Michael B

Everything posted by Michael B

  1. RNAT is not the right solution for this. The Forward Proxy does work without decrypting as well; I'm working on that part and making some headway. Thanks for the reply.
  2. I'm not trying to do any of the above; I already know how to set up content switching and LB VIPs with URL policies. This is to configure SSL Forward Proxy, which I'm guessing is not a frequently used feature and pretty much speaks for itself regarding what I'm trying to accomplish, along with my original post: "My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone".
  3. I've been asked to test out the SSL Forward Proxy feature for a specific use case, but I'm getting tripped up by the subpar documentation. Is there a decent how-to guide to get this going? Can anyone explain to me how the SSL interception works and how to get an SSL bundle file loaded to use? I think I have the concepts down, and we have an internal CA/PKI to use, so I have the root and intermediate certs available to me (but not private keys). My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone. Any help would be appreciated. MB
  4. OK, but I still would like to figure out the best way to evaluate the total amount of SSL TPS the NetScaler is processing. Are you saying that the counter 'ssl_tot_sslInfo_TotalTxCount' does not include the ECDHE transactions?
  5. Hi all. I'm digging into some system stats and using a few different SSL counters to get an accurate picture of the SSL Tx/s volume during a recent event. There are three different counters that give me some good data, but I'm not sure they quite "add up", or whether I should look at them independently. I can't find any good documentation other than a listing of metrics with a brief description. When I compare these counters:
       ssl_tot_sslInfo_TotalTxCount
       ssl_tot_sslInfo_TLSv13TxCount
       ssl_tot_sslInfo_ECDHE_Tx
     and use -d maxrate, they all match up on the date/time, but the values are pretty different. Here is the output I'm comparing:
       # nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_ECDHE_Tx -d maxrate
       Index value symbol-name&device-no&time
       0 908 ssl_tot_sslInfo_ECDHE_Tx Sun Feb 4 17:01:15 2024
       # nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_TLSv13TxCount -d maxrate
       Index value symbol-name&device-no&time
       0 535 ssl_tot_sslInfo_TLSv13TxCount Sun Feb 4 17:01:15 2024
       # nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_TotalTxCount -d maxrate
       Index value symbol-name&device-no&time
       0 538 ssl_tot_sslInfo_TotalTxCount Sun Feb 4 17:01:15 2024
     If there were 908 ECDHE Tx, shouldn't the TotalTxCount be the same or higher? Or are these completely separate? Any help would be appreciated.
  6. Hi Mario, I have a few apps that require an Active/Passive type of configuration behind the VIP. I created each node as a service with its required monitor and settings. Create an LB Vserver for the secondary node and make it non-addressable. Bind the service you configured for the secondary node. Create an LB Vserver for the primary node, this time with the VIP you want to use along with other settings. Bind the primary node service you created. Under the Protection advanced settings, add the secondary LB Vserver you created as the "Backup Virtual Server". Save it and you should be good to go, assuming both Vservers are in an UP state. There are some other options within the Protection settings, but the default should accomplish what you want by having an Active/Standby service behind the VIP. Also, the Priority Load Balancing NS feature may be another option to accomplish this, perhaps even better... I haven't used it yet, so I can't say one way or another. Good luck.
  7. Thanks for the response. I already have a support ticket open, and the support technician confirmed the behavior and asked for a support bundle, which is uploaded. I still have not heard back from him. I did notice there are some syslog messages getting sent from the instances with the following errors:
       "Failed to download mapping file from: https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml " WARNING Event:Message Module:APPFW Type:nsvpx
       Nov 10 2023 08:59:11 "Failed to parse Signatures mapping file: '/nsconfig/waf_signatures/SignaturesMapping.xml' " WARNING Event:Message Module:APPFW Type:nsvpx
     It would initially seem like something was blocking access to the AWS source for the signatures, but I am able to manually force the update with no errors. I have tried to review our network logs for any blocks like that and have not found any.
  8. Hi all, I'm trying to run the WAF wizard to deploy basic security on public-facing sites using signatures. Initially I would run in logging mode and not block, but I can't even get that far. I can manually update the signatures, so they are current. The wizard never completes; it just spins and will not create a copy of the signatures, any policies, etc. The only item that gets created is a profile, but no settings are configured. I'm running 13.1-49.15, Platinum license with the features enabled. Any thoughts or known issues with this firmware version? I've already opened a case and am waiting for them to investigate further. Thanks.
  9. A couple of thoughts. First, if you have ADM licensing you can enable Web Insight on the VIP; even if it's not a "Web" application it will still capture some basic data like source IPs, and show the amount of requests hitting each of the backend servers. Second, you could create a custom syslog message that captures the CLIENT.SRC.IP along with whatever else, but remember to enable "User Configurable Log Messages" on the syslog server settings or it will ignore them. Bind it to the VIP and that will at least capture source IPs, answering your first question of "how can I check if traffic is hitting the VIP". It doesn't really tell you about backend connections, though. Third, run a trace with a filter to only capture traffic to/from the VIP. Maybe this should be first... idk, you choose. Good luck. MB
  10. Hi Jeff. I'm curious what your reasoning is for moving from F5 to NetScalers? I'm currently in the opposite position of considering F5 to replace our aging MPXs that are going EOL at the end of the year. So far we are on the fence after experimenting with a virtual edition F5 trial license. Our NetScalers work fine, but I would say one main point of frustration has been the poor tech support with Citrix. Any thoughts would be appreciated.
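For the SSL counter comparison in post 5 above, the following is an added example (not code from the poster or from NetScaler) that parses the `nsconmsg -d maxrate` output format shown there and flags per-type counters whose peak exceeds the total, or whose peak was sampled at a different time. The sample text is constructed from the values quoted in the post; the counter semantics (which counters are subsets of the total) are not assumed.

```python
import re

# Constructed sample: three `nsconmsg -K newnslog.70 -g <counter> -d maxrate`
# outputs concatenated, using the values quoted in the post.
SAMPLE = """\
# nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_ECDHE_Tx -d maxrate
Index   value   symbol-name&device-no&time
0       908     ssl_tot_sslInfo_ECDHE_Tx        Sun Feb  4 17:01:15 2024
# nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_TLSv13TxCount -d maxrate
Index   value   symbol-name&device-no&time
0       535     ssl_tot_sslInfo_TLSv13TxCount   Sun Feb  4 17:01:15 2024
# nsconmsg -K newnslog.70 -g ssl_tot_sslInfo_TotalTxCount -d maxrate
Index   value   symbol-name&device-no&time
0       538     ssl_tot_sslInfo_TotalTxCount    Sun Feb  4 17:01:15 2024
"""

# One data row: index, value, symbol name, then the timestamp (rest of line).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_maxrate(text):
    """Return {counter_name: (peak_value, timestamp)} from concatenated
    nsconmsg maxrate output. Echoed command lines ('#') and the
    'Index ...' header lines are skipped."""
    rates = {}
    for line in text.splitlines():
        if line.startswith("#") or line.lstrip().startswith("Index"):
            continue
        m = ROW.match(line)
        if not m:
            continue
        _idx, value, name, stamp = m.groups()
        rates[name] = (int(value), stamp)
    return rates


def sanity_check(rates, total="ssl_tot_sslInfo_TotalTxCount"):
    """List findings that need explaining before the counters are added up:
    a per-type peak above the total's peak, or peaks taken at different
    times (maxrate reports each counter's own peak, so they need not
    coincide). A finding is a prompt to check the counter definitions,
    not proof that a counter is wrong."""
    if total not in rates:
        return ["missing total counter %s" % total]
    total_val, total_stamp = rates[total]
    findings = []
    for name, (value, stamp) in rates.items():
        if name == total:
            continue
        if stamp != total_stamp:
            findings.append("%s: peak at %s, total peak at %s" % (name, stamp, total_stamp))
        if value > total_val:
            findings.append("%s: peak %d/s exceeds total peak %d/s" % (name, value, total_val))
    return findings
```

Paste the three command outputs into `SAMPLE` (or read them from a file) and `sanity_check(parse_maxrate(text))` reports exactly the ECDHE-above-total discrepancy the post asks about.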