Cisco Citrix NetScaler 1000V User guide

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide.

Addresses, phone numbers, and fax numbers

are listed on the Cisco website at

www.cisco.com/go/offices.

Citrix NetScaler 1000V

Application Security Guide

Citrix NetScaler 10.5

December 11, 2014

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant

to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial

environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause

harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required

to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant

to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates,

uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be

determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this

URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display

output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in

illustrative content is unintentional and coincidental.

Citrix and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the United States Patent

and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.

Contents

1 AAA Application Traffic..............................................................................15

How AAA Works..............................................................................16

Enabling AAA.................................................................................18

To enable AAA by using the command line interface.................................. 18

To enable AAA by using the configuration utility....................................... 19

Setting up AAA Virtual Servers and DNS....................................................19

Configuring the Authentication Virtual Server..........................................20

To configure an authentication virtual server by using the command line

interface............................................................................20

To configure an authentication virtual server by using the configuration utility.. 21

Configuring a Traffic Management Virtual Server......................................22

To configure a TM virtual server for AAA by using the command line

interface............................................................................23

To configure a TM virtual server for AAA by using the configuration utility...... 24

Configuring DNS........................................................................ 24

Verifying Your Setup for AAA........................................................... 24

To verify authentication virtual server setup by using the command line

interface............................................................................24

To verify your AAA virtual server setup by using the configuration utility........ 25

Authentication Profile.........................................................................25

To configure an authentication profile by using the command line.................... 25

To configure an authentication profile by using the configuration utility............... 26

Configuring Users and Groups...............................................................26

To create a local AAA user account by using the command line interface............27

To change the password for an existing AAA local user account by using the

command line interface................................................................. 27

To configure AAA local users by using the configuration utility........................28

To create AAA local groups and add users to them by using the command line

interface................................................................................. 28

To remove users from an AAA group by using the command line interface.......... 29

To remove an AAA group by using the command line interface.......................29

iii

To configure AAA local groups and add users to them by using the configuration

utility..................................................................................... 29

Configuring AAA Policies.....................................................................30

Authentication Policies..................................................................31

To add an authentication action by using the command line interface...........32

To configure an authentication action by using the command line interface.....32

To remove an authentication action by using the command line interface.......33

To configure an authentication server by using the configuration utility..........33

To create and bind an authentication policy by using the command line

interface............................................................................34

To modify an existing authentication policy by using the command line

interface............................................................................34

To remove an authentication policy by using the command line interface....... 35

To configure and bind authentication policies by using the configuration

utility................................................................................35

LDAP Authentication Policies......................................................36

Negotiate Authentication Policies................................................. 37

RADIUS Authentication Policies...................................................39

SAML Authentication Policies..................................................... 42

SAML IDP Authentication Policies................................................ 45

Web Authentication Policies.......................................................46

Configuring Advanced Authentication Policies....................................48

Authorization Policies................................................................... 48

To create an authorization policy..................................................49

To modify an authorization policy..................................................49

To bind an authorization policy to a user account or group.......................50

To unbind an authorization policy from a user account or group.................50

To remove an authorization policy.................................................51

To configure and bind authorization policies by using the configuration utility...51

Auditing Policies.........................................................................51

To create an auditing policy by using the command line interface............... 52

To modify an auditing policy by using the command line interface...............52

To globally bind an auditing policy by using the command line interface........ 53

To bind an auditing policy to an authentication virtual server by using the

command line interface............................................................53

To bind an auditing policy to a user account or a group by using the

command line interface............................................................54

To unbind a globally bound auditing policy by using the command line

interface............................................................................54

Contents

iv

To unbind an auditing policy from an authentication virtual server by using

the command line interface........................................................54

To unbind an auditing policy from a user account or a group by using the

command line interface............................................................55

To remove an auditing policy by using the command line interface..............55

To configure and bind auditing policies by using the configuration utility........ 55

Session Settings..............................................................................56

Session Profiles.........................................................................57

To create a session profile by using the command line interface................ 57

To modify a session profile by using the command line interface................57

To remove a session profile by using the command line interface............... 58

To configure session profiles by using the configuration utility................... 58

Session Policies.........................................................................58

To create a session policy by using the command line interface.................59

To modify a session policy by using the command line interface................ 59

To globally bind a session policy by using the command line interface..........59

To bind a session policy to an authentication virtual server by using the

command line interface............................................................60

