PoC Guide: Protecting Gateway Virtual Servers with WAF, Bot, and Advanced Authentication Policies

Overview

Many VPN and Citrix Gateway deployments are hosted by Citrix ADC appliances that are also providing security protections to other web applications. This PoC guide is designed to help protect VPN and Gateway virtual servers using tools already available on the Citrix ADC appliance. This guide covers protecting the portal login page with Bot security and protecting the credential form submission with WAF capabilities. Additionally, advanced authentication policies are used to add context to user logons and add multifactor authentication.

The flow of this configuration diagrammed as follows:

Config Flow

Configuration Options

This guide does not provide an exclusive list of protections, nor is it the only way to configure them. For example, both IP Reputation and rate limiting can be deployed using a responder policy on a Gateway virtual server. This configuration is a supported method of deployment but has a different outcome of dropping or resetting connections before the gateway login page is rendered.

Also, the WAF profile does not have every protection enabled. This is done to prevent complex configuration, custom tuning, and potential issues. Further configuration to the WAF profile is possible, see the links in the references section for guidance.

Regarding authentication, CAPTCHA is not the most secure option for an extra factor, it was only used for simplicity in explanation. Other MFA options such as TOTP or PUSH are recommended - see the references section for links to help in deploying these options.

Prerequisites

This guide assumes a working knowledge of Citrix WAF deployment, Bot Security deployment, and Advanced Authentication Policies (nFactor). It makes assumptions that a gateway or authentication virtual server is already installed and configured. The following are requirements for the configuration:

  • Advanced Authentication Policies require release 12.1 build 57.18 or later
  • Web Application Firewall protections require release 12.1 build 57.18 or later
  • Bot Security protections require release 13.0 build 71.40 or later
  • The majority of the features in this guide require a premium license
  • An existing server or service listening on port 80
  • An existing Gateway or authentication virtual server, with an existing advanced authentication configuration (advanced authentication or nFactor flow)
  • The following features must be enabled: Citrix Web App Firewall, Citrix Bot Management, and Reputation

Bot Protection

Bot Signatures

From Security > Citrix Bot Management > Signatures, select the Default Bot Signatures and click the Clone button. Apply a descriptive name, then click create.

Bot Profile Signatures

Create a Bot Management Profile and Policy

From Security > Citrix Bot Management > Profiles, select Add to create a new Bot Management Profile. Give the profile a descriptive name and select the previously created signature set.

Bot Profile

Once the profile is created, select it to edit the advanced profile settings.

Add IP Reputation from the right column and check the box to enable it.

Bot Profile IP Reputation

Next, choose ‘Add’ under categories, select IP for the Type, check the box for Enabled and set the action to Drop. Last, check the box for ‘Log’ and set the log message to something descriptive.

Bot Profile IP Reputation 2

Bot Profile IP Reputation 3

Select Device Fingerprint from the right column, ensure that the ‘Enabled’ check box is NOT checked and click Update.

Bot Profile Device Fingerprint

The last setting for the Bot Profile is to enable rate limiting, select Rate Limit from the right column and check the box for enabled. Click ‘Add’ under Configure Resources, and add three URL type rate limit bindings for the following URLs:

  • /logon/LogonPoint/index.html
  • /logon/LogonPoint/tmindex.html
  • /vpn/index.html

These rate limits are enabled, with a rate of 5, period of 1000, action of Drop, log set to be enabled, and Log Message with a descriptive message title.

Bot Profile Rate Limit

The Bot Profile is now be configured as follows:

Bot Profile Final

Create a Bot Management Policy by going to Security > Citrix Bot Management > Bot Policies and choosing Add. Select the previously created Bot Profile, with an expression as follows:


HTTP.REQ.URL.CONTAINS("/vpn")||HTTP.REQ.URL.CONTAINS("/logon")

Finally, the bot policy is bound by selecting ‘Policy Manager’. Select a Bind Point of ‘Default Global’, select ‘Click to select’ to select the policy. Highlight the previously created policy, and choose ‘Select’. Select ‘Bind’ then ‘Done’.

Bot Policy Bind

WAF Protection

It is not possible to bind a WAF policy directly to a Gateway or authentication virtual server. Additionally, binding a WAF policy globally with an expression that targets Gateway or authentication virtual servers will likely not function as expected. This is due to the order in which policies are processed - with WAF policies being processed after Gateway and authentication policies.

