Richard Franken
Posted November 21

Currently we face an interesting challenge, for which I cannot find a solution. I would like to know if the following is possible:

We have 2 NetScaler pairs: an internal one (ADC-PRD) and an external one (ADC-DMZ). On ADC-DMZ we expose applications behind a content switch, and this content switch uses an SSL profile for TLS 1.2 and TLS 1.3. On the ADC-PRD we also expose applications behind a content switch, and this content switch also uses an SSL profile for TLS 1.2 and TLS 1.3. On the virtual load balanced server representing the application we also have a URL Transform policy to translate external.name(.*) to internal.name$1 and vice versa.

On a Windows server we are hosting an application which needs Client Cert Based Authentication. This application is exposed on ADC-PRD, behind the content switch, as internal.name. We need the application to do Client Cert Based Authentication, so the NetScalers are supposed to pass the client cert through the entire process.

A client request would follow these steps:

1. Client -> TLS -> CS on ADC-DMZ
2. ADC-DMZ -> TLS -> CS on ADC-PRD
3. ADC-PRD -> TLS -> IIS on Windows Server
4. IIS should handle the client certificate and authorize the user

How can I do this? As far as I can tell it would only be possible by using an AAA server, but I cannot figure out how to configure this in this setup. All documentation is focused on a NetScaler which directly accesses the backend servers.
Nicola Campaci
Posted November 21

Hi @Richard Franken

Unfortunately, the client certificate can only be passed as a payload by injecting the certificate information into a header. So there are not many solutions:

1. Pass the certificate via a header and configure the application to read the subject of the certificate from that header (Citrix Support Article)
2. Remove client authentication from the application and delegate it to the NetScaler using an AAA vServer and the necessary authentication policies
3. Remove the balanced service from the CS and create a separate LB vServer in SSL-BRIDGE

I can't think of any other alternatives.
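The first option above (the ADC terminates TLS, inserts the client certificate's subject into a header, and the application reads it) moves the trust boundary: whoever can reach the application without going through the ADC can simply write that header themselves. The following is an added example, not code from the thread or from Citrix, showing how an application could consume such a header safely. The header name X-Client-Cert-Subject, the RFC 4514 style DN format of its value, the trusted ADC-PRD SNIP range 10.0.10.0/24 and the sample requests are all assumptions constructed for the example; the real header name and format come from the SSL action or rewrite policy configured on the ADC.

```python
"""Added example (not from the thread): consuming a client-certificate
subject that a NetScaler forwards in an HTTP header, with the checks an
application must make before trusting it.

Assumptions (not stated in the thread): the ADC inserts the subject DN in a
header called X-Client-Cert-Subject, the value is an RFC 4514 style string
such as "CN=jdoe,OU=Staff,O=Example,C=NL", and the application can see the
TCP peer address of the connection (the ADC's SNIP)."""

from ipaddress import ip_address, ip_network

# Hypothetical: only connections from these ADC-PRD SNIPs may carry the header.
TRUSTED_PROXY_NETS = [ip_network("10.0.10.0/24")]
SUBJECT_HEADER = "x-client-cert-subject"


def parse_dn(dn):
    """Parse an RFC 4514 DN string into an ordered list of (type, value) pairs.

    Handles backslash escapes and double-quoted values; an unescaped ','
    separates RDNs and an unescaped '+' separates attributes of a
    multi-valued RDN. Raises ValueError on malformed input.
    """
    pairs, buf, key, in_quotes, i = [], [], None, False, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last value
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and key is None and not in_quotes:
            key, buf = "".join(buf).strip().upper(), []
        elif ch in ",+" and not in_quotes:
            if key is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            pairs.append((key, "".join(buf).strip()))
            buf, key = [], None
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN: %r" % dn)
    return pairs


def dn_get(pairs, attr):
    """Return all values of one attribute type (e.g. 'CN'), in DN order."""
    return [v for k, v in pairs if k == attr.upper()]


def authenticated_user(peer_ip, headers):
    """Return the CN of the forwarded certificate subject, or None.

    The header is honoured only when the TCP peer is a trusted ADC address;
    from anywhere else it is attacker-controlled input and is ignored.
    Duplicate headers and DNs without exactly one non-empty CN are rejected
    so an ambiguous value can never be mapped to a user.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXY_NETS):
        return None
    values = [v for k, v in headers if k.lower() == SUBJECT_HEADER]
    if len(values) != 1:
        return None
    try:
        cns = dn_get(parse_dn(values[0]), "CN")
    except ValueError:
        return None
    return cns[0] if len(cns) == 1 and cns[0] else None


# Constructed sample requests: (peer address, header list) as the app sees them.
SAMPLE_REQUESTS = {
    # legitimate request relayed by ADC-PRD; the O value carries an escaped comma
    "via_adc": ("10.0.10.5", [
        ("Host", "internal.name"),
        ("X-Client-Cert-Subject", "CN=jdoe,OU=Staff,O=Example\\, Inc.,C=NL"),
    ]),
    # same header written by a host that bypassed the ADC: must not authenticate
    "direct_spoof": ("192.168.50.7", [
        ("Host", "internal.name"),
        ("X-Client-Cert-Subject", "CN=administrator,O=Example"),
    ]),
    # two copies of the header from the trusted side: ambiguous, rejected
    "duplicate_header": ("10.0.10.5", [
        ("X-Client-Cert-Subject", "CN=alice,O=Example"),
        ("X-Client-Cert-Subject", "CN=bob,O=Example"),
    ]),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLE_REQUESTS.items():
        print("%-17s -> %r" % (name, authenticated_user(peer, hdrs)))
```

The peer-address check is what makes the header design defensible: the application must be reachable only from the ADC-PRD SNIPs (firewall or host ACL), and the ADC must overwrite, not append, the header on every request so a client-supplied copy never survives the hop. Mapping on the full DN or on the certificate serial rather than the CN alone is preferable where the issuing CA allows duplicate CNs.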