Cisco Citrix NetScaler 1000V User guide

Category
Software
Type
User guide
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Citrix NetScaler 1000V
Application Security Guide
Citrix NetScaler 10.5
December 11, 2014
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be
determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Citrix and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the United States Patent
and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.
© 2014 Cisco Systems, Inc. All rights reserved.
Contents
1 AAA Application Traffic..............................................................................15
How AAA Works..............................................................................16
Enabling AAA.................................................................................18
To enable AAA by using the command line interface.................................. 18
To enable AAA by using the configuration utility....................................... 19
Setting up AAA Virtual Servers and DNS....................................................19
Configuring the Authentication Virtual Server..........................................20
To configure an authentication virtual server by using the command line
interface............................................................................20
To configure an authentication virtual server by using the configuration utility.. 21
Configuring a Traffic Management Virtual Server......................................22
To configure a TM virtual server for AAA by using the command line
interface............................................................................23
To configure a TM virtual server for AAA by using the configuration utility...... 24
Configuring DNS........................................................................ 24
Verifying Your Setup for AAA........................................................... 24
To verify authentication virtual server setup by using the command line
interface............................................................................24
To verify your AAA virtual server setup by using the configuration utility........ 25
Authentication Profile.........................................................................25
To configure an authentication profile by using the command line.................... 25
To configure an authentication profile by using the configuration utility............... 26
Configuring Users and Groups...............................................................26
To create a local AAA user account by using the command line interface............27
To change the password for an existing AAA local user account by using the
command line interface................................................................. 27
To configure AAA local users by using the configuration utility........................28
To create AAA local groups and add users to them by using the command line
interface................................................................................. 28
To remove users from an AAA group by using the command line interface.......... 29
To remove an AAA group by using the command line interface.......................29
iii
To configure AAA local groups and add users to them by using the configuration
utility..................................................................................... 29
Configuring AAA Policies.....................................................................30
Authentication Policies..................................................................31
To add an authentication action by using the command line interface...........32
To configure an authentication action by using the command line interface.....32
To remove an authentication action by using the command line interface.......33
To configure an authentication server by using the configuration utility..........33
To create and bind an authentication policy by using the command line
interface............................................................................34
To modify an existing authentication policy by using the command line
interface............................................................................34
To remove an authentication policy by using the command line interface....... 35
To configure and bind authentication policies by using the configuration
utility................................................................................35
LDAP Authentication Policies......................................................36
Negotiate Authentication Policies................................................. 37
RADIUS Authentication Policies...................................................39
SAML Authentication Policies..................................................... 42
SAML IDP Authentication Policies................................................ 45
Web Authentication Policies.......................................................46
Configuring Advanced Authentication Policies....................................48
Authorization Policies................................................................... 48
To create an authorization policy..................................................49
To modify an authorization policy..................................................49
To bind an authorization policy to a user account or group.......................50
To unbind an authorization policy from a user account or group.................50
To remove an authorization policy.................................................51
To configure and bind authorization policies by using the configuration utility...51
Auditing Policies.........................................................................51
To create an auditing policy by using the command line interface............... 52
To modify an auditing policy by using the command line interface...............52
To globally bind an auditing policy by using the command line interface........ 53
To bind an auditing policy to an authentication virtual server by using the
command line interface............................................................53
To bind an auditing policy to a user account or a group by using the
command line interface............................................................54
To unbind a globally bound auditing policy by using the command line
interface............................................................................54
Contents
iv
To unbind an auditing policy from an authentication virtual server by using
the command line interface........................................................54
To unbind an auditing policy from a user account or a group by using the
command line interface............................................................55
To remove an auditing policy by using the command line interface..............55
To configure and bind auditing policies by using the configuration utility........ 55
Session Settings..............................................................................56
Session Profiles.........................................................................57
To create a session profile by using the command line interface................ 57
To modify a session profile by using the command line interface................57
To remove a session profile by using the command line interface............... 58
To configure session profiles by using the configuration utility................... 58