The WAF protection policy uses an HTTP Callout to protect the logon page and invalidate the authentication flow if a WAF exception is caught. This configuration requires a pattern set (Patset) containing the login URLs, a dummy service and load balancing virtual server, an HTTP callout, and the WAF policy and configuration.

Pattern Set

Navigate to AppExpert > Pattern Sets and select ‘Add’. Give the new Pattern Set a name, then select ‘Insert’ and add the following patterns:

  • /cgi/login (index 1)
  • /nf/auth/doAuthentication.do (index 2)

Pattern Set

Alternatively, the pattern set can be created from the CLI:


add policy patset GW_VPN_Patset
bind policy patset GW_VPN_Patset "/cgi/login" -index 1
bind policy patset GW_VPN_Patset "/nf/auth/doAuthentication.do" -index 2

Dummy Virtual Server and Service

A dummy virtual server is used for the HTTP Callout. This virtual server does not need to be publicly available, so it can be non-addressable. The virtual server DOES need to be up, thus the back end server needs to be up and responding on port 80. A new service and virtual server will be created in this guide, but a pre-existing virtual server can be used.

Go to Traffic Management > Load Balancing > Services and select ‘Add’. Give the service a descriptive name, set the protocol to HTTP and port to 80. Enter the IP address of the server and choose OK. Alternatively, an existing server may be used to create the service. All of the default settings may be used, including monitors that are bound to the service.

Load Balancing Service

Next create the load balancing virtual server by going to Traffic Management > Load Balancing > Virtual Servers and select ‘Add’. Give the server a descriptive name, set the protocol to HTTP, and set the IP address type to Non Addressable. Bind the previously created service to this virtual server by selecting ‘No Load Balancing Virtual Server Service Binding’ then ‘Click to select’ and selecting the service. There is now 1 service bound to the virtual server and the state is ‘UP’.

Load Balancing Virtual Server

HTTP Callout

Navigate to AppExpert > HTTP Callouts and select ‘Add’. Give the HTTP Callout a descriptive name, select ‘Virtual Server’ to receive the callout request, and select the dummy virtual server. In the Request to send to the server, select the type as Expression-Based, set the scheme to ‘HTTP’ and set the Full Expression to the following:


HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)

Note:

The name of the header here is ‘GW_VPN-WAF_Callout’ - this will be used later in the application firewall filtering expression. If it is changed, it must also be changed in the WAF header expression as well.

In the Server Response section, set the return type to BOOL and set the expression to ‘true’.

HTTP Callout

Alternatively, the HTTP Callout can be created from the CLI:


add policy httpCallout GW_VPN_WAF_Callout -vServer dummy-vserver-here -returnType BOOL -fullReqExpr HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048) -scheme http -resultExpr true

Authentication Policy

An existing LDAP authentication policy will be modified to use the HTTP Callout. Open the existing authentication policy by going to Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > Policy, select the existing policy and choose ‘Edit’. Modify the existing expression to the following:


HTTP.REQ.URL.CONTAINS_ANY("GW_VPN_Patset") && SYS.HTTP_CALLOUT(GW_VPN_WAF_Callout)

Authentication Policy WAF Binding

Note:

This expression can be used with any authentication policy where you want to protect the form fields on the logon page.

WAF Profile and Policy

To build the WAF profile go to Security > Citrix Web Application Firewall > Profiles and choose ‘Add’. Give the profile a descriptive name and select Web Application (HTML) and Basic Defaults. Open the newly created profile by choosing ‘Edit’ then select ‘Security Checks’ from the right hand column.

Ensure that only the following security checks are enabled (all others are not checked):

  • Buffer Overflow - Log, Stats
  • Post Body Limit - Block, Log, Stats
  • HTML Cross-Site Scripting - Block, Log, Stats
  • HTML SQL Injection - Block, Log, Stats

WAF Security Checks

Next select ‘Profile Settings’ from the right hand column and ensure that the Default Response is set to:


application/octet-stream

Then check the box for Log Every Policy Hit.

WAF Profile Settings

Next, configure the WAF policy by going to Security > Citrix Web Application Firewall > Policies > Firewall and choose ‘Add’. Give the policy a descriptive name and select the profile created in the previous step. For the expression, enter the following:


HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS

Note:

The name of the header here must match the header in the HTTP Callout created earlier.

