Content Switch - DTLS?

Hey everyone,

I'm implementing some NetScaler VPX appliances in our environment, with a NetScaler Gateway for XenApp behind a content switch.

I want to support realtime audio and EDT; they both use UDP/DTLS.

Does DTLS work when the gateway is accessed via a content switch? Anyone running this configuration? The content switch type is SSL; not sure if I need to configure it as a different type.

It seems like it's working when I access the gateway directly from the internal network, but not through the content switch. So I'm not sure if this is just an unsupported configuration, or if the firewall just isn't allowing the UDP traffic. (A different group handles the firewall, so I can't directly investigate.)

Thanks!

Well, that table says it's supported, but I can't get it to work. Anyone else configured like this and confirmed they're getting DTLS connections established?

DTLS is working when going directly to the gateway, but not through the content switch/Unified Gateway. It just connects using TCP. I tried it on some internal IP addresses to make sure it wasn't the firewall tripping me up.


SNI was not supported with DTLS, but it is now:

https://www.citrix.com/downloads/citrix-adc/firmware/release-121-build-4923.html

"Support for SNI on a DTLS virtual server

SNI (Server Name Indication) is now supported on a DTLS virtual server (frontend) on Citrix ADC MPX and VPX appliances. You can bind multiple SNI certificates to a DTLS virtual server.

For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.

[# 709345, 363547]"


We have it working on the current release of 13.x.

Make sure both your Content Switch VIP and Gateway VIP have DTLS enabled; earlier releases did not have this option at the Content Switch VIP.

I've also had luck by disabling/re-enabling DTLS on the Content Switch VIP and/or unbinding/rebinding the certificate.

**Note: Don't forget to enable "Hello Verify Request" and "Terminate Session" in your DTLS profile to mitigate UDP amplification attacks.**
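As an added illustration, not the poster's own configuration, here is the NetScaler CLI form of the settings described in this reply: one hardened DTLS profile applied to both the Content Switching VIP and the Gateway VIP. The vserver names, the profile name and the 203.0.113.10 address are placeholders; the `-dtls ON` parameter on the CS vserver is assumed from the 13.x behaviour the post describes, and the CS-to-gateway policy bindings are omitted because they are unchanged from a non-DTLS setup.

```nscli
# DTLS profile. helloVerifyRequest makes the ADC answer a cookieless ClientHello
# with a small HelloVerifyRequest instead of a full ServerHello/certificate flight,
# so a spoofed UDP source cannot use the VIP as an amplifier. terminateSession
# tears the DTLS session down instead of continuing when a record MAC check fails.
add ssl dtlsProfile dtls_hardened -helloVerifyRequest ENABLED -terminateSession ENABLED

# Gateway (VPN) virtual server with DTLS enabled. 0.0.0.0 port 0 is the
# non-addressable form used behind a Unified Gateway content switch.
add vpn vserver gw_vsrv SSL 0.0.0.0 0 -dtls ON
set ssl vserver gw_vsrv -dtlsProfileName dtls_hardened

# Content Switching virtual server in front of the gateway. It stays type SSL;
# DTLS is an attribute of the vserver (-dtls ON, assumed 13.x syntax), which is
# the option the post says earlier releases lacked at the CS VIP.
add cs vserver cs_gw_vsrv SSL 203.0.113.10 443 -dtls ON
set ssl vserver cs_gw_vsrv -dtlsProfileName dtls_hardened

# Verify: both vservers should report DTLS ON and the same DTLS profile name,
# and the profile should show HelloVerifyRequest and TerminateSession ENABLED.
show ssl vserver cs_gw_vsrv
show ssl vserver gw_vsrv
show ssl dtlsProfile dtls_hardened
```

If the client still falls back to TCP after this, check that UDP 443 to the CS VIP is open on the firewall before suspecting the ADC configuration.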
