MUX
    • UDP Video
    • UDP Audio
    • PCOIP
  • The stat vpn vserver command is not supported for a DTLS VPN virtual server, so its statistics cannot be retrieved that way.
  • HSM keys are not supported with the DTLS virtual server.
  • Cluster configuration is not supported.