Session Policies.........................................................................58
To create a session policy by using the command line interface.................59
To modify a session policy by using the command line interface................ 59
To globally bind a session policy by using the command line interface..........59
To bind a session policy to an authentication virtual server by using the
command line interface............................................................60
To unbind a session policy from an authentication virtual server by using the
command line interface............................................................60
To unbind a globally bound session policy by using the command line
interface............................................................................60
To remove a session policy by using the command line interface................61
To configure and bind session policies by using the configuration utility.........61
Global Session Settings.................................................................62
To configure the session settings by using the command line interface......... 62
To configure the session settings by using the configuration utility.............. 63
Traffic Settings................................................................................63
Traffic Profiles...........................................................................63
To create a traffic profile by using the command line interface...................64
To modify a session profile by using the command line interface................64
To remove a session profile by using the command line interface............... 64
To configure traffic profiles by using the configuration utility..................... 64
Traffic Policies...........................................................................65
To create a traffic policy by using the command line interface................... 65
To modify a traffic policy by using the command line interface...................65
To globally bind a traffic policy by using the command line interface............ 66
To bind a traffic policy to a load balancing or content switching virtual server
by using the command line interface..............................................66
To unbind a globally bound traffic policy by using the command line interface..66
Citrix NetScaler Application Security Guide
v
To unbind a traffic policy from a load balancing or content switching virtual
server by using the command line interface...................................... 67
To remove a traffic policy by using the command line interface..................67
To configure and bind traffic policies by using the configuration utility...........67
Form SSO Profiles...................................................................... 68
To create a form SSO profile by using the command line interface..............68
To modify a form SSO by using the command line interface.....................68
To remove a form SSO profile by using the command line interface.............69
To configure form SSO profiles by using the configuration utility.................69
SAML SSO Profiles..................................................................... 70
To create a SAML SSO profile by using the command line interface............ 70
To modify a SAML SSO by using the command line interface................... 70
To remove a SAML SSO profile by using the command line interface...........70
To configure a SAML SSO profile by using the configuration utility..............71
Session Timeout for OWA 2010...................................................71
Authenticating with Client Certificates....................................................... 72
To configure the AAA client certificate parameters by using the command line
interface................................................................................. 73
To configure the AAA client certificate parameters by using the configuration
utility..................................................................................... 73
Client Certificate Pass-Through........................................................ 74
To create and configure client certificate pass-through by using the
command line interface............................................................74
Configuring AAA with Commonly Used Protocols ..........................................76
Handling Authentication, Authorization and Auditing with Kerberos/NTLM........... 76
How NetScaler Implements Kerberos Authentication............................ 78
Kerberos Authentication - Configuration on the NetScaler Appliance............80
Configuration of Kerberos Authentication on a Client............................ 88
Offloading Kerberos Authentication from Physical Servers...................... 88
NetScaler Kerberos Single Sign-On.........................................................91
An Overview of NetScaler Kerberos SSO..............................................92
Integration of NetScaler Kerberos SSO with Authentication Methods........... 93
Setting up NetScaler SSO.............................................................. 94
Prerequisites.......................................................................94
Configuring SSO...................................................................98
Generating the KCD Keytab Script....................................................105
To generate the KCD keytab script by using the configuration utility........... 105
SAML IdP....................................................................................105
To add a SAML IdP profile from the command line interface.........................107
Example...........................................................................108
Contents
vi
To configure a SAML IdP profile by using the configuration utility................... 108
2 Application Firewall.................................................................................111
Introduction..................................................................................113
Web Application Security.............................................................. 113
Known Web Attacks.............................................................. 114
Unknown Web Attacks............................................................116
How The Application Firewall Works..................................................117
Application Firewall Features..........................................................119
The Application Firewall Configuration Interfaces.................................... 119
Configuring the Application Firewall........................................................120
The Application Firewall Wizard.......................................................121
The Citrix Web Interface AppExpert Template........................................122
The Citrix NetScaler Configuration Utility............................................. 123
The Citrix NetScaler Command Line Interface........................................123
Enabling the Application Firewall......................................................124
To enable the application firewall by using the command line interface........ 124
To enable the application firewall by using the configuration utility............. 124
The Application Firewall Wizard.......................................................125
Opening the Wizard.............................................................. 125