To unbind a session policy from an authentication virtual server by using the

command line interface............................................................60

To unbind a globally bound session policy by using the command line

interface............................................................................60

To remove a session policy by using the command line interface................61

To configure and bind session policies by using the configuration utility.........61

Global Session Settings.................................................................62

To configure the session settings by using the command line interface......... 62

To configure the session settings by using the configuration utility.............. 63

Traffic Settings................................................................................63

Traffic Profiles...........................................................................63

To create a traffic profile by using the command line interface...................64

To modify a session profile by using the command line interface................64

To remove a session profile by using the command line interface............... 64

To configure traffic profiles by using the configuration utility..................... 64

Traffic Policies...........................................................................65

To create a traffic policy by using the command line interface................... 65

To modify a traffic policy by using the command line interface...................65

To globally bind a traffic policy by using the command line interface............ 66

To bind a traffic policy to a load balancing or content switching virtual server

by using the command line interface..............................................66

To unbind a globally bound traffic policy by using the command line interface..66

Citrix NetScaler Application Security Guide

v

To unbind a traffic policy from a load balancing or content switching virtual

server by using the command line interface...................................... 67

To remove a traffic policy by using the command line interface..................67

To configure and bind traffic policies by using the configuration utility...........67

Form SSO Profiles...................................................................... 68

To create a form SSO profile by using the command line interface..............68

To modify a form SSO by using the command line interface.....................68

To remove a form SSO profile by using the command line interface.............69

To configure form SSO profiles by using the configuration utility.................69

SAML SSO Profiles..................................................................... 70

To create a SAML SSO profile by using the command line interface............ 70

To modify a SAML SSO by using the command line interface................... 70

To remove a SAML SSO profile by using the command line interface...........70

To configure a SAML SSO profile by using the configuration utility..............71

Session Timeout for OWA 2010...................................................71

Authenticating with Client Certificates....................................................... 72

To configure the AAA client certificate parameters by using the command line

interface................................................................................. 73

To configure the AAA client certificate parameters by using the configuration

utility..................................................................................... 73

Client Certificate Pass-Through........................................................ 74

To create and configure client certificate pass-through by using the

command line interface............................................................74

Configuring AAA with Commonly Used Protocols ..........................................76

Handling Authentication, Authorization and Auditing with Kerberos/NTLM........... 76

How NetScaler Implements Kerberos Authentication............................ 78

Kerberos Authentication - Configuration on the NetScaler Appliance............80

Configuration of Kerberos Authentication on a Client............................ 88

Offloading Kerberos Authentication from Physical Servers...................... 88

NetScaler Kerberos Single Sign-On.........................................................91

An Overview of NetScaler Kerberos SSO..............................................92

Integration of NetScaler Kerberos SSO with Authentication Methods........... 93

Setting up NetScaler SSO.............................................................. 94

Prerequisites.......................................................................94

Configuring SSO...................................................................98

Generating the KCD Keytab Script....................................................105

To generate the KCD keytab script by using the configuration utility........... 105

SAML IdP....................................................................................105

To add a SAML IdP profile from the command line interface.........................107

Example...........................................................................108

Contents

vi

To configure a SAML IdP profile by using the configuration utility................... 108

2 Application Firewall.................................................................................111

Introduction..................................................................................113

Web Application Security.............................................................. 113

Known Web Attacks.............................................................. 114

Unknown Web Attacks............................................................116

How The Application Firewall Works..................................................117

Application Firewall Features..........................................................119

The Application Firewall Configuration Interfaces.................................... 119

Configuring the Application Firewall........................................................120

The Application Firewall Wizard.......................................................121

The Citrix Web Interface AppExpert Template........................................122

The Citrix NetScaler Configuration Utility............................................. 123

The Citrix NetScaler Command Line Interface........................................123

Enabling the Application Firewall......................................................124

To enable the application firewall by using the command line interface........ 124

To enable the application firewall by using the configuration utility............. 124

The Application Firewall Wizard.......................................................125

Opening the Wizard.............................................................. 125

The Wizard Screens..............................................................125

To configure the Application Firewall: Initial Configuration......................129

To configure the Application Firewall: Enabling Blocking for Signatures....... 130

To configure the Application Firewall: Enabling and Configuring advanced

protection......................................................................... 130

To configure the Application Firewall: Creating A Policy........................ 131

Manual Configuration..................................................................132

