Q. Which hardware platforms are supported for Citrix Secure Web Gateway (SWG)?

A. Citrix SWG is available is on the following hardware platforms:

  • Citrix SWG MPX 14020/14030/14040
  • Citrix SWG MPX 14020-40G/14040-40G
  • Citrix SWG MPX 14060-40S/14080-40S/14100-40S
  • Citrix SWG MPX 5901/5905/5910
  • Citrix SWG MPX/SDX 8905/8910/8920/8930
  • All Cavium N2 and N3 based SDX platforms

Q. What are the two capture modes that I can set when creating a proxy on the SWG appliance?

A. The SWG solution supports explicit and transparent proxy modes. In explicit proxy mode, the clients must specify an IP address and a port in their browsers, unless the organization pushes the setting onto the client’s device. This address is the IP address of a proxy server that is configured on the SWG appliance. Transparent proxy, as the name implies, is transparent to the client. The SWG appliance is configured in an inline deployment, and the appliance transparently accepts all HTTP and HTTPS traffic.

Q. Does Citrix SWG have a configuration wizard?

A. Yes. The wizard is located on the SWG node in the configuration utility.

Q. Which Citrix ADC features are used when configuring Citrix SWG?

A. Responder, AAA-TM, content switching, SSL, forward proxy, SSL interception, and URL filtering.

Q. What authentication methods are supported on Citrix SWG?

A. In the explicit proxy mode, LDAP, RADIUS, TACACS+, and NEGOTIATE authentication methods are supported. In transparent mode, only LDAP authentication is supported.

Q. Is it necessary to install the CA Certificate on the client device?

A. Yes. The Citrix SWG appliance emulates the origin server certificate. This server certificate must be signed by a trusted CA certificate, which must be installed on the clients’ devices so that the client can trust the regenerated server certificate.

Q. Can I use a Citrix ADC Platform license on the Citrix SWG platform?

A. No. The Citrix SWG platform requires its own platform license.

Q. Is HA supported for a Citrix Secure Web Gateway deployment?

A. Yes.

Q. Which file contains the logs for Citrix SWG?

A. The ns.log file records Citrix SWG information. You must enable logging by using the CLI or GUI. At the command prompt, type: set syslogparams -ssli Enabled.

In the GUI, navigate to System > Auditing. In Settings, click Change Auditing Syslog Settings. Select SSL Interception.

Q. Which nsconmsg commands can I use to troubleshoot issues?

A. You can use one or both of the following commands:

nsconmsg -d current -g ssli
nsconmsg -d current -g err

Q. If the certificate bundle is built-in, how do I get updates?

A. The latest bundle is included in the build. For updates, contact Citrix Support.

Q. Can data be captured on Citrix ADM from Citrix SWG?

A. Yes. You must enable Analytics in the Secure Web Gateway wizard.

Important: Ensure that you are using the same 12.0 build for MAS and SWG.

Q. What is URL Filtering Service?

A. URL Filtering is a web content filter that controls access to a list of restricted websites and web pages. The filter restricts user access to inappropriate content on the internet based on URL category, category groups, and reputation score. A network administrator can monitor the web traffic and block user access to highly risky websites. You can implement the feature by either using URL Categorization or URL List feature based on policy enforcement. For more information, see URL Filtering topic.

Q. How does URL Filtering fit into Citrix SWG?

A. URL Filtering leverages with Citrix SWG appliance to control access to specific websites. The SWG appliance at the edge of the network acts as a proxy to intercept the web traffic and perform actions such as authentication, inspection, caching, and redirection. The filter then controls access to websites using URL Categorization or URL List feature with policy enforcement.

Q. How often is the URL Categorization database updated?

A. If you are using URL Categorization feature to control access to restricted websites, you must periodically update the categorization database with the latest data from cloud-based vendor service. To update the database, the Citrix SWG GUI enables you to configure the URL filtering parameters such as Hours Between DB Updates” or “Time of Day to Update DB.