The Wizard Screens..............................................................125
To configure the Application Firewall: Initial Configuration......................129
To configure the Application Firewall: Enabling Blocking for Signatures....... 130
To configure the Application Firewall: Enabling and Configuring advanced
protection......................................................................... 130
To configure the Application Firewall: Creating A Policy........................ 131
Manual Configuration..................................................................132
Manual Configuration By Using the Configuration Utility........................132
Manual Configuration By Using the Command Line Interface.................. 143
Signatures...................................................................................146
Manually Configuring the Signatures Feature........................................ 147
Adding or Removing a Signatures Object.............................................148
To create a signatures object from a template...................................148
To create a signatures object by importing a file................................ 149
To create a signatures object by importing a file by using the command line.. 149
To remove a signatures object by using the configuration utility................149
To remove a signatures object by using the command line.....................150
Configuring or Modifying a Signatures Object........................................ 150
To configure or modify a signatures object...................................... 150
Updating a Signatures Object.........................................................153
Citrix NetScaler Application Security Guide
vii
To update the application firewall signatures from the source by using the
command line.....................................................................153
Updating a Signatures Object from a Citrix Format File.........................154
Updating a Signatures Object from a Supported Vulnerability Scanning Tool..155
Exporting a Signatures Object to a File...............................................156
To export a signatures object to a file............................................156
The Signatures Editor................................................................. 156
To add or modify a local signature rule by using the Signatures Editor.........156
To add a signature rule category.................................................158
Signature Rule Patterns..........................................................159
Advanced Protections.......................................................................164
Top-Level Advanced Protections......................................................165
HTML Cross-Site Scripting Check............................................... 166
HTML SQL Injection Check...................................................... 169
Buffer Overflow Check........................................................... 172
Cookie Consistency Check.......................................................173
Data Leak Prevention Checks.........................................................175
Credit Card Check................................................................175
Safe Object Check................................................................176
Advanced Form Protection Checks................................................... 178
Field Formats Check............................................................. 179
Form Field Consistency Check.................................................. 180
CSRF Form Tagging Check......................................................183
Deny URL Check.................................................................184
URL Protection Checks................................................................186
Start URL Check..................................................................186
Deny URL Check.................................................................188
XML Protection Checks................................................................189
XML Format Check...............................................................190
XML Denial-of-Service Check....................................................190
XML Cross-Site Scripting Check.................................................193
XML SQL Injection Check........................................................195
XML Attachment Check.......................................................... 197
Web Services Interoperability Check............................................ 197
XML Message Validation Check................................................. 198
XML SOAP Fault Filtering Check................................................ 199
Profiles...................................................................................... 200
Built-In Profiles.........................................................................200
User-Defined Profiles..................................................................200
Creating Application Firewall Profiles.................................................201
Contents
viii
To create an application firewall profile by using the command line interface..202
To create an application firewall profile by using the configuration utility.......202
Configuring Application Firewall Profiles..............................................203
To configure an application firewall profile by using the command line.........203
To configure an application firewall profile by using the configuration utility....204
Managing Content Types.........................................................205
Changing an Application Firewall Profile Type........................................209
To change an application firewall profile type by using the command line
interface...........................................................................210
To change an application firewall profile type by using the configuration
utility...............................................................................210
Exporting and Importing an Application Firewall Profile..............................210
To export an application firewall profile by using the command line interface..210
To export an application firewall profile by using the configuration utility....... 211
To import an application firewall profile by using the command line interface.. 211
Configuring and Using the Learning Feature......................................... 212
To configure the learning settings by using the command line interface........213
To reset learning settings to their defaults by using the command line
interface...........................................................................214
To display the learning settings for a profile by using the command line
interface...........................................................................214
To display unreviewed learned rules or relaxations for a profile by using the
command line interface...........................................................215
To remove specific unreviewed learned rules or relaxations from the
learning database by using the command line interface........................ 215
To remove all unreviewed learned data by using the command line interface. 215
To export learning data by using the command line interface...................215
To configure the Learning feature by using the configuration utility.............216
