NetScaler OCSP stapling responder behind a proxy

For a customer of mine we have a NetScaler VPX deployed between the office automation network and a highly secured TPA network. This NetScaler delivers several services from the TPA network, like XenDesktop, RDP proxy and several HTTPS web and SOAP services. As some services are also used by external suppliers (connected via VPN to the office network), we need to use certificates from a generally trusted public certificate authority. As these same services are also used by machines on the office network without an Internet connection, we would like to use OCSP stapling on the NetScaler to present certificate status information to those clients.

The issue is that the NetScaler can only access the Internet, and thus the OCSP server of the certificate authority, through a proxy server.

Is there any way to tell the OCSP responder on the NetScaler to get the OCSP status information via a proxy server?

On 3/14/2019 at 11:28 PM, Richard Spoorenberg said:

Is there any way to tell the OCSP responder on the NetScaler to get the OCSP status information via a proxy server?

There is no out-of-the-box way to do that, but you can route the request via an LB that has the proxy server as its service, plus a rewrite policy that changes the requests so the proxy server accepts them. Finally, add a manually configured address record for the OCSP FQDN pointing to the LB. Here is the sample config.

#Create a Service for Proxy IP
add service proxyserver HTTP 8080

#Create the Rewrite Action and Policy
add rewrite action changereqtoproxy_act replace http.REQ.URL.PATH_AND_QUERY "\"http://\"+http.REQ.HOSTNAME+\"/\" + http.REQ.URL.PATH_AND_QUERY.AFTER_STR(\"/\")"
add rewrite policy changereqtoproxy_pol True changereqtoproxy_act

#Create an LB VIP and bind service and rewrite policy, it does not have to be reachable on the network
add lb vserver proxy_LB HTTP 80
bind lb vserver proxy_LB proxyserver
bind lb vserver proxy_LB -policyName changereqtoproxy_pol -priority 100 -gotoPriorityExpression END -type REQUEST

#create the OCSP responder and bind with CA
add ssl ocspResponder lab_ocsp_rsp -url "http://adca.lab.com/ocsp" -cache ENABLED -batchingDelay 1 -useNonce NO -insertClientCert YES
bind ssl certKey labCA -ocspResponder lab_ocsp_rsp -priority 5

#create an address record for the OCSP responder pointing to the LB
add dns addRec adca.lab.com
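The rewrite action in the answer above turns the OCSP responder's origin-form request (`POST /ocsp`) into the absolute-form request a forward proxy requires (`POST http://adca.lab.com/ocsp`). The following Python model of that transformation is an added example, not code from the post or from Citrix; it lets you check offline what the proxy service will receive, including the GET-form OCSP case where the base64-encoded request in the path contains further "/" characters. It assumes the OCSP client sends an HTTP/1.1 request with a Host header, that `HTTP.REQ.HOSTNAME` evaluates to that Host header value, and that `AFTER_STR("/")` returns everything after the first "/" (empty string if there is none). The sample requests and the request body bytes are constructed placeholders, not a real OCSP request.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed sample: the POST-form request an OCSP client sends when it
# believes it is talking to adca.lab.com directly (body is placeholder DER).
SAMPLE_POST = (
    b"POST /ocsp HTTP/1.1\r\n"
    b"Host: adca.lab.com\r\n"
    b"Content-Type: application/ocsp-request\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"\x30\x06\x30\x04\x30\x02\x30\x00"
)
# Constructed sample: GET-form OCSP (RFC 6960 A.1) carries the base64 request
# in the path; base64 includes "/", which the rewrite must leave untouched.
SAMPLE_GET = (
    b"GET /ocsp/MFEwTzBNMEsw/SS+AQ== HTTP/1.1\r\n"
    b"Host: adca.lab.com\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def after_str(text: str, needle: str) -> str:
    """Model of NetScaler AFTER_STR: text after the FIRST occurrence of needle
    (assumed to be empty when needle is absent)."""
    idx = text.find(needle)
    return "" if idx < 0 else text[idx + len(needle):]


def rewrite_to_absolute_form(raw: bytes) -> bytes:
    """Apply the answer's rewrite action to one request:
    replace HTTP.REQ.URL.PATH_AND_QUERY with
        "http://" + HTTP.REQ.HOSTNAME + "/" + PATH_AND_QUERY.AFTER_STR("/")
    Only the request-target changes; headers and body pass through unchanged."""
    method, target, version, headers, body = parse_request(raw)
    hostname = headers["host"]  # HTTP.REQ.HOSTNAME assumed = Host header value
    new_target = "http://" + hostname + "/" + after_str(target, "/")
    head_lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    head_lines[0] = f"{method} {new_target} {version}".encode("iso-8859-1")
    return b"\r\n".join(head_lines) + b"\r\n\r\n" + body


def is_absolute_form(raw: bytes) -> bool:
    """True when the request-target is an absolute URI (scheme plus host), the
    form a forward proxy expects (RFC 7230 section 5.3.2), not a bare path."""
    _, target, _, _, _ = parse_request(raw)
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    for sample in (SAMPLE_POST, SAMPLE_GET):
        rewritten = rewrite_to_absolute_form(sample)
        print("before:", sample.split(b"\r\n", 1)[0], is_absolute_form(sample))
        print("after: ", rewritten.split(b"\r\n", 1)[0], is_absolute_form(rewritten))
```

Once the config is in place, the check worth doing from one of the offline clients is `openssl s_client -connect <vip>:443 -status`, which prints the stapled OCSP response (or "no response sent") so you can confirm the responder actually reached the CA through the proxy. Note that the rewrite keys on the Host header only; if the responder URL carried a non-default port, the exact `HTTP.REQ.HOSTNAME` output would need checking on the appliance.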

