
Currently we face an interesting challenge, for which I cannot find a solution.  I would like to know if the following is possible:

We have two NetScaler pairs: an internal one (ADC-PRD) and an external one (ADC-DMZ). On ADC-DMZ we expose applications behind a content switch and this content switch uses an SSL profile for TLS 1.2 and TLS 1.3.

On the ADC-PRD we also expose applications behind a content switch and this content switch also uses an SSL profile for TLS 1.2 and TLS 1.3. On the virtual load balanced server representing the application we also have a URL Transform policy to translate external.name(.*) to internal.name$1 and vice versa.

On a Windows server we are hosting an application which needs Client Cert Based Authentication. This application is exposed on ADC-PRD, behind the content switch as internal.name.

We need the application to do Client Cert Based Authentication, so the NetScalers are supposed to pass the client cert through the entire process.


A client request would follow the following steps:

Client -> TLS -> CS on ADC-DMZ

ADC-DMZ -> TLS -> CS on ADC-PRD

ADC-PRD -> TLS -> IIS on Windows Server

IIS should handle the client certificate and authorize the user


How can I do this? As far as I can tell it would only be possible by using an AAA server, but I cannot figure out how to configure this in this setup. All documentation is focused on a NetScaler which directly accesses the backend servers.


Hi @Richard Franken
Unfortunately, the client certificate can only be passed as a payload by injecting the certificate information into a header.
So there are not many solutions:

  • Pass the certificate via a header and configure the application to read the subject of the certificate from that header (Citrix Support Article)
  • Remove client authentication from the application and delegate it to the NetScaler using an AAA vServer and the necessary authentication policies
  • Remove the balanced service from the CS and create a separate LB vServer in SSL-BRIDGE

I can’t think of any other alternatives
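To make the first and third options above concrete, the following NetScaler CLI fragment is an added example, not configuration posted by either participant. The entity names (cs_dmz, cs_prd, lb_app_bridge, svc_iis, ca-root) and the IP addresses are assumptions; 10.0.0.5 stands for the SNIP that ADC-DMZ uses to reach ADC-PRD. The header option is only safe if the header is stripped from every request that did not get it from the NetScaler that actually validated the client certificate, so the fragment deletes any incoming X-Client-Cert before inserting its own, and on ADC-PRD deletes it unless the request came from ADC-DMZ.

```nscli
# --- Option 1: validate the client cert on ADC-DMZ, pass the subject in a header ---

# Trust anchor for client certificates; clientAuth must be Mandatory so an
# unauthenticated client can never reach the header-insert step.
add ssl certKey ca-root -cert ca-root.crt
bind ssl vserver cs_dmz -certkeyName ca-root -CA
set ssl vserver cs_dmz -clientAuth ENABLED -clientCert Mandatory

# Strip any X-Client-Cert a client sent, then insert the validated subject.
add rewrite action act_del_cc delete_http_header X-Client-Cert
add rewrite action act_ins_cc insert_http_header X-Client-Cert "CLIENT.SSL.CLIENT_CERT.SUBJECT"
add rewrite policy pol_del_cc TRUE act_del_cc
add rewrite policy pol_ins_cc TRUE act_ins_cc
# Delete first (NEXT keeps evaluating), then insert.
bind cs vserver cs_dmz -policyName pol_del_cc -priority 90  -gotoPriorityExpression NEXT -type REQUEST
bind cs vserver cs_dmz -policyName pol_ins_cc -priority 100 -gotoPriorityExpression END  -type REQUEST

# On ADC-PRD the CS is reachable from the internal network too, so only trust
# the header when the request arrives from the ADC-DMZ SNIP (assumed 10.0.0.5).
add rewrite action act_del_cc_prd delete_http_header X-Client-Cert
add rewrite policy pol_del_cc_prd "!CLIENT.IP.SRC.EQ(10.0.0.5)" act_del_cc_prd
bind cs vserver cs_prd -policyName pol_del_cc_prd -priority 90 -gotoPriorityExpression END -type REQUEST

# --- Option 3: SSL_BRIDGE so IIS terminates TLS and sees the client cert itself ---

# No certificate is bound to an SSL_BRIDGE vserver; TLS, including the client
# cert handshake, runs end to end between the browser and IIS. URL Transform and
# other HTTP policies cannot be applied on this path because the payload is opaque.
add service svc_iis 10.0.1.10 SSL_BRIDGE 443
add lb vserver lb_app_bridge SSL_BRIDGE 10.0.0.20 443
bind lb vserver lb_app_bridge svc_iis
```

With option 1 the application must stop requiring a client certificate on its own TLS listener and must accept connections only from the ADC-PRD SNIPs, otherwise anyone who can reach IIS directly can supply the header themselves. With option 3 the external.name to internal.name URL Transform on ADC-PRD no longer applies to this application, since the NetScaler never decrypts the traffic.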