To review learned rules or relaxations by using the configuration utility........217
Supplemental Information about Profiles............................................. 218
Configuration Variable Support...................................................218
PCRE Character Encoding Format.............................................. 219
Inverted PCRE Expressions......................................................221
Disallowed Names for Application Firewall Profiles............................. 222
Policies...................................................................................... 223
Firewall Policies........................................................................224
Creating and Configuring Application Firewall Policies......................... 224
Binding Application Firewall Policies.............................................229
Viewing a Firewall Policy's Bindings.............................................231
Auditing Policies....................................................................... 231
Citrix NetScaler Application Security Guide
ix
To create an auditing server by using the command line interface............. 232
To modify or remove an auditing server by using the command line interface. 232
To create or configure an auditing server by using the configuration utility.....233
To create an auditing policy by using the command line interface..............233
To configure an auditing policy by using the command line interface...........234
To configure an auditing policy by using the configuration utility................234
Imports...................................................................................... 235
HTML Error Object.....................................................................235
XML Error Object...................................................................... 237
XML Schema...........................................................................237
WSDL.................................................................................. 237
Importing and Exporting Files......................................................... 237
To import a file by using the command line interface............................238
To import a file by using the configuration utility.................................238
To export a file by using the configuration utility.................................239
To edit an HTML or XML Error Object in the configuration utility............... 239
Global Configuration........................................................................240
Engine Settings........................................................................240
To configure engine settings by using the command line interface.............241
To configure engine settings by using the configuration utility.................. 242
Confidential Fields.....................................................................243
To add a confidential field by using the command line interface................244
To modify a confidential field by using the command line interface.............244
To remove a confidential field by using the command line interface............244
To configure a confidential field by using the configuration utility...............245
Field Types.............................................................................247
To add a field type by using the command line interface........................247
To modify a field type by using the command line interface.....................248
To remove a field type by using the command line interface....................248
To configure a field type by using the configuration utility.......................248
XML Content Types....................................................................249
To add an XML content type pattern by using the command line interface.....249
To remove an XML content type pattern by using the command line interface 250
To configure the XML content type list by using the configuration utility........250
JSON Content Types.................................................................. 251
To add a JSON content type pattern by using the command line interface.....251
To configure the JSON content type list by using the configuration utility...... 251
Logs, Statistics, and Reports............................................................... 252
The Application Firewall Logs.........................................................252
NetScaler Format Logs...........................................................252
Contents
x
Viewing the Application Firewall Logs........................................... 253
The Application Firewall Statistics.....................................................254
The Application Firewall Reports......................................................255
The PCI DSS Report............................................................. 255
The Application Firewall Configuration Report.................................. 256
Appendices..................................................................................256
PCRE Character Encoding Format................................................... 256
Whitehat WASC Signature Types for WAF Use...................................... 259
WASC 1.0 Signature Types...................................................... 259
WASC 2.0 Signature Types...................................................... 259
Best Practices.................................................................... 260
3 Content Filtering....................................................................................261
Enabling Content Filtering.................................................................. 262
To enable content filtering by using the command line interface.....................262
To enable content by filtering by using the configuration utility.......................263
Configuring a Content Filtering Action......................................................263
To configure a content filtering action by using the command line interface.........264
To configure a content filtering action by using the configuration utility..............264
Configuring a Content Filtering Policy......................................................265
To configure a content filtering policy by using the command line interface.........266
To configure a content filtering policy by using the configuration utility.............. 266
Binding a Content Filtering Policy.......................................................... 270
To bind a policy to a virtual server by using the command line interface............ 270
Example...........................................................................270
To globally bind a policy by using the command line interface.......................271
Example...........................................................................271
To bind a policy to a virtual server by using the configuration utility................. 271
To globally bind a policy by using the configuration utility............................271
Configuring Content Filtering for a Commonly Used Deployment Scenario.............. 272
To enable content filtering............................................................. 272
To configure the content filtering policy filter-CF-nimda.............................. 272
To globally bind the content filtering policy............................................273
To bind the content filtering policy to a virtual server................................. 273