Q. What use-cases are a best fit for URL Filtering service today?

A. Following are some of the targeted use cases for enterprise customers:

Q. Is there a memory limit for caching in URL Categorization service?

A. Yes. The memory limit for caching is set as 10 GB and you can configure it through the CLI interface only.

Q. What does the URL Categorization database return if no category matches the incoming request?

A. If the incoming request does not match a category or if the URL is malformed, the appliance marks the URL as “Uncategorized” and sends the request to the cloud-based service maintained by the categorization vendor. The appliance continues to monitor the cloud query feedback and updates the cache so that future requests can benefit from the cloud lookup.

Q. What is a URL reputation score and how do you control access to malicious websites based on the reputation score?

A. A URL reputation score is a rating that Citrix SWG assigns to a website. The value can range from 1 to 4, where 4 is a malicious web site and 1 is a clean website. If a network administrator monitors a user accessing highly risky web sites, then access to such sites is controlled based on the URL reputation score and security level you have configured on the Citrix SWG appliance. For more information, see URL Reputation Score.

Q. If you filter websites using a URL Set but incorrectly filter a specific website, what is the process to enable exceptional websites?

A. URL Filtering uses a responder policy to control access to web sites. To whitelist a specific URL as an exception, in the SWG wizard, create a patset policy and add the exceptional URL with “allow” action. Once you create the policy, exit the wizard and do the following steps:

To change the priority of a policy expression by using the Citrix SWG GUI:

  1. Log on to the Citrix SWG appliance and navigate to Secure Web Gateway > Proxy Virtual Servers.
  2. In the details page, select a server and click Edit.
  3. In the Proxy Virtual Servers page, go to Policies section and click the pencil icon to edit the details.
  4. Select the patset policy and in Policy Binding page, specify the priority value lower than other bound policies.
  5. Click Bind and Done.

Q. What are the key benefits of using Citrix SWG URL Filtering feature?

A. URL Filtering feature is easy to deploy, configure, and use. It provides the following benefits and allows enterprise customers to:

  • Monitor web traffic and user transaction
  • Filter malware and Internet-borne security threats.
  • Control unauthorized access to malicious websites.
  • Enforce corporate security policies to control access to restricted data.

Q. If you are using a URL List feature to filter websites, how to edit a URL list policy?

A. You can modify a URL List policy through the Citrix SWG Wizard by overwriting or deleting the imported list bound to the responder policy.

Q. What does the metadata associated to a URL contain?

A. Each URL in the categorization database has a metadata associated to it. The metadata contains an URL category, category group, and reputation score information. For example, if the URL is a shopping portal, the metadata will be Shopping, Shopping/Retail, and 1 respectively.

Use the following expressions to get these values for the incoming URL. The expressions are given below:


Q. What type of license and subscription you need for URL Categorization feature?

A. URL Categorization feature requires an URL Threat Intelligence subscription service (available for one year or three years) with Citrix SWG edition.

Q. What are the ways I can configure URL Filtering?

A. There are two ways of configuring URL Filtering. You can either do it through the Citrix SWG command interface or through the Citrix SWG Wizard. Citrix recommends that you use the wizard to configure filtering policies.

Q. What are the types of URL categories that you can block?

A. The URL Categorization database contains millions of URLs with metadata. The administrator can configure a responder policy to decide which URL categories can be blocked and which URL categories can be allowed for user access. For information about the URL category mapping, see Mapping categories page.

Q. What must we do if we are unable to access Origin servers that use WebSocket, such as whatsapp

You must enable webSocket in the default HTTP profile.

At the CLI, type:

> set httpprofile nshttp_default_profile -webSocket ENABLED

What is ICAP?

ICAP stands for Internet Content Adaption Protocol.

Which version of Citrix SWG supports ICAP?

ICAP is supported in Citrix SWG release 12.0 build 57.x and later.

What are the two ICAP modes supported on Citrix SWG?

Request modification (REQMOD) mode and response modification (RESPMOD) mode are supported.

What is the default port for ICAP?