I have a question regarding SSL certificates in NetScaler. Is it possible to bind/include an SSL certificate in a VIP in the NetScaler without doing any HTTPS offloading? I'm doing the HTTPS offloading on the backend servers. The reason why I need to do this is because I want to send the original client IP address through the NetScaler back to the backend servers; as of now I can't do that because every request is encrypted and the NetScaler must be aware of and able to decrypt the HTTPS request.
- So do you want to decrypt HTTPS in NetScaler to include the client IP in the header, re-encrypt it and then decrypt it again at your backend servers? That's much more expensive than doing only the decryption once, i.e. HTTPS offloading in NetScaler. But this might be useful if you cannot trust the network between NetScaler and the backend servers. – Steffen Ullrich Oct 25 '16 at 05:04
- @SteffenUllrich I do trust the network between the NetScaler and the backend servers, it's just that I'm looking for a workaround to fix the "problem" that the client IP is not being forwarded. We have plans to do all of the offloading in the NetScaler in the future, but right now we don't have any time. Thank you for your response Steffen. – krt Oct 25 '16 at 05:15
- And to answer your question: yes, that is probably what I'm asking for. – krt Oct 25 '16 at 05:17
1 Answer
Disregarding the fact that doing SSL Offloading on Citrix NetScaler, followed by SSL On-loading before sending traffic to the backend, and then decrypting at the backend again, will nullify the performance boost provided by doing SSL Offloading at the NetScaler, it is a common scenario in environments with strict encryption/security policies.
- You have to bind the SSL certificate to the Load Balancing virtual server (or Content Switching virtual server), with the type set to SSL, to perform SSL Offloading.
- If you are doing content switching (directing traffic to the correct load balancer using content switching policies), the load balancer itself can be of type HTTP in that case, as this traffic is internal to the NetScaler and will not leave the appliance.
- If you are doing plain load balancing, make sure your virtual server is of type SSL.
- The services/service group attached to the load balancer must be of type SSL to perform SSL On-loading.
But as you have guessed already, it is required to do the SSL Offloading at the NetScaler, because you don't have access to L7 data otherwise.

Jan
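The setup the answer describes (SSL virtual server in front, SSL services behind, client IP inserted in between), written out as NetScaler CLI; this is an added example, not configuration from the question or the answer, and every name, address and file path in it is a placeholder.

```text
# Added example (not from the question or the answer): end-to-end TLS through
# NetScaler with client-IP header insertion. Names, addresses and paths are
# placeholders.

# 1. Load the certificate/key pair the NetScaler presents to clients
add ssl certKey ck_www_example -cert /nsconfig/ssl/www_example.crt -key /nsconfig/ssl/www_example.key

# 2. Front end: LB virtual server of type SSL, so the appliance decrypts
#    the request and therefore has access to the L7 data
add lb vserver lb_www_example SSL 192.0.2.10 443
bind ssl vserver lb_www_example -certkeyName ck_www_example

# 3. Back end: services of type SSL, so the appliance re-encrypts towards the
#    servers (SSL On-loading); client-IP insertion is enabled per service,
#    so the original client address reaches the backend in X-Forwarded-For
add service svc_web01 10.0.1.11 SSL 443 -cip ENABLED X-Forwarded-For
add service svc_web02 10.0.1.12 SSL 443 -cip ENABLED X-Forwarded-For
bind lb vserver lb_www_example svc_web01
bind lb vserver lb_www_example svc_web02

# 4. Check: the vserver and its services should be UP and the certkey bound
show lb vserver lb_www_example
show ssl vserver lb_www_example
```

If the virtual server or services were of type SSL_BRIDGE instead, the appliance would pass the TLS session through without decrypting it and could not insert the header, which is the situation the question starts from.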