To verify the content filtering configuration by using the command line interface... 274
To verify the content filtering configuration by using the configuration utility.........274
Troubleshooting.............................................................................275
Resources for Troubleshooting........................................................275
Troubleshooting Content Filtering Issues.............................................275
Citrix NetScaler Application Security Guide
xi
4 HTTP Denial-of-Service Protection................................................................277
Layer 3-4 SYN Denial-of-Service Protection...............................................279
Enabling HTTP DoS Protection.............................................................279
To enable HTTP DoS protection by using the command line interface.............. 279
To enable HTTP DoS protection by using the configuration utility................... 280
Defining an HTTP DoS Policy.............................................................. 280
To configure a HTTP DoS policy by using the command line interface..............281
To configure an HTTP DoS policy by using the configuration utility..................281
Configuring an HTTP DoS Service.........................................................282
To configure an HTTP DoS service by using the command line interface...........282
To configure an HTTP DoS service by using the configuration utility................ 283
Binding an HTTP DoS Monitor and Policy................................................. 284
To bind the monitor to the service by using the command line interface.............284
To bind the policy to the service by using the command line interface...............284
To bind the monitor and policy to the service by using the configuration utility......286
Tuning the Client Detection/JavaScript Challenge Response Rate.......................286
Guidelines for HTTP DoS Protection Deployment.........................................287
5 Priority Queuing.................................................................................... 289
Enabling Priority Queuing...................................................................291
To enable priority queuing by using the command line interface.....................291
To enable priority queuing by using the configuration utility..........................291
Configuring a Priority Queuing Policy...................................................... 292
To configure a priority queuing policy by using the command line interface.........292
To configure a priority queuing policy by using the configuration utility..............292
Binding a Priority Queuing Policy...........................................................294
To bind a priority queuing policy by using the command line interface.............. 294
To bind a priority queuing policy by using the configuration utility....................295
Setting Up Weighted Queuing..............................................................295
6 SureConnect........................................................................................ 297
Installing SureConnect......................................................................299
Installing on UNIX......................................................................299
To install SureConnect........................................................... 299
Installing on Windows................................................................. 300
To install SureConnect on Windows............................................. 300
Configuring SureConnect...................................................................300
Configuring the Response for Alternate Server Failure.............................. 301
Customizing the Default Response..............................................301
Contents
xii
SureConnect with In-Memory response (NS action)............................ 302
Configuring the SureConnect Policies................................................ 304
Configuring Exact URL Based Policies..........................................304
Configuring Wildcard Rule-Based Policies...................................... 305
Displaying the Configured SureConnect Policy................................. 306
Customizing the Alternate Content File...............................................306
Configuring SureConnect for Citrix NetScaler Features..............................308
Configuring SureConnect for Load Balancing...................................308
Configuring SureConnect for Cache Redirection................................308
Configuring SureConnect for High Availability...................................308
Activating SureConnect.....................................................................308
SureConnect Environments................................................................ 309
Primary and Alternate Servers........................................................ 309
Configuration Checklist................................................................310
To redirect the client to another URL.............................................311
Example Configurations............................................................... 312
Example 1 - SureConnect Progress Bar and Alternate Page .................. 312
Example 2 - SureConnect Progress Bar Only...................................313
Example 3 - SureConnect with Load Balancing.................................313
Example 4 - SureConnect with Load Balancing (ACS Action)..................314
Example 5 - SureConnect with Content Switching..............................314
7 Surge Protection....................................................................................317
Disabling and Reenabling Surge Protection............................................... 320
To disable or reenable surge protection by using the command line interface...... 320
To disable or reenable surge protection by using the configuration utility........... 321
To disable or reenable surge protection for a particular service by using the
configuration utility.....................................................................321
Setting Thresholds for Surge Protection................................................... 322
Flushing the Surge Queue..................................................................324
To flush a surge queue by using the command line interface........................325
Examples......................................................................... 326
To flush a surge queue by using the configuration utility............................. 326
Citrix NetScaler Application Security Guide
xiii
Contents
xiv
Chapter 1
AAA Application Traffic
Topics:
How AAA Works
Enabling AAA
Setting up AAA Virtual
Servers and DNS
Authentication Profile
Configuring Users and
Groups
Configuring AAA Policies
Session Settings
Traffic Settings
Authenticating with Client
Certificates
Configuring AAA with
Commonly Used Protocols
NetScaler Kerberos Single
Sign-On
SAML IdP
Many companies restrict web site access to valid users only,
and control the level of access permitted to each user. The
AAA feature allows a site administrator to manage access
controls with the NetScaler appliance instead of managing
these controls separately for each application. Doing
authentication on the appliance also permits sharing this
information across all web sites within the same domain that
are protected by the appliance.