Manual Configuration By Using the Configuration Utility........................132

Manual Configuration By Using the Command Line Interface.................. 143

Signatures...................................................................................146

Manually Configuring the Signatures Feature........................................ 147

Adding or Removing a Signatures Object.............................................148

To create a signatures object from a template...................................148

To create a signatures object by importing a file................................ 149

To create a signatures object by importing a file by using the command line.. 149

To remove a signatures object by using the configuration utility................149

To remove a signatures object by using the command line.....................150

Configuring or Modifying a Signatures Object........................................ 150

To configure or modify a signatures object...................................... 150

Updating a Signatures Object.........................................................153

Citrix NetScaler Application Security Guide

vii

To update the application firewall signatures from the source by using the

command line.....................................................................153

Updating a Signatures Object from a Citrix Format File.........................154

Updating a Signatures Object from a Supported Vulnerability Scanning Tool..155

Exporting a Signatures Object to a File...............................................156

To export a signatures object to a file............................................156

The Signatures Editor................................................................. 156

To add or modify a local signature rule by using the Signatures Editor.........156

To add a signature rule category.................................................158

Signature Rule Patterns..........................................................159

Advanced Protections.......................................................................164

Top-Level Advanced Protections......................................................165

HTML Cross-Site Scripting Check............................................... 166

HTML SQL Injection Check...................................................... 169

Buffer Overflow Check........................................................... 172

Cookie Consistency Check.......................................................173

Data Leak Prevention Checks.........................................................175

Credit Card Check................................................................175

Safe Object Check................................................................176

Advanced Form Protection Checks................................................... 178

Field Formats Check............................................................. 179

Form Field Consistency Check.................................................. 180

CSRF Form Tagging Check......................................................183

Deny URL Check.................................................................184

URL Protection Checks................................................................186

Start URL Check..................................................................186

Deny URL Check.................................................................188

XML Protection Checks................................................................189

XML Format Check...............................................................190

XML Denial-of-Service Check....................................................190

XML Cross-Site Scripting Check.................................................193

XML SQL Injection Check........................................................195

XML Attachment Check.......................................................... 197

Web Services Interoperability Check............................................ 197

XML Message Validation Check................................................. 198

XML SOAP Fault Filtering Check................................................ 199

Profiles...................................................................................... 200

Built-In Profiles.........................................................................200

User-Defined Profiles..................................................................200

Creating Application Firewall Profiles.................................................201

Contents

viii

To create an application firewall profile by using the command line interface..202

To create an application firewall profile by using the configuration utility.......202

Configuring Application Firewall Profiles..............................................203

To configure an application firewall profile by using the command line.........203

To configure an application firewall profile by using the configuration utility....204

Managing Content Types.........................................................205

Changing an Application Firewall Profile Type........................................209

To change an application firewall profile type by using the command line

interface...........................................................................210

To change an application firewall profile type by using the configuration

utility...............................................................................210

Exporting and Importing an Application Firewall Profile..............................210

To export an application firewall profile by using the command line interface..210

To export an application firewall profile by using the configuration utility....... 211

To import an application firewall profile by using the command line interface.. 211

Configuring and Using the Learning Feature......................................... 212

To configure the learning settings by using the command line interface........213

To reset learning settings to their defaults by using the command line

interface...........................................................................214

To display the learning settings for a profile by using the command line

interface...........................................................................214

To display unreviewed learned rules or relaxations for a profile by using the

command line interface...........................................................215

To remove specific unreviewed learned rules or relaxations from the

learning database by using the command line interface........................ 215

To remove all unreviewed learned data by using the command line interface. 215

To export learning data by using the command line interface...................215

To configure the Learning feature by using the configuration utility.............216

To review learned rules or relaxations by using the configuration utility........217

Supplemental Information about Profiles............................................. 218

Configuration Variable Support...................................................218

PCRE Character Encoding Format.............................................. 219

Inverted PCRE Expressions......................................................221

Disallowed Names for Application Firewall Profiles............................. 222

Policies...................................................................................... 223

Firewall Policies........................................................................224

Creating and Configuring Application Firewall Policies......................... 224

Binding Application Firewall Policies.............................................229

Viewing a Firewall Policy's Bindings.............................................231

Auditing Policies....................................................................... 231

Citrix NetScaler Application Security Guide

ix

To create an auditing server by using the command line interface............. 232

