
ADC functioning as a TLS/SQL proxy


Chris Gundry


Hi all

 

We are working to disable TLS 1.0/1.1 as a client protocol on our networks, but unfortunately we have several legacy 2003 systems which are running a few apps which we cannot migrate/replace for the foreseeable future, despite best efforts. Given that 2003 does not support TLS 1.2 this leaves us with an issue as a decent portion of our clients will still need access to the 2003 systems.

 

My thinking is that we use the ADC as a proxy, allowing only TLS 1.2 from the client to the ADC, then the ADC connects to the back end app server using TLS1.0/1.1. On the back end app server we restrict the FW to only allow connections from the ADC. This seems like a good short term solution until we can finally migrate away from these legacy systems. I have tried to set this up, but it is not working and I cannot work out why. It is just a simple IIS page on HTTPS, so I'm not sure why it isn't working. We have another NS LB VS that is doing the same thing with 2012 R2 IIS servers, although the VS and IIS are both TLS 1.2 only in that case. I have tried setting both ends of the NS LB setup to be TLS1.0 or 1.1 only as a test and there is no change. If I telnet from a client to the LB VS it doesn't timeout or fail, it goes to a blank screen; I'm not sure if that gives any hints about what it is doing or not.

We have another requirement, which is very similar, but for a legacy SQL server (very low traffic/performance requirement): we wish to proxy the SQL traffic through the NS so that we may isolate it using the FW and NS as mentioned above. I have set it up in the same way as above and I am getting the same issue: the telnet connects, but no SQL connection is working.

If anyone has any advice on doing this or troubleshooting the issue I am having it would be appreciated. Thanks!


How are you configuring your TLS settings?  Are you setting ssl profiles on the vserver and services or are you doing something else?  Is this traffic web based OR non-web traffic?

 

For the sql load balancing, how are you building it and did you create a sql account on the ADC (as adc uses sql authentication for database connections).

 

Share your service/vserver settings so we can tell if there is a config problem or something else is going on.  You can obscure IP addresses.


16 hours ago, Rhonda Rowland1709152125 said:

How are you configuring your TLS settings?  Are you setting ssl profiles on the vserver and services or are you doing something else?  Is this traffic web based OR non-web traffic?

 

For the sql load balancing, how are you building it and did you create a sql account on the ADC (as adc uses sql authentication for database connections).

 

Share your service/vserver settings so we can tell if there is a config problem or something else is going on.  You can obscure IP addresses.

Thanks for the reply Rhonda.

 

Let's forget the SQL one for a minute as that is clearly more complex than I thought, and stick with the HTTPS LB.

The settings lines I am using are as follows, although I configured most of it through the GUI. As you can see in the current config TLS 1.1 and 1.2 are disabled on the LB VS. I am configuring these manually, not using a profile at this stage, although I am planning to do that once I have things working; this is just for testing, and I felt it was easier to make changes this way.


add server SERVERNAME 10.1.1.1
add service "SERVERNAME SSL" SERVERNAME SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver "SERVERNAME SSL" SSL 172.25.0.5 443 -persistenceType SOURCEIP -state DISABLED -cltTimeout 180
bind lb vserver "SERVERNAME SSL" "SERVERNAME SSL"
set ssl service "SERVERNAME SSL" -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
bind ssl service "SERVERNAME SSL" -eccCurveName P_256
bind ssl service "SERVERNAME SSL" -eccCurveName P_384
bind ssl service "SERVERNAME SSL" -eccCurveName P_224
bind ssl service "SERVERNAME SSL" -eccCurveName P_521
bind ssl vserver "SERVERNAME SSL" -certkeyName "wildcard.domain.com"
bind ssl vserver "SERVERNAME SSL" -eccCurveName P_256
bind ssl vserver "SERVERNAME SSL" -eccCurveName P_384
bind ssl vserver "SERVERNAME SSL" -eccCurveName P_224
bind ssl vserver "SERVERNAME SSL" -eccCurveName P_521

Many thanks
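As an added check (not code from the thread or from Citrix), this Python script parses the `set ssl vserver` / `set ssl service` protocol flags in the form used in the config above and compares them with the split described in the first post: TLS 1.2 only on the client-facing vserver, TLS 1.0/1.1 on the ADC-to-2003 service. It also flags the `-state DISABLED` on the posted `add lb vserver` line; the INTENDED_CONFIG lines are an assumed target state, not something posted in the thread.

```python
import re

PROTO_FLAGS = ("ssl3", "tls1", "tls11", "tls12")

# SSL-relevant lines from the config posted in the thread, embedded as constructed sample input.
POSTED_CONFIG = """
add lb vserver "SERVERNAME SSL" SSL 172.25.0.5 443 -persistenceType SOURCEIP -state DISABLED -cltTimeout 180
set ssl service "SERVERNAME SSL" -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
"""
# The split the first post describes, written out explicitly (assumed target state, not
# lines from the page): TLS 1.2 only towards clients, TLS 1.0/1.1 towards the 2003 host.
INTENDED_CONFIG = """
add lb vserver "SERVERNAME SSL" SSL 172.25.0.5 443 -persistenceType SOURCEIP -cltTimeout 180
set ssl vserver "SERVERNAME SSL" -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
set ssl service "SERVERNAME SSL" -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 DISABLED
"""

SET_RE = re.compile(r'^set ssl (vserver|service) "[^"]+"(.*)$')
FLAG_RE = re.compile(r"-(tls12|tls11|tls1|ssl3)\s+(ENABLED|DISABLED)")


def parse_protocols(config):
    """Map each leg ('vserver' = client side, 'service' = ADC-to-backend side) to its explicit
    protocol flags. None means never set: the firmware default applies, so report it, don't guess."""
    state = {kind: dict.fromkeys(PROTO_FLAGS) for kind in ("vserver", "service")}
    for line in config.strip().splitlines():
        m = SET_RE.match(line.strip())
        if m:
            for flag, value in FLAG_RE.findall(m.group(2)):
                state[m.group(1)][flag] = (value == "ENABLED")
    return state


def audit(config):
    """Return findings; an empty list means the config matches the intended split."""
    findings = []
    if re.search(r"^add lb vserver .*-state DISABLED", config, re.M):
        findings.append("lb vserver is administratively disabled (-state DISABLED)")
    state = parse_protocols(config)
    front, back = state["vserver"], state["service"]
    # Client side: every flag explicit, and only TLS 1.2 on.
    for flag, want in (("ssl3", False), ("tls1", False), ("tls11", False), ("tls12", True)):
        if front[flag] is not want:
            findings.append(f"vserver: -{flag} should be explicitly {'ENABLED' if want else 'DISABLED'}")
    # Backend side: SSLv3 explicitly off, and at least one protocol the 2003 host speaks on.
    if back["ssl3"] is not False:
        findings.append("service: -ssl3 should be explicitly DISABLED")
    if not (back["tls1"] or back["tls11"]):
        findings.append("service: neither -tls1 nor -tls11 is explicitly ENABLED for the 2003 host")
    return findings
```

Protocol version is only half the handshake: the backend service also has to offer a cipher suite the 2003 host accepts, which this script does not check.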