The AAA feature supports authentication, authorization, and
auditing for all application traffic. To use AAA, you must
configure authentication virtual servers to handle the
authentication process and traffic management virtual servers
to handle the traffic to web applications that require
authentication. You also configure your DNS to assign FQDNs
to each virtual server. After configuring the virtual servers,
you configure a user account for each user that will
authenticate via the NetScaler appliance, and optionally you
create groups and assign user accounts to groups. After
creating user accounts and groups, you configure policies that
tell the appliance how to authenticate users, which resources
to allow users to access, and how to log user sessions. To put
the policies into effect, you bind each policy globally, to a
specific virtual server, or to the appropriate user accounts or
groups. After configuring your policies, you customize user
sessions by configuring session settings and binding your
session policies to the traffic management virtual server.
Finally, if your intranet uses client certs, you set up the client
certificate configuration.
Before configuring AAA, you should be familiar with and
understand how to configure load balancing, content
switching, and SSL on the NetScaler appliance.
15
How AAA Works
AAA provides security for a distributed Internet environment by allowing any client
with the proper credentials to connect securely to protected application servers from
anywhere on the Internet. This feature incorporates the three security features of
authentication, authorization, and auditing. Authentication enables the NetScaler ADC
to verify the client’s credentials, either locally or with a third-party authentication
server, and allow only approved users to access protected servers. Authorization
enables the ADC to verify which content on a protected server it should allow each user
to access. Auditing enables the ADC to keep a record of each user’s activity on a
protected server.
To understand how AAA works in a distributed environment, consider an organization
with an intranet that its employees access in the office, at home, and when traveling.
The content on the intranet is confidential and requires secure access. Any user who
wants to access the intranet must have a valid user name and password. To meet these
requirements, the ADC does the following:
wRedirects the user to the login page if the user accesses the intranet without having
logged in.
wCollects the user’s credentials, delivers them to the authentication server, and
caches them in a directory that is accessible through LDAP.
wVerifies that the user is authorized to access specific intranet content before
delivering the user’s request to the application server.
wMaintains a session timeout after which users must authenticate again to regain
access to the intranet. (You can configure the timeout.)
wLogs the user accesses, including invalid login attempts, in an audit log.
Authentication requires that several entities—the client, the NetScaler appliance, the
external authentication server if one is used, and the application server—respond to
each other when prompted by performing a complex series of tasks in the correct
order. If you are using an external authentication server, this process can be broken
down into the following fifteen steps.
wThe client sends a GET request for a URL on the application server.
wThe NetScaler appliance’s traffic management virtual server redirects the request to
the application server.
wThe application server determines that the client has not been authenticated, and
therefore sends an HTTP 200 OK response via the TM vserver to the client. The
response contains a hidden script that causes the client to issue a POST request
for /cgi/tm.
wThe client sends a POST request for /cgi/tm.
wThe NetScaler appliance’s authentication virtual server redirects the request to the
authentication server.
wThe authentication server creates an authentication session, sets and caches a
cookie that consists of the initial URL and the domain of the traffic management
Chapter 1 AAA Application Traffic
16
virtual server, and then sends an HTTP 302 response via the authentication virtual
server, redirecting the client to /vpn/index.html.
wThe client sends a GET request for /vpn/index.html.
wThe authentication virtual server redirects the client to the authentication server
login page.
wThe client sends a GET request for the login page, enters credentials, and then
sends a POST request with the credentials back to the login page.
wThe authentication virtual server redirects the POST request to the authentication
server.
wIf the credentials are correct, the authentication server tells the authentication
virtual server to log the client in and redirect the client to the URL that was in the
initial GET request.
wThe authentication virtual server logs the client in and sends an HTTP 302 response
that redirects the client to the initially requested URL.
wThe client sends a GET request for their initial URL.
wThe traffic management virtual server redirects the GET request to the application
server.
wThe application server responds via the traffic management virtual server with the
initial URL.
If you use local authentication, the process is similar, but the authentication virtual
server handles all authentication tasks instead of forwarding connections to an external
authentication server. The following figure illustrates the authentication process.
Figure 1-1. Authentication Process Traffic Flow
Citrix NetScaler Application Security Guide
17
When an authenticated client requests a resource, the ADC, before sending the request
to the application server, checks the user and group policies associated with the client
account, to verify that the client is authorized to access that resource. The ADC
handles all authorization on protected application servers. You do not need to do any
special configuration of your protected application servers.