To modify or remove an auditing server by using the command line interface. 232

To create or configure an auditing server by using the configuration utility.....233

To create an auditing policy by using the command line interface..............233

To configure an auditing policy by using the command line interface...........234

To configure an auditing policy by using the configuration utility................234

Imports...................................................................................... 235

HTML Error Object.....................................................................235

XML Error Object...................................................................... 237

XML Schema...........................................................................237

WSDL.................................................................................. 237

Importing and Exporting Files......................................................... 237

To import a file by using the command line interface............................238

To import a file by using the configuration utility.................................238

To export a file by using the configuration utility.................................239

To edit an HTML or XML Error Object in the configuration utility............... 239

Global Configuration........................................................................240

Engine Settings........................................................................240

To configure engine settings by using the command line interface.............241

To configure engine settings by using the configuration utility.................. 242

Confidential Fields.....................................................................243

To add a confidential field by using the command line interface................244

To modify a confidential field by using the command line interface.............244

To remove a confidential field by using the command line interface............244

To configure a confidential field by using the configuration utility...............245

Field Types.............................................................................247

To add a field type by using the command line interface........................247

To modify a field type by using the command line interface.....................248

To remove a field type by using the command line interface....................248

To configure a field type by using the configuration utility.......................248

XML Content Types....................................................................249

To add an XML content type pattern by using the command line interface.....249

To remove an XML content type pattern by using the command line interface 250

To configure the XML content type list by using the configuration utility........250

JSON Content Types.................................................................. 251

To add a JSON content type pattern by using the command line interface.....251

To configure the JSON content type list by using the configuration utility...... 251

Logs, Statistics, and Reports............................................................... 252

The Application Firewall Logs.........................................................252

NetScaler Format Logs...........................................................252

Contents

x

Viewing the Application Firewall Logs........................................... 253

The Application Firewall Statistics.....................................................254

The Application Firewall Reports......................................................255

The PCI DSS Report............................................................. 255

The Application Firewall Configuration Report.................................. 256

Appendices..................................................................................256

PCRE Character Encoding Format................................................... 256

Whitehat WASC Signature Types for WAF Use...................................... 259

WASC 1.0 Signature Types...................................................... 259

WASC 2.0 Signature Types...................................................... 259

Best Practices.................................................................... 260

3 Content Filtering....................................................................................261

Enabling Content Filtering.................................................................. 262

To enable content filtering by using the command line interface.....................262

To enable content by filtering by using the configuration utility.......................263

Configuring a Content Filtering Action......................................................263

To configure a content filtering action by using the command line interface.........264

To configure a content filtering action by using the configuration utility..............264

Configuring a Content Filtering Policy......................................................265

To configure a content filtering policy by using the command line interface.........266

To configure a content filtering policy by using the configuration utility.............. 266

Binding a Content Filtering Policy.......................................................... 270

To bind a policy to a virtual server by using the command line interface............ 270

Example...........................................................................270

To globally bind a policy by using the command line interface.......................271

Example...........................................................................271

To bind a policy to a virtual server by using the configuration utility................. 271

To globally bind a policy by using the configuration utility............................271

Configuring Content Filtering for a Commonly Used Deployment Scenario.............. 272

To enable content filtering............................................................. 272

To configure the content filtering policy filter-CF-nimda.............................. 272

To globally bind the content filtering policy............................................273

To bind the content filtering policy to a virtual server................................. 273

To verify the content filtering configuration by using the command line interface... 274

To verify the content filtering configuration by using the configuration utility.........274

Troubleshooting.............................................................................275

Resources for Troubleshooting........................................................275

Troubleshooting Content Filtering Issues.............................................275

Citrix NetScaler Application Security Guide

xi

4 HTTP Denial-of-Service Protection................................................................277

Layer 3-4 SYN Denial-of-Service Protection...............................................279

Enabling HTTP DoS Protection.............................................................279

To enable HTTP DoS protection by using the command line interface.............. 279

To enable HTTP DoS protection by using the configuration utility................... 280

Defining an HTTP DoS Policy.............................................................. 280

To configure a HTTP DoS policy by using the command line interface..............281

To configure an HTTP DoS policy by using the configuration utility..................281

Configuring an HTTP DoS Service.........................................................282

To configure an HTTP DoS service by using the command line interface...........282

To configure an HTTP DoS service by using the configuration utility................ 283

