Configure the NetScaler Gateway vServer and SSL Certificate
The shared FQDN resolves either to an external firewall/router interface IP or to the NetScaler Gateway vServer IP in the DMZ when external clients access resources from outside the corporate network. Ensure that the Common Name and Subject Alternative Name fields of the SSL certificate contain the shared FQDN used to access the store externally. By using a third party root CA such as Verisign instead of an enterprise Certification Authority (CA) to sign the gateway certificate, any external client automatically trusts the certificate bound to the gateway vServer, so no additional root CA certificates need to be imported onto external clients.
To deploy a single certificate with the Common Name of the shared FQDN to both the NetScaler Gateway and the StoreFront server, consider whether you want to support remote discovery. If so, make sure the certificate follows the specification for the Subject Alternative Names.
NetScaler Gateway vServer example certificate: storefront.example.com
- Ensure that the shared FQDN, the callback URL, and the accounts alias URL are included in the DNS field as Subject Alternative Name (SANs).
- Ensure that the private key is exportable so the certificate and key can be imported into the NetScaler Gateway.
- Ensure that Default Authorization is set to Allow.
Sign the certificate using a third party CA such as Verisign or an enterprise root CA for your organization.
Two-node server group example SANs:
Sign the Netscaler Gateway vServer SSL certificate using a Certification Authority (CA)
Based on your requirements, you have two options for choosing the type of CA signed certificate.
- Option 1 — Third Party CA signed certificate: If the certificate bound to the NetScaler Gateway vServer is signed by a trusted third party, external clients will likely NOT need any root CA certificates copied to their trusted root CA certificate stores. Windows clients ship with the root CA certificates of the most common signing agencies. Examples of commercial third party CAs that could be used include DigiCert, Thawte, and Verisign. Note that mobile devices such as iPads, iPhones, and Android tablets and phones might still require the root CA to be copied onto the device to trust the NetScaler Gateway vServer.
- Option 2 — Enterprise Root CA signed certificate: If you choose this option, every external client requires the enterprise root CA certificate copied to its trusted root CA store. If using portable devices with native Receiver installed, such as iPhones and iPads, create a security profile on these devices.
Import the root certificate into portable devices
- iOS devices can import .CER x.509 certificate files using email attachments, because accessing the local storage of iOS devices is usually not possible.
- Android devices require the same .CER x.509 format. The certificate can be imported from the device local storage or email attachments.
External DNS: storefront.example.com
Ensure that the DNS resolution provided by your organization’s Internet service provider resolves to the externally facing IP of the firewall router on the outside edge of DMZ or to the NetScaler Gateway vServer VIP.
Split view DNS
- When split-view DNS is correctly configured, the DNS server uses the source address of the request to return the A record appropriate for that client (internal or external).
- When clients roam between public and corporate networks, their IP address changes. Depending on the network to which they are currently connected, they receive the correct A record when they query storefront.example.com.
Import certificates issued from a Windows CA to NetScaler Gateway
WinSCP is a useful and free third party tool to move files from a Windows machine to the NetScaler Gateway file system. Copy certificates for import to the /nsconfig/ssl/ folder within the NetScaler Gateway file system. You can use the OpenSSL tools on the NetScaler Gateway to extract the certificate and key from a PKCS12/PFX file to create two separate .CER and .KEY X.509 files in PEM format that can be used by the NetScaler Gateway.
- Copy the PFX file into /nsconfig/ssl on the NetScaler Gateway appliance or VPX.
- Open the NetScaler Gateway command line interface.
- To switch to the FreeBSD shell, type Shell; this exits the NetScaler Gateway command line interface.
- To change directory, use cd /nsconfig/ssl.
- Run openssl pkcs12 -in <imported cert file>.pfx -nokeys -out <certfilename>.cer and enter the PFX password when prompted.
- Run openssl pkcs12 -in <imported cert file>.pfx -nocerts -out <keyfilename>.key.
- Enter the PFX password when prompted and then set a private key PEM passphrase to protect the .KEY file.
- To ensure that the .CER and .KEY files were successfully created inside /nsconfig/ssl/, run ls -al.
- To return to the NetScaler Gateway command line interface, type Exit.
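The following script is an added example, not part of the Citrix documentation above, that combines the PFX extraction procedure just described with a check of the SAN requirements from the certificate section earlier on this page. It assumes an OpenSSL 1.1.1 or later binary on the PATH (the FreeBSD shell on the appliance, or any workstation before you copy the files over with WinSCP); the function names, file names and FQDNs are placeholders of my own, not Citrix identifiers.

```shell
#!/bin/sh
# Added example (not Citrix code): extract the certificate and private key from a
# PFX as in the procedure above, then verify before binding to the vServer that
# (a) every FQDN the gateway must answer for is present as a DNS SAN, and
# (b) the extracted key really belongs to the extracted certificate.
# Assumes: openssl >= 1.1.1 on PATH. All names below are placeholders.
set -eu

# extract_pfx PFX PFXPASS CERTOUT KEYOUT KEYPASS
# Mirrors the two "openssl pkcs12" steps from the procedure, with the passwords
# supplied non-interactively. KEYPASS becomes the PEM passphrase on the .key file.
extract_pfx() {
    pfx=$1; pfxpass=$2; certout=$3; keyout=$4; keypass=$5
    openssl pkcs12 -in "$pfx" -nokeys  -out "$certout" -passin "pass:$pfxpass"
    openssl pkcs12 -in "$pfx" -nocerts -out "$keyout"  -passin "pass:$pfxpass" \
        -passout "pass:$keypass"
    chmod 600 "$keyout"   # private key readable by its owner only
}

# san_has CERT FQDN  -> exit 0 if CERT carries exactly "DNS:FQDN" as a SAN entry.
# Splits the SAN line on commas so that a longer name cannot match a shorter one.
san_has() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# key_matches_cert CERT KEY KEYPASS -> exit 0 if the public key inside the
# certificate equals the public key derived from the (encrypted) private key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$c" = "$k" ]
}

# Usage: sh check_pfx.sh <file.pfx> <pfx password> <key passphrase> <fqdn> [<fqdn> ...]
# e.g.  sh check_pfx.sh storefront.pfx 'pfx-pw' 'key-pw' storefront.example.com \
#           callback.example.com accounts.example.com
if [ "$#" -ge 4 ]; then
    pfx=$1; pfxpass=$2; keypass=$3; shift 3
    base=${pfx%.pfx}
    extract_pfx "$pfx" "$pfxpass" "$base.cer" "$base.key" "$keypass"
    key_matches_cert "$base.cer" "$base.key" "$keypass" \
        && echo "key matches certificate" || echo "KEY DOES NOT MATCH certificate"
    for fqdn in "$@"; do
        if san_has "$base.cer" "$fqdn"; then
            echo "SAN present: $fqdn"
        else
            echo "SAN MISSING: $fqdn"
        fi
    done
fi
```

Run it against the PFX before copying the .cer and .key into /nsconfig/ssl/; a missing SAN for the callback or accounts alias URL shows up here rather than as a certificate warning on the first external client.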