default SSL profile

Roshan Maharaj

Hi,

I am planning a NetScaler upgrade from a 10.5 build to the latest 11.1 59.10 build. I understand that the SSL profile aspect is new and different in these 11 versions. I don't have a default SSL profile enabled in 10.5.

So in 11.1, do I "need" to enable the default SSL profile, or can I just leave it disabled as it was in 10.5 and manage the SSL VIPs separately as I did with 10.5? I do know the advantages of having the SSL profile, but I still prefer to manage the SSL VIPs the same way as in 10.5 if possible. Hence the question.

Thanks.


The default ssl profile is a separate setup. You can use profiles without having the default profile requirement.

Short answer: you can upgrade without enabling the default ssl profile feature; you can use ssl profiles per vserver to configure ssl settings, or you can continue using ssl parameters on the vserver, but you should start using profiles (for more options/control).

Longer answer:

When you update from 10.5 to 11, you can continue managing SSL settings by a) adjusting ssl parameters per vserver (but this is not recommended) or b) creating an ssl profile for your settings and assigning it per vserver (preferred). You will still assign ssl profiles per vserver on a case-by-case basis. A default profile is not yet in use.

 

If a default ssl profile is not enabled, then basically:

Any vserver with no ssl profile assigned will fall back to the vserver ssl parameters. If no parameters are assigned, then the global ssl parameters are used.

If an SSL profile is assigned to the vserver, then it will override any conflicts with that vserver's SSL parameters.

 

You can then create ssl profiles to meet each of your needs. Different ssl profiles can be used to easily manage settings, and then you assign the specific ssl profiles where needed.

You can tune the profile per application if needed, or define settings once and reuse them by binding the same profile to multiple vservers.

 

---

If the default profile is enabled, then any new vserver you create will get the default profile setting automatically. All your existing vservers/services will have the default profile assigned if no current profile is present. You either then change the settings in the default profile OR create an alternate profile and bind that instead. You would then override with a custom profile per vserver.

The default profile is then used to establish a required/minimum security baseline if you don't explicitly bind a profile. Just like default monitors: add your own to replace it; if no monitor is bound, the default one is used. Create an ssl service/vserver; if no profile is specified, then the default profile is assigned with its settings. If you then replace it with a specific profile later, your new profile is used.

The ns_default_ssl_profile_frontend will attach to all vservers with no existing profile; the ns_default_ssl_profile_backend will attach to all ssl services without an existing profile.

You can then adjust the default profile settings.


Also an important thing to note....

 

If defaultProfile is DISABLED (set ssl param -defaultProfile DISABLED), you cannot adjust the ciphers used by the default front-side or default back-end profile. This means lb monitors using ssl cannot have ecc curves bound. Even though you can attach an ssl profile to the lb monitor object, you cannot change the cipher group. It's definitely worth the pain to switch to profiles so you can have more flexibility and leverage all the tls features.

On 8/30/2018 at 12:05 AM, Rhonda Rowland1709152125 said:

The default ssl profile is a separate setup. You can use profiles without having the default profile requirement.

Short answer: you can upgrade without enabling the default ssl profile feature; you can use ssl profiles per vserver to configure ssl settings, or you can continue using ssl parameters on the vserver, but you should start using profiles (for more options/control).

Longer answer:

When you update from 10.5 to 11, you can continue managing SSL settings by a) adjusting ssl parameters per vserver (but this is not recommended) or b) creating an ssl profile for your settings and assigning it per vserver (preferred). You will still assign ssl profiles per vserver on a case-by-case basis. A default profile is not yet in use.

 

If a default ssl profile is not enabled, then basically:

Any vserver with no ssl profile assigned will fall back to the vserver ssl parameters. If no parameters are assigned, then the global ssl parameters are used.

If an SSL profile is assigned to the vserver, then it will override any conflicts with that vserver's SSL parameters.

 

You can then create ssl profiles to meet each of your needs. Different ssl profiles can be used to easily manage settings, and then you assign the specific ssl profiles where needed.

You can tune the profile per application if needed, or define settings once and reuse them by binding the same profile to multiple vservers.

 

---

If the default profile is enabled, then any new vserver you create will get the default profile setting automatically. All your existing vservers/services will have the default profile assigned if no current profile is present. You either then change the settings in the default profile OR create an alternate profile and bind that instead. You would then override with a custom profile per vserver.

The default profile is then used to establish a required/minimum security baseline if you don't explicitly bind a profile. Just like default monitors: add your own to replace it; if no monitor is bound, the default one is used. Create an ssl service/vserver; if no profile is specified, then the default profile is assigned with its settings. If you then replace it with a specific profile later, your new profile is used.

The ns_default_ssl_profile_frontend will attach to all vservers with no existing profile; the ns_default_ssl_profile_backend will attach to all ssl services without an existing profile.

You can then adjust the default profile settings.

Be careful guys, this part is not true. If you activate the defaultProfile, it is going to override every single profile assigned to VIPs and services as well. Be sure to back up and be ready to reapply your custom profiles.
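The fallback order described in the first answer (explicit profile, then vserver/service ssl parameters, then global parameters) and the backup-before-enabling warning in the last reply can both be checked against a running config dump before the switch. The script below is an added example, not from the thread or from Citrix; it parses a constructed `show ns runningConfig` excerpt (sample entity names and addresses, hypothetical profile names), reports where each SSL vserver and service gets its TLS settings, and emits the `set ssl ... -sslProfile` lines needed to rebind the custom profiles afterwards.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a "show ns runningConfig" dump (sample data, not from
# any real appliance). Profile names fe_tls12_only / be_strict are hypothetical.
SAMPLE_CONFIG = """\
set ssl parameter -defaultProfile DISABLED
add ssl profile fe_tls12_only -sslProfileType FrontEnd -tls1 DISABLED -tls11 DISABLED
add ssl profile be_strict -sslProfileType BackEnd
add lb vserver vs_portal SSL 10.0.0.10 443
add lb vserver vs_legacy SSL 10.0.0.11 443
add lb vserver vs_http HTTP 10.0.0.12 80
add service svc_app1 10.1.0.10 SSL 443
add service svc_app2 10.1.0.11 SSL 443
set ssl vserver vs_portal -sslProfile fe_tls12_only
set ssl vserver vs_legacy -tls1 DISABLED
set ssl service svc_app1 -sslProfile be_strict
"""

ADD_RE = re.compile(r"^add (lb vserver|service) (\S+) (?:\S+ )?SSL\b")
SET_RE = re.compile(r"^set ssl (vserver|service) (\S+)(.*)$")
PROFILE_RE = re.compile(r"-sslProfile (\S+)")

def inventory(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each SSL vserver/service name to (kind, origin), where origin is
    'profile:<name>' (explicit profile bound), 'params' (only per-entity ssl
    parameters set) or 'global' (nothing set locally, global parameters apply)."""
    source: Dict[str, Tuple[str, str]] = {}
    for line in config.splitlines():
        m = ADD_RE.match(line)
        if m:  # only SSL entities; HTTP vservers are skipped
            kind = "vserver" if m.group(1) == "lb vserver" else "service"
            source.setdefault(m.group(2), (kind, "global"))
            continue
        m = SET_RE.match(line)
        if m and m.group(2) in source:
            p = PROFILE_RE.search(m.group(3))
            kind = source[m.group(2)][0]
            source[m.group(2)] = (kind, f"profile:{p.group(1)}" if p else "params")
    return source

def rebind_commands(source: Dict[str, Tuple[str, str]]) -> List[str]:
    """CLI lines that restore every explicit binding after enabling defaultProfile."""
    return [f"set ssl {kind} {name} -sslProfile {origin[len('profile:'):]}"
            for name, (kind, origin) in sorted(source.items())
            if origin.startswith("profile:")]

def unprofiled(source: Dict[str, Tuple[str, str]]) -> List[str]:
    """Entities with no explicit profile: these will pick up ns_default_ssl_profile_*."""
    return sorted(n for n, (_, o) in source.items() if not o.startswith("profile:"))
```

Run `inventory(SAMPLE_CONFIG)` against the real dump's text and keep the `rebind_commands` output with the backup; `unprofiled` lists the entities whose effective settings change the moment the default profile is enabled.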