Binding an HTTP DoS Monitor and Policy................................................. 284

To bind the monitor to the service by using the command line interface.............284

To bind the policy to the service by using the command line interface...............284

To bind the monitor and policy to the service by using the configuration utility......286

Tuning the Client Detection/JavaScript Challenge Response Rate.......................286

Guidelines for HTTP DoS Protection Deployment.........................................287

5 Priority Queuing.................................................................................... 289

Enabling Priority Queuing...................................................................291

To enable priority queuing by using the command line interface.....................291

To enable priority queuing by using the configuration utility..........................291

Configuring a Priority Queuing Policy...................................................... 292

To configure a priority queuing policy by using the command line interface.........292

To configure a priority queuing policy by using the configuration utility..............292

Binding a Priority Queuing Policy...........................................................294

To bind a priority queuing policy by using the command line interface.............. 294

To bind a priority queuing policy by using the configuration utility....................295

Setting Up Weighted Queuing..............................................................295

6 SureConnect........................................................................................ 297

Installing SureConnect......................................................................299

Installing on UNIX......................................................................299

To install SureConnect........................................................... 299

Installing on Windows................................................................. 300

To install SureConnect on Windows............................................. 300

Configuring SureConnect...................................................................300

Configuring the Response for Alternate Server Failure.............................. 301

Customizing the Default Response..............................................301

Contents

xii

SureConnect with In-Memory response (NS action)............................ 302

Configuring the SureConnect Policies................................................ 304

Configuring Exact URL Based Policies..........................................304

Configuring Wildcard Rule-Based Policies...................................... 305

Displaying the Configured SureConnect Policy................................. 306

Customizing the Alternate Content File...............................................306

Configuring SureConnect for Citrix NetScaler Features..............................308

Configuring SureConnect for Load Balancing...................................308

Configuring SureConnect for Cache Redirection................................308

Configuring SureConnect for High Availability...................................308

Activating SureConnect.....................................................................308

SureConnect Environments................................................................ 309

Primary and Alternate Servers........................................................ 309

Configuration Checklist................................................................310

To redirect the client to another URL.............................................311

Example Configurations............................................................... 312

Example 1 - SureConnect Progress Bar and Alternate Page .................. 312

Example 2 - SureConnect Progress Bar Only...................................313

Example 3 - SureConnect with Load Balancing.................................313

Example 4 - SureConnect with Load Balancing (ACS Action)..................314

Example 5 - SureConnect with Content Switching..............................314

7 Surge Protection....................................................................................317

Disabling and Reenabling Surge Protection............................................... 320

To disable or reenable surge protection by using the command line interface...... 320

To disable or reenable surge protection by using the configuration utility........... 321

To disable or reenable surge protection for a particular service by using the

configuration utility.....................................................................321

Setting Thresholds for Surge Protection................................................... 322

Flushing the Surge Queue..................................................................324

To flush a surge queue by using the command line interface........................325

Examples......................................................................... 326

To flush a surge queue by using the configuration utility............................. 326

Citrix NetScaler Application Security Guide

xiii

Contents

xiv

Chapter 1

AAA Application Traffic

Topics:

•How AAA Works

•Enabling AAA

•Setting up AAA Virtual

Servers and DNS

•Authentication Profile

•Configuring Users and

Groups

•Configuring AAA Policies

•Session Settings

•Traffic Settings

•Authenticating with Client

Certificates

•Configuring AAA with

Commonly Used Protocols

•NetScaler Kerberos Single

Sign-On

•SAML IdP

Many companies restrict web site access to valid users only,

and control the level of access permitted to each user. The

AAA feature allows a site administrator to manage access

controls with the NetScaler appliance instead of managing

these controls separately for each application. Doing

authentication on the appliance also permits sharing this

information across all web sites within the same domain that

are protected by the appliance.

The AAA feature supports authentication, authorization, and

auditing for all application traffic. To use AAA, you must

configure authentication virtual servers to handle the

authentication process and traffic management virtual servers

to handle the traffic to web applications that require

authentication. You also configure your DNS to assign FQDNs

to each virtual server. After configuring the virtual servers,

you configure a user account for each user that will

authenticate via the NetScaler appliance, and optionally you

create groups and assign user accounts to groups. After

creating user accounts and groups, you configure policies that

tell the appliance how to authenticate users, which resources

to allow users to access, and how to log user sessions. To put

the policies into effect, you bind each policy globally, to a

specific virtual server, or to the appropriate user accounts or

groups. After configuring your policies, you customize user

sessions by configuring session settings and binding your

session policies to the traffic management virtual server.

