  • NetScaler Enhanced SSL Profiles for easier configuration and tighter security

    Subhojit Goswami

    Authors: Vaibhav Khare, Satyam Mehrotra


    Security is always a top priority for any business. Central to this for internet-facing applications is ensuring that the data is not intercepted, viewed or changed by unauthorized users. To protect this sensitive data from compromise, cryptographically secure encryption is critical for all applications.


    Cryptographic processes like SSL/TLS come at a price. The CPU load on servers to process encryption and decryption is severe and can impact the performance of the backend server and hence the application itself.


    As a pioneer in the Application Delivery Controller (ADC) market, NetScaler was the first ADC to introduce integrated SSL offload in 2002. This relieved much of the hard graft of SSL processing for businesses and lowered the TCO. Further benefits of SSL offloading extended beyond direct cost. Access to the higher layers meant encrypted traffic could be inspected and secured, as well as directed more intelligently. Moreover, centralizing the SSL made for much less complex certificate management.


    SSL Challenges

    SSL is not without challenges. Over time, vulnerabilities in the SSL protocol have been discovered and exploited (e.g. POODLE), and advances in computing power have rendered low-strength ciphers insecure and vulnerable to attack. Similarly, older SSL versions lack support for modern security features like Perfect Forward Secrecy (PFS), which provides increased protection against eavesdropping and decryption of past communication even if the private key is compromised.


    While it is important to configure all the SSL elements to suit a particular environment for maximum security, this can be a manual and time-consuming process. More than this, it is error-prone, which can lead to security gaps and exposure of sensitive data. 


    Enhanced SSL profiles to ensure consistent configuration

    To solve this problem, NetScaler introduced SSL profiles. An SSL profile is a single point of configuration that binds a set of SSL configuration specifications to an entity. The ability to group parameters such as SSL protocol versions, client/server authentication parameters, Diffie-Hellman parameters, and cryptographic settings for ciphers and ECC curves makes SSL configuration simpler.



    SSL profiles improve the time to protection and reduce configuration workload. More than this, however, they make it easy to ensure consistent configuration and compliance with corporate security policies and industry regulation while dramatically minimizing SSL errors, which reduces the risk of security gaps.


    Enhanced SSL Profiles can be enabled from the GUI (Figure 1) or via the following command:

    set ssl parameter -defaultProfile ENABLED



    Figure 1: Enable Enhanced SSL profiles under Traffic Management > SSL > Advanced SSL Settings (NOTE: Once enabled, the only way to disable is to clear the NetScaler config)

    Types of SSL profiles

    There are two types of SSL profiles. Frontend profiles are bound to internet/client-facing entities, while backend profiles define the settings for entities that interact with the application server resources.


    While similar in content, some parameters are only applicable to certain environments. For example, frontend profiles have settings for client authentication and backend profiles have settings for server authentication. Similarly, the different profiles have different default cipher groups included – although it is possible to change these to be the same. Overall, there are more configurable elements in a frontend profile than in the backend profile (see Figure 2 and Figure 3 for a comparison).


    Figure 2: Parameter settings for default frontend SSL profile



    Figure 3: Parameter setting for default backend SSL profile


    NetScaler includes a number of default profiles, which contain settings that are suitable for most scenarios. While these default settings are configured with the most secure SSL protocols and cryptographic settings and can be used as they are, all are fully customizable and can be tailored to suit customer-specific environments and security policies. 


    It is not possible to delete or rename the default profiles, but NetScaler provides users with the flexibility to create their own SSL profiles, give them meaningful names that fit with their corporate policies and apply them to the SSL end points as required (Figure 4).



    Figure 4: User defined SSL Profiles can be bound to different virtual servers as required

    Advantages of SSL Profiles

    The biggest advantage of using SSL profiles is that they can be bound to multiple SSL endpoint entities on demand. Configuring SSL parameters for every individual entity is a tedious, manual task that is prone to error. SSL profiles are simple to use (Figure 5) and remove many of the repetitive steps. Attaching a profile to an SSL end-point can be done from the NetScaler GUI or using the CLI command:

    set ssl vserver <name> -sslprofile <name of ssl profile>



    Figure 5: Binding an SSL profile to an SSL End point is quick, easy and error-free from the GUI Traffic Management > Load Balancing > Virtual Servers

    Figure 6 shows how much easier it is to configure SSL settings on end-points with SSL profiles. Instead of 4 individual config changes, the admin only needs to configure the profile once and then bind it to each entity to which those settings apply. Once bound, any update to the profile – changing to stronger ciphers, for example – is propagated to each entity automatically.



    Figure 6: Configuring with profiles is much quicker, simpler and less prone to error


    Best Practices for SSL 

    NetScaler strongly recommends the use of Enhanced SSL profiles as a best practice for all SSL configuration. These profiles contain the full suite of SSL parameters required to make your applications secure and protect your data. They are simpler to use and far less likely to leave security gaps in your infrastructure caused by errors. 


    Most new SSL functionality on NetScaler will only be accessible via enhanced SSL profiles. For example, the only way to implement TLS v1.3 is to enable enhanced SSL Profiles. 


    To make it easier for existing customers with legacy configs, NetScaler has created a tool to aid migration to enhanced SSL profiles. This tool will scan the config file and automatically generate the correct commands to run to update the configuration to use enhanced SSL profiles. Customers can take advantage of the tighter security features in minutes.
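A pre-migration inventory in the spirit of the config scan described above, as an added example that is neither NetScaler's migration tool nor code from the original article: it reads ns.conf-style text and lists SSL virtual servers that have no profile bound or that explicitly enable SSLv3, TLS 1.0 or TLS 1.1. The sample configuration and all entity and profile names are constructed.

```python
import shlex

# Protocol switches that take ENABLED/DISABLED on `set ssl vserver` and `add ssl profile`.
LEGACY_PROTOCOLS = ("-ssl3", "-tls1", "-tls11")

# Constructed legacy-style configuration (not taken from a real appliance).
SAMPLE_CONF = """\
add ssl profile corp_frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
add ssl profile old_frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 ENABLED -tls12 ENABLED
set ssl vserver vs_shop -sslProfile corp_frontend
set ssl vserver vs_portal -sslProfile old_frontend
set ssl vserver "vs legacy" -ssl3 ENABLED -tls12 ENABLED
"""

def options(tokens):
    """Pair each -option with the value that follows it, keys lower-cased."""
    return {tokens[i].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def audit(conf_text):
    """Return (default_profile_enabled, findings).

    Only explicitly stated values are checked; options left unset fall back
    to appliance defaults, which this sketch does not model.
    """
    enabled, profiles, vservers = False, {}, {}
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        head = [t.lower() for t in tok[:3]]
        if head == ["set", "ssl", "parameter"]:
            enabled = options(tok[3:]).get("-defaultprofile", "").upper() == "ENABLED"
        elif head == ["add", "ssl", "profile"] and len(tok) > 3:
            profiles[tok[3]] = options(tok[4:])
        elif head == ["set", "ssl", "vserver"] and len(tok) > 3:
            vservers.setdefault(tok[3], {}).update(options(tok[4:]))
    findings = []
    for name, opts in sorted(vservers.items()):
        profile = opts.get("-sslprofile")
        if profile is None:
            findings.append((name, "no SSL profile bound; parameters set per entity"))
        effective = opts if profile is None else profiles.get(profile, {})
        for proto in LEGACY_PROTOCOLS:
            if effective.get(proto, "").upper() == "ENABLED":
                findings.append((name, f"{proto[1:]} enabled via {profile or 'entity settings'}"))
    return enabled, findings

if __name__ == "__main__":
    state, issues = audit(SAMPLE_CONF)
    print("enhanced profiles enabled:", state)
    print("\n".join(f"{vserver}: {issue}" for vserver, issue in issues))
```

Because a profile is shared, fixing `old_frontend` once clears the finding for every virtual server bound to it, whereas the per-entity finding has to be fixed on that entity alone.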


    While there should never be shortcuts with security, SSL profiles are an excellent way to both reduce potentially damaging errors and automate configuration. We envision a day when all configuration is this simple and secure.

    For more information on the SSL profile infrastructure, please visit the eDocs.
