
Single backend server ip to directly terminate SSL sessions

Matthew Best


I run Netscaler VPX 12.0 Build 63.13.nc.


I'm setting up a new config:


1.   My backend server is a 2-node HA cluster running HTTPS only.  So all I really need the Netscaler for is to be a reverse-proxy.  All port 443 HTTPS traffic destined to the Netscaler vserver will be forwarded to the backend server cluster-vip.  I set this up as a "lb vserver" and then a single service pointing to the cluster-vip.   This "works", but is it the proper way to do this sort of thing?  


2.  I want SSL sessions to terminate directly on the backend cluster-vip.  So I DO NOT want to do SSL-offloading with the Netscaler.   In my lab I set it up as such and it seems to be working:


add lb vserver lb_test.example.com TCP <VIP on ADC> 443
add service service_test.example.com test-vip TCP 443


Is this the "proper" way of doing what I need or is there  a better way to tell the Netscaler not to do SSL-offloading?




What you need is an ssl_bridge vserver and service; ssl bridge has the netscaler pass SSL traffic but without doing ssl termination.  Though you have no ability to do header insertions (to pass client ips through) in this case.  SSL_BRIDGE would be better than TCP in this case as the adc knows the traffic is encrypted and that the adc is not terminating the traffic.


You were mostly right, if you don't want the ADC doing the load balancing at all:

# define your backend destination (your HA LB VIP on the backend), then the lb vserver of type ssl_bridge; then bind.
# adjust naming convention as needed.
add service svc_testlb <backend ha VIP> ssl_bridge 443
add lb vserver lb_vsrv_testlb_proxy ssl_bridge <VIP on ADC> 443
bind lb vserver lb_vsrv_testlb_proxy svc_testlb


No cert needed; does not do ssl offload. Feature set is limited for ssl_bridge.  Traffic terminates on destination and the backend destination will do your load balancing.  Be sure cert on backend is trusted by users who connect via the public fqdn that connects to the lb vserver on adc.



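To make the difference between the TCP, SSL_BRIDGE and SSL vserver types concrete, here is an added example (not code from the thread or from Citrix) that parses a few ns.conf-style lines and reports where TLS terminates for each lb vserver and whether the bound service type is compatible. The sample configuration is constructed: the question's TCP pairing and the answer's ssl_bridge pairing are completed with placeholder IPs, and an SSL (offload) vserver plus one deliberately mismatched binding are added for contrast. The compatibility table covers only the four service types the example uses.

```python
"""Classify NetScaler lb vservers by where TLS terminates.

Added example, not part of the original thread. Parses `add lb vserver`,
`add service` and `bind lb vserver` lines and reports, per vserver:
  - SSL          -> offload: the ADC terminates TLS (cert bound on the ADC)
  - SSL_BRIDGE   -> pass-through: TLS terminates on the backend
  - TCP on 443   -> works as blind pass-through, but SSL_BRIDGE is preferred
  - service type incompatible with the vserver type
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: IPs are documentation ranges, names follow the thread.
SAMPLE_CONFIG = """
add lb vserver lb_test.example.com TCP 198.51.100.10 443
add service service_test.example.com 203.0.113.20 TCP 443
bind lb vserver lb_test.example.com service_test.example.com
add service svc_testlb 203.0.113.20 SSL_BRIDGE 443
add lb vserver lb_vsrv_testlb_proxy ssl_bridge 198.51.100.11 443
bind lb vserver lb_vsrv_testlb_proxy svc_testlb
add lb vserver lb_offload SSL 198.51.100.12 443
add service svc_offload 203.0.113.20 HTTP 80
bind lb vserver lb_offload svc_offload
add lb vserver lb_mismatch SSL_BRIDGE 198.51.100.13 443
bind lb vserver lb_mismatch svc_offload
"""

# Which service types may be bound to a vserver of a given type (subset used here).
COMPATIBLE = {
    "SSL": {"SSL", "HTTP"},        # ADC terminates TLS; backend may be plain HTTP or re-encrypted
    "SSL_BRIDGE": {"SSL_BRIDGE"},  # pass-through; the service must also be SSL_BRIDGE
    "TCP": {"TCP"},
    "HTTP": {"HTTP"},
}

VSERVER_RE = re.compile(r"^add lb vserver (\S+) (\S+) (\S+) (\d+)$", re.I)
SERVICE_RE = re.compile(r"^add service (\S+) (\S+) (\S+) (\d+)$", re.I)
BIND_RE = re.compile(r"^bind lb vserver (\S+) (\S+)$", re.I)


@dataclass
class VServer:
    name: str
    svc_type: str
    ip: str
    port: int
    services: List[str] = field(default_factory=list)


def parse(config_text: str) -> Tuple[Dict[str, VServer], Dict[str, Tuple[str, str, int]], List[Tuple[str, str]]]:
    """Return (vservers, services, orphan_binds); unrecognised lines are ignored."""
    vservers: Dict[str, VServer] = {}
    services: Dict[str, Tuple[str, str, int]] = {}
    binds: List[Tuple[str, str]] = []
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := VSERVER_RE.match(line):
            name, typ, ip, port = m.groups()
            vservers[name] = VServer(name, typ.upper(), ip, int(port))
        elif m := SERVICE_RE.match(line):
            name, ip, typ, port = m.groups()
            services[name] = (ip, typ.upper(), int(port))
        elif m := BIND_RE.match(line):
            binds.append(m.groups())
    orphans = []
    for vs_name, svc_name in binds:  # resolve binds after everything is defined
        if vs_name in vservers:
            vservers[vs_name].services.append(svc_name)
        else:
            orphans.append((vs_name, svc_name))
    return vservers, services, orphans


def assess(config_text: str) -> Dict[str, List[str]]:
    """Map each vserver name to a list of findings about TLS termination and bindings."""
    vservers, services, _ = parse(config_text)
    report: Dict[str, List[str]] = {}
    for vs in vservers.values():
        notes: List[str] = []
        if vs.svc_type == "SSL":
            notes.append("offload: TLS terminates on the ADC (certificate must be bound here)")
        elif vs.svc_type == "SSL_BRIDGE":
            notes.append("pass-through: TLS terminates on the backend; no header insertion possible")
        elif vs.svc_type == "TCP" and vs.port == 443:
            notes.append("TCP on 443 passes TLS blindly; prefer SSL_BRIDGE so the ADC knows the stream is encrypted")
        for svc_name in vs.services:
            if svc_name not in services:
                notes.append(f"bound object {svc_name} is not a defined service")
                continue
            svc_type = services[svc_name][1]
            if svc_type not in COMPATIBLE.get(vs.svc_type, set()):
                notes.append(f"service {svc_name} is {svc_type}; incompatible with {vs.svc_type} vserver")
        if not vs.services:
            notes.append("no service bound; vserver will stay DOWN")
        report[vs.name] = notes
    return report


def backend_terminated(config_text: str) -> List[str]:
    """Names of vservers on which the ADC does not terminate TLS (TCP:443 or SSL_BRIDGE)."""
    vservers, _, _ = parse(config_text)
    return [v.name for v in vservers.values()
            if v.svc_type == "SSL_BRIDGE" or (v.svc_type == "TCP" and v.port == 443)]


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running it against a real `show ns runningConfig` dump is a quick way to confirm that a vserver meant to pass TLS through is actually SSL_BRIDGE and not silently configured as SSL (offload) or as bare TCP.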

Fantastic.  Thanks so much Rhonda.


I can envision being asked about passing CIP through, so in that case what kind of options do I have?   Could I instead do some custom tcp logging on the Netscaler and send that to a syslog?  All I really want is to be able to log client ip connections to this vserver.  


I found this and I think it would be helpful:  https://support.citrix.com/article/CTX226058


If you want to do header insertion, you have to decrypt the packet to do an insertion.    That is a limitation of ssl_bridge (making your traffic TCP:443 won't help you as it is still encrypted).


I don't even think NSWL (NetScaler Web Logging) is going to work with SSL_BRIDGE .  But someone else may have a different opinion.  I also don't think USIP mode is in your best interest without understanding your traffic.  So, TCP logging via a custom audit policy on this vserver might give you the info you want in the only way possible with ssl_bridge; I wouldn't want to turn it on globally for all traffic.