Finally, if your intranet uses client certs, you set up the client

certificate configuration.

Before configuring AAA, you should be familiar with and

understand how to configure load balancing, content

switching, and SSL on the NetScaler appliance.

15

How AAA Works

AAA provides security for a distributed Internet environment by allowing any client

with the proper credentials to connect securely to protected application servers from

anywhere on the Internet. This feature incorporates the three security features of

authentication, authorization, and auditing. Authentication enables the NetScaler ADC

to verify the client’s credentials, either locally or with a third-party authentication

server, and allow only approved users to access protected servers. Authorization

enables the ADC to verify which content on a protected server it should allow each user

to access. Auditing enables the ADC to keep a record of each user’s activity on a

protected server.

To understand how AAA works in a distributed environment, consider an organization

with an intranet that its employees access in the office, at home, and when traveling.

The content on the intranet is confidential and requires secure access. Any user who

wants to access the intranet must have a valid user name and password. To meet these

requirements, the ADC does the following:

wRedirects the user to the login page if the user accesses the intranet without having

logged in.

wCollects the user’s credentials, delivers them to the authentication server, and

caches them in a directory that is accessible through LDAP.

wVerifies that the user is authorized to access specific intranet content before

delivering the user’s request to the application server.

wMaintains a session timeout after which users must authenticate again to regain

access to the intranet. (You can configure the timeout.)

wLogs the user accesses, including invalid login attempts, in an audit log.

Authentication requires that several entities—the client, the NetScaler appliance, the

external authentication server if one is used, and the application server—respond to

each other when prompted by performing a complex series of tasks in the correct

order. If you are using an external authentication server, this process can be broken

down into the following fifteen steps.

wThe client sends a GET request for a URL on the application server.

wThe NetScaler appliance’s traffic management virtual server redirects the request to

the application server.

wThe application server determines that the client has not been authenticated, and

therefore sends an HTTP 200 OK response via the TM vserver to the client. The

response contains a hidden script that causes the client to issue a POST request

for /cgi/tm.

wThe client sends a POST request for /cgi/tm.

wThe NetScaler appliance’s authentication virtual server redirects the request to the

authentication server.

wThe authentication server creates an authentication session, sets and caches a

cookie that consists of the initial URL and the domain of the traffic management

Chapter 1 AAA Application Traffic

16

virtual server, and then sends an HTTP 302 response via the authentication virtual

server, redirecting the client to /vpn/index.html.

wThe client sends a GET request for /vpn/index.html.

wThe authentication virtual server redirects the client to the authentication server

login page.

wThe client sends a GET request for the login page, enters credentials, and then

sends a POST request with the credentials back to the login page.

wThe authentication virtual server redirects the POST request to the authentication

server.

wIf the credentials are correct, the authentication server tells the authentication

virtual server to log the client in and redirect the client to the URL that was in the

initial GET request.

wThe authentication virtual server logs the client in and sends an HTTP 302 response

that redirects the client to the initially requested URL.

wThe client sends a GET request for their initial URL.

wThe traffic management virtual server redirects the GET request to the application

server.

wThe application server responds via the traffic management virtual server with the

initial URL.

If you use local authentication, the process is similar, but the authentication virtual

server handles all authentication tasks instead of forwarding connections to an external

authentication server. The following figure illustrates the authentication process.

Figure 1-1. Authentication Process Traffic Flow

Citrix NetScaler Application Security Guide

17

When an authenticated client requests a resource, the ADC, before sending the request

to the application server, checks the user and group policies associated with the client

account, to verify that the client is authorized to access that resource. The ADC

handles all authorization on protected application servers. You do not need to do any

special configuration of your protected application servers.

AAA-TM handles password changes for users by using the protocol-specific method for

the authentication server. For most protocols, neither the user nor the administrator

needs to do anything different than they would without AAA-TM. Even when an LDAP

authentication server is in use, and that server is part of a distributed network of LDAP

servers with a single designated domain administration server, password changes are

usually handled seamlessly. When an authenticated client of an LDAP server changes his

or her password, the client sends a credential modify request to AAA-TM, which

forwards it to the LDAP server. If the user's LDAP server is also the domain

administration server, that server responds appropriately and AAA-TM then performs

the requested password change. Otherwise, the LDAP server sends AAA-TM an

LDAP_REFERRAL response to the domain administration server. AAA-TM follows the

referral to the indicated domain administration server, authenticates to that server,

and performs the password change on that server.