Last, bind the WAF policy to the dummy load balancing virtual server created earlier by going to Traffic Management > Load Balancing > Virtual Servers and selecting the virtual server then choosing ‘Edit’.

From the right hand column, select ‘Policies’ then click the ‘+’ plus to add a policy. Select policy App Firewall and type Request. Select the policy created previously then select ‘Bind’ and ‘Done’.

WAF Policy Binding

Alternatively, the WAF configuration can be created using the CLI as follows:


add appfw profile demo_appfw_profile -startURLAction none -denyURLAction none -fieldFormatAction none -bufferOverflowAction log stats -responseContentType "application/octet-stream" -logEveryPolicyHit ON -fileUploadTypesAction none

add appfw policy demo_appfw_policy "HTTP.REQ.HEADER(\"GW_VPN-WAF_Callout\").EXISTS" demo_appfw_profile

bind lb vserver dummy-vserver-here -policyName gw_appfw_policy -priority 100 -gotoPriorityExpression END -type REQUEST

Advanced Authentication Settings

There are two configurations related to authentication - encrypting user credentials from the client to the ADC within nFactor and IP reputation based MFA.

Encrypting User Credentials

The following setting enables the ADC to encrypt the credential set when the user submits the form data using ECDHE algorithms. To enable this setting, navigate to Citrix Gateway > Global Settings > Authentication Settings > Change Authentication AAA settings and set Login Encryption to ENABLED.

Authentication Login Encryption

Alternatively, this can be done from the CLI as follows:


set aaa parameter -loginEncryption ENABLED

IP Reputation Based MFA

IP Reputation can be built into the advanced authentication flow to prompt the user for an additional factor if the source address is flagged in the IP Reputation database. A manually maintained dataset of addresses will also be created.

Important:

The following configuration example uses CAPTCHA as a means to provide another factor of authentication, but any other MFA tool can be used. As with all nFactor configurations, the policies, schemas, and policy labels shown here are simple examples - additional configuration can be added to meet any specific login use case.

See the references section for additional details on configuring TOTP PUSH as a factor and additional CAPTCHA configurations.

A data set need to be created by going to AppExpert > Data Sets and selecting ‘Add’. Create a data set with a descriptive name, a type of ‘ipv4’ and click ‘Create’.

Malicious IP Data Set

Next, two advanced authentication policies need to be created by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and select ‘Add’.

Create the first policy with a descriptive name, an action type of NO_AUTHN and the expression set to ‘true’.

Advanced Policy Good IP

Create the second policy with a descriptive name, action type of NO_AUTHN and expression as follows:


CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("suspicious_ips")

Note:

The name of the previously created data set is used here.

Next, a CAPTCHA login schema profile is created by going to Security > AAA - Application Traffic > Login Schema > Profiles Tab and selecting ‘Add’. Give the profile a descriptive name then edit the Authentication Schema by selecting the ‘pencil’ edit icon. Browse to the LoginSchema directory, highlight SingleAuthCaptcha.xml and choose Select.

Captcha Login Schema

Next, create an authentication policy label for the Captcha schema by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy Label and selecting ‘Add’. Give the PL a descriptive name and select the previously created captcha login schema. Bind the required LDAP action policy.

Note:

This example is re-using a previously created LDAP authentication action.

Captcha Policy Label

Create another policy label by selecting ‘Add’. Give this PL a descriptive name, and set the login schema to LSCHEMA_INT. Next, bind the two previously created NO_AUTHN authentication policies.

IP Check Policy Label

Last, this IP Reputation check policy label needs to be set as the next factor of the previously created authentication policy that is already bound to an authentication or Gateway virtual server. Highlight the authentication policy, select ‘edit binding’ then set the new policy label as the ‘Select Next Factor’ field.

Final Authentication Policy

Summary

Citrix ADC provides many built-in security protections that can be applied to protect Gateway or Authentication virtual servers running on the same appliance. These protections have no impact on typical users as they try to log in to Citrix Gateway.

References

For additional information and configuration options, refer to the following articles:

CTX216091 - supporting re-Captcha with nFactor

Citrix Web Application Firewall PoC Guide – proof of concept deployment guide for Citrix Web Application Firewall

nFactor for Citrix Gateway with Push Token - proof of concept deployment guide for TOTP push tokens for Citrix Gateway

PoC Guide: Protecting Gateway Virtual Servers with WAF, Bot, and Advanced Authentication Policies