Proof of Concept Guide: URL Redirection to Secure Browser with Citrix ADC in Azure

Overview

This guide gives the configuration steps for setting up a Citrix ADC in Azure and configuring SSL Forward Proxy and SSL Interception using the latest Citrix ADC marketplace template. The URL Redirection to Secure Browser capability of the ADC lets administrators define specific website categories that are redirected automatically from the local browser to Secure Browser. The Citrix ADC acts as an intermediate proxy that intercepts traffic between local browsing and the internet, achieving web isolation and protecting the corporate network. This capability increases security without compromising user experience.

Conceptual Architecture

URL redirection to Secure Browser Service Architecture

Scope

This proof-of-concept guide describes the following:

  1. Obtain Secure Browser Trial Account
  2. Set up ADC in Azure
  3. Set up Citrix ADC appliance as proxy
  4. Set up SSL Interception
  5. Set up Rewrite Policy and Actions

Deployment Steps

Section 1: Obtain Secure Browser Trial Account

Reference doc for Secure Browser Service

Request a Secure Browser trial

  1. Navigate to your Citrix Cloud account and enter user name and password

  2. Click Sign In. If your account manages more than one customer, select the appropriate one

    Log in to Citrix Cloud

  3. Double-click the Secure Browser Tile.

    Secure Browser Tile

  4. If you know who your account team is, then reach out to them to get the trial approved. If you are unsure who your account team is, then continue to the next step.

  5. Click Request a Call

    Request a Call

  6. Enter your details and in the Comments section specify “Secure Browser service trial.”

  7. Click Submit.

    Request a Call form

    Note:

    Citrix Sales will contact you to give you access to the service. This is not immediate; a Citrix sales rep will reach out to you

  8. Once you have the Secure Browser trial approved, refer to the Publish a Secure Browser section of the Citrix Doc to publish a Secure Browser app.

Enable URL Parameters

  1. In your Citrix Cloud subscription, double-click the Secure Browser tile

  2. On your published browser, called “browser” in this example, click the three dots and select Policies

    published browser app

  3. Enable URL Parameters policy on your published browser

    URL Parameters policy enable

Section 2: Set up ADC in Azure

The ADC can be set up in any cloud of choice. In this example, Azure is used.

Configure an ADC instance

  1. Navigate to All Resources, click the + Add button and search for Citrix ADC

  2. Select Citrix ADC template

  3. Select the software plan according to your requirements (in this example Bring Your Own License)

  4. Click Create

    Set up ADC in Azure

Configure NIC Card

  1. Navigate to All Resources and select the NIC card for the ADC instance

  2. Select IP Configurations and make a note of the ADC management address

  3. Enable IP Forwarding in Settings and save the changes.

    Configure NIC for ADC

Configure Virtual IP

  1. Click Add and set virtualip as the name of the new configuration

  2. Select Static and add a new IP address following the management address

  3. Enable Public address option and create a new public IP address

  4. Save the changes

    Configure Virtual IP

Set up the FQDN on the client

  1. Navigate to the Public IP address resource created for the virtualip configuration

  2. Click Configuration, and add a DNS label (in this example, urlredirection.eastus.cloudapp.azure.com)

    Set FQDN

Set up Networking rules

  1. Add the following Networking rules

    Networking rules

    Note:

    You may choose to close ports 22 and 443 after the configuration is done, as those ports are only needed for logging in to the management console for configuration purposes.

  2. At this point the ADC instance in Azure is set up

Section 3: Set up Citrix ADC appliance as proxy

Set up the ADC as a proxy to route the traffic from the client browser to the Internet.

Log in to ADC management console

  1. Navigate to the Citrix ADC management console by inputting the instance’s public IP address in the search bar of your browser

    Note:

    Use the IP address of the machine you provisioned in the previous steps, in this example https://40.88.150.164/

  2. Log in to the console by inputting the user name and password you set up in the previous steps

    Log in to management console

  3. From the initial configuration screen, click Continue

Upload the licenses

  1. Navigate to System > Licenses > Manage Licenses

  2. Upload the necessary licenses for ADC.

    Note:

    The licenses you bring must support the features selected below under Configure Basic Features and Configure Advanced Features (e.g. CNS_V3000_SERVER_PLT_Retail.lic and CNS_WEBF_SSERVER_Retail.lic)

    Manage licenses

  3. Reboot the server after uploading both licenses.

  4. After reboot, log in to the management again

  5. Navigate to System > Settings > Configure Modes

  6. Only two options must be enabled: MAC based forwarding and Path MTU Discovery

    Configure Modes

  7. Navigate to System > Settings > Configure Basic Features

    Configure Basic Features

  8. Select: SSL Offloading, Load Balancing, Rewrite, Authentication, Authorization, and Auditing (AAA), Content Switching, and Integrated Caching

    Configure Basic Features

  9. Navigate to System > Settings > Configure Advanced Features

    Configure Advanced Features

  10. Select: Cache Redirection, IPv6 Protocol Translation, AppFlow, Reputation, Forward Proxy, Content Inspection, Responder, URL Filtering, and SSL Interception

    Configure Advanced Features

Set up the NTP Server

  1. Navigate to System > NTP Servers > Add

    Set up NTP Server

  2. Create a server, for example pool.ntp.org

    Set up NTP Server

  3. Enable NTP when prompted and set server to enabled

    Set up NTP Server

  4. Save the Configuration from the management portal save action

    Save configuration

  5. Open an SSH session to the ADC management address and log in with the credentials you used when provisioning the ADC from Azure

Set up TCP Profile and vServer

  1. Take the virtualip configured in Section 2 and substitute it into the commands that follow (in this example 10.1.0.5)

  2. Run the following commands in the SSH session, using the virtualip as the proxy address:

  3. To add the TCP profile:

    add ns tcpProfile proxy-tcpprofile01 -dynamicReceiveBuffering ENABLED -KA ENABLED -mptcp ENABLED -mptcpDropDataOnPreEstSF ENABLED -mptcpSessionTimeout 360 -builtin MODIFIABLE
    
  4. To add virtual server

    add cs vserver sslproxy01 PROXY 10.1.0.5 8080 -cltTimeout 360 -tcpProfileName proxy-tcpprofile01 -persistenceType NONE
    
    bind cs vserver sslproxy01 -lbvserver azurelbdnsvserver
    
    add netProfile proxy-netprofile01 -srcIP 10.1.0.5 -srcippersistency ENABLED -MBF ENABLED -proxyProtocol ENABLED -proxyProtocoltxversion V2
    
    set cs vserver sslproxy01 -netProfile proxy-netprofile01
    
    set ssl vserver sslproxy01 -sslProfile ns_default_ssl_profile_frontend
    
    save ns config
    
  5. To change the cache settings, go back to the management session in the browser

  6. Navigate to Optimization > Integrated Caching

  7. Navigate to Settings > Change cache settings

    Change Cache settings

  8. Set Memory Usage Limit to 250 MB and click OK

    Memory usage limit

Set up the client for URL Redirection

  1. On a client machine, open a browser, for example Firefox

  2. Configure the browser proxy to the virtualip, Public IP, or FQDN configured in Section 2, on port 8080 (for example, urlredirection.eastus.cloudapp.azure.com:8080)

    Configure Browser proxy

  3. Now that we have an ADC set up, test for any website connectivity from the browser with the ADC acting as a proxy.

Section 4: Set up SSL Interception

SSL interception uses a policy that specifies which traffic to intercept, block, or allow. Citrix recommends that you configure one generic policy to intercept traffic and more specific policies to bypass some traffic.

References:

SSL Interception

URL categories

Video example of configuration

Create an RSA Key

  1. Navigate to Traffic management > SSL > SSL Files > Keys

  2. Select Create RSA Key

    Create RSA Key

  3. Select the key file name and required key size

    Create RSA Key

  4. Once the key is created, download the .key file for later use

    Create RSA Key

Create a Certificate Signing Request (CSR)

  1. Navigate to Traffic management > SSL > SSL Files > CSRs > Create Certificate Signing Request (CSR)

    CSR

  2. Name the request file, for example smesec_req1.req

    CSR creation

  3. Click Key Filename > Appliance; the key file name is the one created in the previous step, in this example smesec_key1.key

    CSR creation

  4. After selecting the key, fill in the required fields: Common Name, Organization Name, and State or Province

  5. Click Create

Create a Certificate

  1. Navigate to Traffic management > SSL > SSL Files > Certificates > Create Certificate

    Create certificate

  2. Give the certificate a name and choose both the Certificate Request File (.req) and the Key File name (.key) created in the previous steps

    Create Certificate

  3. Click Create

  4. Once the certificate is created, download the .cert file for later use

    Create Certificate

Create SSL INTERCEPT policy

  1. Navigate to Traffic management > SSL > Policies

  2. Click Add

    Create SSL Policy

  3. Give the policy a name and select the INTERCEPT action

  4. Expression to intercept the News category:

    CLIENT.SSL.DETECTED_DOMAIN.URL_CATEGORIZE(0,0).CATEGORY.EQ("News")

  5. Click Create

    Create SSL Intercept

  6. To bind the Intercept policy to the virtual server, navigate to Security > SSL Forward Proxy > Proxy Virtual Servers

    SSL proxy01

  7. Select the virtual server, in this example sslproxy01

  8. Select add SSL Policies and click No SSL Policy Binding

  9. Bind the intercept policy:

    Bind Intercept policy

Create SSL BYPASS policy

  1. Navigate to Traffic management > SSL > Policies

  2. Click Add

    Create SSL Policy

  3. Give the policy a name and select the NOOP action (there is no BYPASS option on this screen; the action is changed to BYPASS in a later step)

  4. Expression to bypass policy: CLIENT.SSL.DETECTED_DOMAIN.CONTAINS("cloud")

    Create bypass policy

  5. Navigate to Security > SSL Forward Proxy > SSL Interception Policies

    SSL bypass policy

  6. Select the policy to edit it

  7. Change Action from NOOP to BYPASS

  8. Click OK

    SSL bypass policy

  9. Double check that the Action is now BYPASS

  10. Go back to Traffic management > SSL > Policies to double check the change

    Bypass policy

  11. To bind the Bypass policy to the virtual server, navigate to Security > SSL Forward Proxy > Proxy Virtual Servers

    SSL proxy01

  12. Double-click the virtual server, in this example sslproxy01

  13. Select add SSL Policies and click SSL Policy Binding

  14. Bind the bypass policy > Add

  15. Click Bind

    Note:

    This policy bypasses ADC interception for traffic going to the Secure Browser service at launch.cloud.com, so the redirected session itself is not intercepted

Create SSL Profile

  1. Navigate to System > Profiles > SSL Profile > Add

  2. Create the profile by giving it a name, in this example smesec_swg_sslprofile

    SSL profile name

  3. Check the box to enable SSL Sessions Interception, then click OK

  4. Click OK to create SSL Profile

  5. The cert-key pair must be installed on this profile

  6. Make sure you have the cert-key pair in .pfx format first. The following step explains how to generate a .pfx file from the .cert and .key files that you downloaded previously.

Prepare cert-key pair

  1. Start by installing OpenSSL on the client machine

  2. Add the OpenSSL installation path to the system environment variables

    Path of SSL install

  3. From PowerShell, run the command:

    openssl pkcs12 -export -out smesec_cert1.pfx -inkey smesec_key1.key -in smesec_cert1.cert

    PowerShell screenshot

Bind an SSL Interception CA Certificate to the SSL Profile

  1. Navigate to System > Profiles > SSL Profile

  2. Select the profile created previously

  3. Click + Certificate Key

  4. Click Install

  5. Choose the .pfx file prepared previously

  6. Create a password (you need it later)

  7. Click Install

Bind the SSL Profile to the virtual server

  1. Navigate to Security > SSL Forward Proxy > Proxy Virtual Servers

    SSL proxy01

  2. Select the virtual server, in this example sslproxy01

  3. Click to edit SSL Profile

    Edit SSL profile

  4. Choose the SSL profile created previously, in this example smesec_swg_sslprofile

  5. Done

Section 5: Set up Rewrite Policies and Actions

A rewrite policy consists of a rule and an action. The rule determines the traffic to which the rewrite is applied, and the action specifies what the Citrix ADC does with that traffic. The rewrite policy is what makes URL redirection to Secure Browser happen, based on the category of the URL entered in the browser, in this example “News”.

Reference

Create rewrite policy and action

  1. Navigate to AppExpert > Rewrite > Policy

  2. Click Add

    Create rewrite policy

  3. Create the policy by naming it, cloud_pol in this example, and use the expression: HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).CATEGORY.EQ("News")

  4. Click create

    Create rewrite policy

  5. Create the action from an SSH session to the ADC (for example, with PuTTY)

  6. Run the following command:

    add rewrite action cloud_act REPLACE_HTTP_RES q{"HTTP/1.1 302 Found" + "\r\n" + "Location: https://launch.cloud.com/<customername>/<appname>?url=https://" + HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL.PATH) + "\r\n\r\n"}

    Note:

    In the command, replace <customername> with your Citrix Cloud customer account name and <appname> with the name of the Secure Browser published app for which the URL Parameters policy is enabled, that is, the published app you created in Section 1.
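To exercise the redirect without a live proxy, the following added Python example (not part of the Citrix guide) mirrors the 302 response the cloud_act action emits and validates a captured proxy response head; the customer name, app name and hostnames are constructed placeholders. It also shows the action's limitation that the path is inserted unencoded, so a path containing "&" splits the url parameter.

```python
"""Added example: mirror the cloud_act REPLACE_HTTP_RES action and validate a
captured proxy response offline. Customer, app and host names are constructed."""
from urllib.parse import parse_qs, urlsplit

LAUNCH_HOST = "launch.cloud.com"


def build_redirect_location(customer, app, hostname, path):
    """Location value the rewrite action emits. It appends HTTP.REQ.URL.PATH only,
    so the original query string is dropped and the path is inserted unencoded."""
    return f"https://{LAUNCH_HOST}/{customer}/{app}?url=https://{hostname}{path}"


def build_redirect_response(customer, app, hostname, path):
    """Raw response head the action writes back, as in the ADC command."""
    location = build_redirect_location(customer, app, hostname, path)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def parse_response_head(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_secure_browser_redirect(raw, customer, app, original_host):
    """Return (ok, reason): ok only for a 302 whose Location is the expected
    launch.cloud.com customer/app page with url= carrying the original host."""
    status, headers = parse_response_head(raw)
    if status != 302:
        return False, f"expected 302, got {status}"
    location = headers.get("location")
    if not location:
        return False, "no Location header"
    parts = urlsplit(location)
    if parts.scheme != "https" or parts.netloc != LAUNCH_HOST:
        return False, f"redirect does not go to {LAUNCH_HOST}: {parts.netloc}"
    if parts.path != f"/{customer}/{app}":
        return False, f"unexpected launch path: {parts.path}"
    query = parse_qs(parts.query)
    if set(query) != {"url"}:
        # an unencoded '&' in the original path splits the url parameter
        return False, f"url parameter was split or missing: {sorted(query)}"
    target = query["url"][0]
    if urlsplit(target).netloc != original_host:
        return False, f"url parameter does not carry the original host: {target}"
    return True, "ok"
```

For a live check, send a request for a News-category site through the proxy at virtualip:8080 from a client that trusts the interception CA, and pass the raw response head to check_secure_browser_redirect.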

Bind rewrite policy to virtual server

  1. Return to the ADC management console

  2. Navigate to AppExpert > Rewrite > Policy

  3. Go to the policy cloud_pol and change the action to cloud_act (the one created previously)

    cloud_act Action

  4. To choose the type of the rewrite policy, navigate to Security > SSL Forward Proxy > Proxy Virtual Servers

  5. Select “+ Policies”

  6. Policy: Rewrite

  7. Type: Response

  8. Select the policy created, in this example cloud_pol

  9. Priority: 10

  10. Bind

  11. Click done

  12. Save configuration

Bind Certificate key to Profile

  1. Navigate to System > Profiles > SSL Profile

  2. Select the profile created, for example smesec_swg_sslprofile

  3. Double-click + Certificate Key

  4. Select the certificate key, for example smesec_cert_overall

  5. Click Select
  6. Click Bind
  7. Click Done
  8. Save configuration

Import the certificate file to the browser

  1. Import the certificate into the browser used for the test, Firefox in this example, so that intercepted sites (News category sites in this example) are trusted

  2. Go to Options in your browser of choice, Firefox in this example

  3. Search “certs” > click “View Certificates”

  4. In the Certificate Manager window click “Import…”

  5. Browse for your certificate and click Open, smesec_cert1.cert in this example

  6. Enter the password you created when making the certificate, if prompted

  7. Confirm that your certificate authority is now installed properly

Demo

News websites opened from the local browser are redirected to Secure Browser automatically, as shown in the following demo.

Summary

In this PoC guide, you have learned how to set up Citrix ADC in Azure and configure SSL Forward Proxy and SSL Interception. This integration allows the dynamic delivery of resources by redirecting browsing to the Secure Browser service, protecting the company network without sacrificing user experience.