When configuring AAA-TM with an LDAP authentication server, the system administrator

must keep the following conditions and limitations in mind:

wAAA-TM assumes that the domain administration server in the referral accepts the

same bind credentials as the original server.

wAAA-TM only follows LDAP referrals for password change operations. In other cases

AAA-TM refuses to follow the referral.

wAAA-TM only follows one level of LDAP referrals. If the second LDAP server also

returns a referral, AAA-TM refuses to follow the second referral.

The ADC supports auditing of all states and status information, so you can see the

details of what each user did while logged on, in chronological order. To provide this

information, the appliance logs each event, as it occurs, either to a designated audit

log file on the appliance or to a syslog server. Auditing requires configuring the

appliance and any syslog server that you use.

Enabling AAA

To use the AAA - Application Traffic feature, you must enable it. You can configure AAA

entities—such as the authentication and traffic management virtual servers—before you

enable the AAA feature, but the entities will not function until the feature is enabled.

To enable AAA by using the command line interface

At the command prompt, type the following commands to enable AAA and verify the

configuration:

wenable ns feature AAA

wshow ns feature

Chapter 1 AAA Application Traffic

18

Example

> enable feature AAA

Done

> show ns feature

Feature

Acronym Status

-------

------- ------

1) Web Logging

WL OFF

2) Surge Protection

SP ON

.

15) AAA

AAA ON

.

23) HTML Injection

HTMLInjection ON

24) NetScaler Push

push OFF

Done

To enable AAA by using the configuration utility

1. Navigate to System > Settings.

2. In the details pane, under Modes and Features, click Change basic features.

3. In the Configure Basic Features dialog box, select the Authentication,

Authorization and Auditing check box.

4. Click OK.

Setting up AAA Virtual Servers and DNS

You can configure AAA by using the built-in wizard, or manually. To use the wizard, in

the main AAA pane of the configuration utility, you click AAA - Application Traffic

wizard and follow the prompts.

To configure AAA manually, you first configure an authentication virtual server, which

involves binding an SSL certificate-key pair. You then associate the authentication

virtual server with a new or existing traffic management virtual server. (Either a load

balancing virtual server or a content switching virtual server can serve as a traffic

management virtual server.) To complete the initial configuration, you configure DNS to

Citrix NetScaler Application Security Guide

19

assign hostnames to both the authentication virtual server and the traffic management

virtual server, and verify that your virtual servers are UP and configured correctly.

Caution: Both virtual servers must have hostnames in the same domain, or the

AAA configuration will not work.

Configuring the Authentication Virtual Server

To configure AAA, first configure an authentication virtual server to handle

authentication traffic. Next, bind an SSL certificate-key pair to the virtual server to

enable it to handle SSL connections.

To configure an authentication virtual server by using the

command line interface

To configure an authentication virtual server and verify the configuration, at the

command prompt type the following commands in the order shown:

wadd authentication vserver <name> ssl <ipaddress>

wshow authentication vserver <name>

wbind ssl certkey <certkeyName>

wshow authentication vserver <name>

wset authentication vserver <name> -authenticationDomain <FQDN>

wshow authentication vserver <name>

Example

> add authentication vserver Auth-Vserver-2 SSL

10.102.29.77 443

Done

> show authentication vserver Auth-Vserver-2

Auth-Vserver-2 (10.102.29.77:443) - SSL

Type: CONTENT

State: DOWN[Certkey not bound]

Client Idle Timeout: 180 sec

Down state flush: DISABLED

Disable Primary Vserver On Down : DISABLED

Authentication : ON

Current AAA Users: 0

Done

> bind ssl certkey Auth-Vserver-2 Auth-Cert-1

Done

> show authentication vserver Auth-Vserver-2

Auth-Vserver-2 (10.102.29.77:443) - SSL

Type: CONTENT

State: UP

Client Idle Timeout: 180 sec

Down state flush: DISABLED

Disable Primary Vserver On Down : DISABLED

Chapter 1 AAA Application Traffic

20

Page is loading ...

Cisco Citrix NetScaler 1000V User guide

Cisco Citrix NetScaler 1000V User guide

Related papers

Other documents