PoC Guide: Protecting Gateway Virtual Servers with WAF, Bot, and Advanced Authentication Policies

Overview

Many Citrix ADC appliances host VPN and Citrix Gateway deployments that also provide security protections to other web applications. This PoC guide is designed to help protect VPN and Gateway virtual servers using tools already available on the Citrix ADC appliance. This guide covers protecting the portal login page with Bot security and protecting the credential form submission with WAF capabilities. Also, advanced authentication policies add context to user logons and enable multifactor authentication.

The flow of this configuration is diagrammed as follows:

Config Flow

Configuration Options

This guide doesn’t provide an exhaustive list of protections, nor is it the only way to configure them. For example, deploying both IP Reputation and rate limiting through a responder policy on a Gateway virtual server is common and is a supported method of deployment. Its outcome is different, though: connections are dropped or reset before the gateway login page is rendered.

Also, the WAF profile doesn’t have every protection enabled, to avoid complex configuration, custom tuning, and potential issues. Further configuration of the WAF profile is possible; see the links in the references section for guidance.

Note:

CAPTCHA isn’t the most secure option for an extra factor; it’s used here only for simplicity of explanation. Other MFA options such as TOTP or PUSH are better choices - see the references section for links to help in deploying them.

Prerequisites

This guide assumes a working knowledge of Citrix WAF deployment, Bot Security deployment, and Advanced Authentication Policies (nFactor). It also assumes that a Gateway or authentication virtual server is already installed and configured. The following are requirements for the configuration:

  • Advanced Authentication Policies require release 12.1 build 57.18 or later
  • Web Application Firewall protections require release 12.1 build 57.18 or later
  • Bot Security protections require release 13.0 build 71.40 or later
  • Most of the features in this guide require a premium license
  • An existing server or service listening on port 80
  • An existing Gateway or authentication virtual server, with an existing advanced authentication configuration (advanced authentication or nFactor flow)
  • Enable the following features: Citrix Web App Firewall, Citrix Bot Management, and Reputation

Bot Protection

Bot Signatures

From Security > Citrix Bot Management > Signatures, select the Default Bot Signatures and click the Clone button. Apply a descriptive name, then click Create.

Bot Profile Signatures

Create a Bot Management Profile and Policy

From Security > Citrix Bot Management > Profiles, select Add to create a new Bot Management Profile. Give the profile a descriptive name and select the previously created signature set.

Bot Profile

Select the profile to edit the advanced settings.

Add IP Reputation from the right column and check the box to enable it.

Bot Profile IP Reputation

Next, choose ‘Add’ under categories, select IP for the Type, check the box for Enabled and set the action to Drop. Last, check the box for ‘Log’ and set the log message to something descriptive.

Bot Profile IP Reputation 2

Bot Profile IP Reputation 3

Select Device Fingerprint from the right column, ensure that the ‘Enabled’ check box is NOT checked and click Update.

Bot Profile Device Fingerprint

The last setting for the Bot Profile is rate limiting. Select Rate Limit from the right column and check the box for Enabled. Click ‘Add’ under Configure Resources, and add three URL type rate limit bindings for the following URLs:

  • /logon/LogonPoint/index.html
  • /logon/LogonPoint/tmindex.html
  • /vpn/index.html

Configure the rate limits as follows:

  • Enabled
  • Rate of 5
  • Period of 1000
  • Action of Drop
  • Log set to enabled
  • Log Message with a descriptive message title.

Bot Profile Rate Limit

The Bot Profile is now configured as follows:

Bot Profile Final

Create a Bot Management Policy by going to Security > Citrix Bot Management > Bot Policies and choosing Add. Select the previously created Bot Profile, with an expression as follows:


HTTP.REQ.URL.CONTAINS("/vpn")||HTTP.REQ.URL.CONTAINS("/logon")

Finally, bind the bot policy by selecting ‘Policy Manager’. Select a Bind Point of ‘Default Global’, then select ‘Click to select’ to choose the policy. Highlight the previously created policy and choose ‘Select’. Select ‘Bind’, then ‘Done’.

Bot Policy Bind

WAF Protection

It isn’t possible to bind a WAF policy directly to a Gateway or authentication virtual server. Also, binding a WAF policy globally with an expression that targets Gateway or authentication virtual servers won’t function as expected. The policy processing order causes this: WAF policies are processed after Gateway and authentication policies, so the logon request has already been handled by the time the WAF policy would be evaluated. The following image clarifies the traffic flow.

Traffic Flow

The WAF protection policy uses an HTTP Callout to protect the logon page and invalidate the authentication flow if a WAF exception is caught. This configuration requires a pattern set (Patset) that includes the login URLs, a dummy service and load balancing virtual server, an HTTP callout, and the WAF policy and configuration.

Pattern Set

Navigate to AppExpert > Pattern Sets and select ‘Add’. Give the new Pattern Set a name, then select ‘Insert’ and add the following patterns:

  • /cgi/login (index 1)
  • /nf/auth/doAuthentication.do (index 2)

Pattern Set

Alternatively, create the pattern set from the CLI:


add policy patset GW_VPN_Patset
bind policy patset GW_VPN_Patset "/cgi/login" -index 1
bind policy patset GW_VPN_Patset "/nf/auth/doAuthentication.do" -index 2

Dummy Virtual Server and Service

The HTTP Callout uses a dummy virtual server. This virtual server doesn’t need to be publicly available, so it can be non-addressable. The virtual server DOES need to be up, which means the back end server must be up and responding on port 80. A new service and virtual server are created in this guide, but a pre-existing virtual server can be used.

Go to Traffic Management > Load Balancing > Services and select ‘Add’. Give the service a descriptive name, set the protocol to HTTP and port to 80. Enter the IP address of the server and choose OK. Alternatively, create the service with an existing server. Use all default settings, including monitors bound to the service.

Load Balancing Service

Next create the load balancing virtual server by going to Traffic Management > Load Balancing > Virtual Servers and select ‘Add’. Give the server a descriptive name, set the protocol to HTTP, and set the IP address type to Non Addressable. Bind the previously created service to this virtual server by selecting ‘No Load Balancing Virtual Server Service Binding’ then ‘Click to select’ and selecting the service. There is now 1 service bound to the virtual server and the state is ‘UP’.

Load Balancing Virtual Server

HTTP Callout

Navigate to AppExpert > HTTP Callouts and select ‘Add’. Give the HTTP Callout a descriptive name, select ‘Virtual Server’ to receive the callout request, and select the dummy virtual server. In the Request to send to the server, select the type as Expression-Based, set the scheme to ‘HTTP’ and set the Full Expression to the following:


HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)

Note:

The name of the header here is ‘GW_VPN-WAF_Callout’; the application firewall policy expression uses it later. If the name is changed here, change the WAF policy expression as well.

In the Server Response section, set the return type to BOOL and set the expression to ‘true’.

HTTP Callout

Alternatively, create the HTTP Callout from the CLI. The expression contains double quotes, so it is wrapped in the CLI’s q{...} delimiters; replace dummy-vserver-here with the name of the dummy virtual server:


add policy httpCallout GW_VPN_WAF_Callout -vServer dummy-vserver-here -returnType BOOL -fullReqExpr q{HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)} -scheme http -resultExpr true

Authentication Policy

Modify an existing LDAP authentication policy to use the HTTP Callout. Open the existing authentication policy by going to Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > Policy, select the existing policy and choose ‘Edit’. Modify the existing expression to the following:


HTTP.REQ.URL.CONTAINS_ANY("GW_VPN_Patset") && SYS.HTTP_CALLOUT(GW_VPN_WAF_Callout)

Authentication Policy WAF Binding

Note:

Use this expression with any authentication policy where you want to protect the form fields on the logon page.

WAF Profile and Policy

To build the WAF profile go to Security > Citrix Web Application Firewall > Profiles and choose ‘Add’. Give the profile a descriptive name and select Web Application (HTML) and Basic Defaults. Open the newly created profile by choosing ‘Edit’ then select ‘Security Checks’ from the right hand column.

Enable the following security checks (disable all other settings):

  • Buffer Overflow - Log, Stats
  • Post Body Limit - Block, Log, Stats
  • HTML Cross-Site Scripting - Block, Log, Stats
  • HTML SQL Injection - Block, Log, Stats

WAF Security Checks

Next select ‘Profile Settings’ from the right hand column and set the Default Response to:


application/octet-stream

Then check the box for Log Every Policy Hit.

WAF Profile Settings

Next, configure the WAF policy by going to Security > Citrix Web Application Firewall > Policies > Firewall and choose ‘Add’. Give the policy a descriptive name and select the profile created in the previous step. For the expression, enter the following:


HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS

Note:

The name of the header here must match the header in the HTTP Callout created earlier.
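The following Python model is an added example, not part of the guide or of the Citrix ADC code base. It reproduces what the HTTP Callout’s Full Expression builds from a logon POST and what the dummy virtual server’s WAF policy expression then sees, so the two header names can be checked against each other. The patset URLs, header name, and the 2048-byte body limit are those used in the guide; the sample request is constructed here.

```python
# Added example (not from the guide): models the HTTP Callout request and the
# WAF policy match on the dummy virtual server.

CALLOUT_HEADER = "GW_VPN-WAF_Callout"   # must match the WAF policy expression
BODY_LIMIT = 2048                        # HTTP.REQ.BODY(2048) in the callout
GW_VPN_PATSET = ["/cgi/login", "/nf/auth/doAuthentication.do"]


def url_matches_patset(url: str) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY("GW_VPN_Patset"): substring match on any pattern."""
    return any(pattern in url for pattern in GW_VPN_PATSET)


def build_callout_request(raw_request: bytes) -> bytes:
    """Reproduce the callout's Full Expression:
    FULL_HEADER.BEFORE_STR("\\r\\n\\r\\n") + "\\r\\n<header>:abc\\r\\n\\r\\n" + BODY(2048).
    The original request line and headers (including Content-Length) are carried
    over unchanged; only the first 2048 bytes of the body are sent to the dummy
    virtual server, so anything beyond that is never inspected by the WAF."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    marker = b"\r\n" + CALLOUT_HEADER.encode() + b":abc\r\n\r\n"
    return head + marker + body[:BODY_LIMIT]


def waf_policy_matches(raw_request: bytes) -> bool:
    """HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS, as evaluated on the dummy vserver.
    Header names compare case-insensitively, as in HTTP."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, _ = line.partition(b":")
        if name.strip().lower() == CALLOUT_HEADER.lower().encode():
            return True
    return False


def login_post(url: str, body: bytes) -> bytes:
    """Constructed sample credential submission (not captured traffic)."""
    return (f"POST {url} HTTP/1.1\r\nHost: gateway.example.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body
```

The original logon request never matches the WAF policy, only the callout copy does, which is why the WAF policy can be bound to the dummy virtual server alone.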

Last, bind the WAF policy to the dummy load balancing virtual server created earlier by going to Traffic Management > Load Balancing > Virtual Servers. Select the virtual server then choose ‘Edit’.

From the right hand column, select ‘Policies’ then click the ‘+’ plus to add a policy. Select policy App Firewall and type Request. Select the policy created previously then select ‘Bind’ and ‘Done’.

WAF Policy Binding

Alternatively, create the WAF configuration using the CLI as follows (the profile is created with basic defaults, which already enable the HTML Cross-Site Scripting, HTML SQL Injection, and Post Body Limit checks; replace dummy-vserver-here with the name of the dummy virtual server):


add appfw profile demo_appfw_profile -defaults basic -type HTML -startURLAction none -denyURLAction none -fieldFormatAction none -bufferOverflowAction log stats -responseContentType "application/octet-stream" -logEveryPolicyHit ON -fileUploadTypesAction none

add appfw policy demo_appfw_policy "HTTP.REQ.HEADER(\"GW_VPN-WAF_Callout\").EXISTS" demo_appfw_profile

bind lb vserver dummy-vserver-here -policyName demo_appfw_policy -priority 100 -gotoPriorityExpression END -type REQUEST

Advanced Authentication Settings

There are two configurations related to authentication: encrypting user credentials between the client and the ADC within nFactor, and IP reputation based MFA.

Encrypting User Credentials

The following setting enables the ADC to encrypt the credential set when the user submits the form data using ECDHE algorithms. To enable this setting, navigate to Citrix Gateway > Global Settings > Authentication Settings > Change Authentication AAA settings and set Login Encryption to ENABLED.

Authentication Login Encryption

Alternatively, change this setting from the CLI as follows:


set aaa parameter -loginEncryption ENABLED

IP Reputation Based MFA

Use IP Reputation with advanced authentication to prompt the user for an extra factor if the source address is in the IP reputation database. A manually maintained data set of addresses is also checked.

Important:

The following configuration example uses CAPTCHA as a means to provide another factor of authentication, but any other MFA tool can be used. As with all nFactor configurations, the policies, schemas, and policy labels shown here are simple examples; add further configuration to meet any specific login use case.

See the references section for additional details on configuring TOTP PUSH as a factor and additional CAPTCHA configurations.

Create a data set by going to AppExpert > Data Sets and selecting ‘Add’. Create a data set with a descriptive name, a type of ‘ipv4’ and click ‘Create’.

Malicious IP Data Set

Next, two advanced authentication policies need to be created by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and select ‘Add’.

Create the first policy with a descriptive name, an action type of NO_AUTHN, and the expression set to ‘true’.

Advanced Policy Good IP

Create the second policy with a descriptive name, action type of NO_AUTHN, and an expression as follows:


CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("suspicious_ips")

Note:

Replace ‘suspicious_ips’ with the name of the previously created data set.

Next, a CAPTCHA login schema profile is created by going to Security > AAA - Application Traffic > Login Schema > Profiles Tab and selecting ‘Add’. Give the profile a descriptive name then edit the Authentication Schema by selecting the ‘pencil’ edit icon. Browse to the LoginSchema directory, highlight SingleAuthCaptcha.xml, and choose Select.

Captcha Login Schema

Next, create an authentication policy label for the CAPTCHA schema by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy Label and selecting ‘Add’. Give the policy label a descriptive name and select the previously created CAPTCHA login schema. Bind the required LDAP action policy.

Note:

This example is reusing a previously created LDAP authentication action.

Captcha Policy Label

Create another policy label by selecting ‘Add’. Give this policy label a descriptive name, and set the login schema to LSCHEMA_INT. Next, bind the two previously created NO_AUTHN authentication policies.

IP Check Policy Label

Last, set this IP reputation check policy label as the next factor of the authentication policy modified earlier, which is already bound to an authentication or Gateway virtual server. Highlight that authentication policy, select ‘Edit Binding’, then set the new policy label in the ‘Select Next Factor’ field.

Final Authentication Policy

Summary

Citrix ADC provides many built-in security protections that protect Gateway or Authentication virtual servers running on the same appliance. These protections have no impact on typical users as they try to log in to Citrix Gateway.

References

For additional information and configuration options, see the following articles:

  • Introduction to Citrix Web Application Firewall - Citrix Product Docs
  • Citrix Web Application Firewall PoC Guide - proof of concept deployment guide for Citrix Web Application Firewall
  • Citrix Training for Application Delivery and Security - Citrix Education
  • Getting started with Citrix ADC - Packet Flow - Citrix Product Docs
  • IP Reputation - Citrix Product Docs
  • Bot Management - Citrix Product Docs
  • Bot Detection - Citrix Product Docs
  • nFactor Authentication - Citrix Product Docs
  • Citrix ADC - nFactor Basics Cheat Sheet - Citrix Tech Zone: Diagrams and Posters
  • CTX216091 - supporting reCAPTCHA with nFactor
  • nFactor for Citrix Gateway with Push Token - proof of concept deployment guide for TOTP push tokens for Citrix Gateway