AAA-TM handles password changes for users by using the protocol-specific method for
the authentication server. For most protocols, neither the user nor the administrator
needs to do anything different than they would without AAA-TM. Even when an LDAP
authentication server is in use, and that server is part of a distributed network of LDAP
servers with a single designated domain administration server, password changes are
usually handled seamlessly. When an authenticated client of an LDAP server changes his
or her password, the client sends a credential modify request to AAA-TM, which
forwards it to the LDAP server. If the user's LDAP server is also the domain
administration server, that server responds appropriately and AAA-TM then performs
the requested password change. Otherwise, the LDAP server sends AAA-TM an
LDAP_REFERRAL response to the domain administration server. AAA-TM follows the
referral to the indicated domain administration server, authenticates to that server,
and performs the password change on that server.
When configuring AAA-TM with an LDAP authentication server, the system administrator
must keep the following conditions and limitations in mind:
wAAA-TM assumes that the domain administration server in the referral accepts the
same bind credentials as the original server.
wAAA-TM only follows LDAP referrals for password change operations. In other cases
AAA-TM refuses to follow the referral.
wAAA-TM only follows one level of LDAP referrals. If the second LDAP server also
returns a referral, AAA-TM refuses to follow the second referral.
The ADC supports auditing of all states and status information, so you can see the
details of what each user did while logged on, in chronological order. To provide this
information, the appliance logs each event, as it occurs, either to a designated audit
log file on the appliance or to a syslog server. Auditing requires configuring the
appliance and any syslog server that you use.
Enabling AAA
To use the AAA - Application Traffic feature, you must enable it. You can configure AAA
entities—such as the authentication and traffic management virtual servers—before you
enable the AAA feature, but the entities will not function until the feature is enabled.
To enable AAA by using the command line interface
At the command prompt, type the following commands to enable AAA and verify the
configuration:
wenable ns feature AAA
wshow ns feature
Chapter 1 AAA Application Traffic
18
Example
> enable feature AAA
Done
> show ns feature
Feature
Acronym Status
-------
------- ------
1) Web Logging
WL OFF
2) Surge Protection
SP ON
.
.
.
15) AAA
AAA ON
.
.
.
23) HTML Injection
HTMLInjection ON
24) NetScaler Push
push OFF
Done
To enable AAA by using the configuration utility
1. Navigate to System > Settings.
2. In the details pane, under Modes and Features, click Change basic features.
3. In the Configure Basic Features dialog box, select the Authentication,
Authorization and Auditing check box.
4. Click OK.
Setting up AAA Virtual Servers and DNS
You can configure AAA by using the built-in wizard, or manually. To use the wizard, in
the main AAA pane of the configuration utility, you click AAA - Application Traffic
wizard and follow the prompts.
To configure AAA manually, you first configure an authentication virtual server, which
involves binding an SSL certificate-key pair. You then associate the authentication
virtual server with a new or existing traffic management virtual server. (Either a load
balancing virtual server or a content switching virtual server can serve as a traffic
management virtual server.) To complete the initial configuration, you configure DNS to
Citrix NetScaler Application Security Guide
19
assign hostnames to both the authentication virtual server and the traffic management
virtual server, and verify that your virtual servers are UP and configured correctly.
Caution: Both virtual servers must have hostnames in the same domain, or the
AAA configuration will not work.
Configuring the Authentication Virtual Server
To configure AAA, first configure an authentication virtual server to handle
authentication traffic. Next, bind an SSL certificate-key pair to the virtual server to
enable it to handle SSL connections.
To configure an authentication virtual server by using the
command line interface
To configure an authentication virtual server and verify the configuration, at the
command prompt type the following commands in the order shown:
wadd authentication vserver <name> ssl <ipaddress>
wshow authentication vserver <name>
wbind ssl certkey <certkeyName>
wshow authentication vserver <name>
wset authentication vserver <name> -authenticationDomain <FQDN>
wshow authentication vserver <name>
Example
> add authentication vserver Auth-Vserver-2 SSL
10.102.29.77 443
Done
> show authentication vserver Auth-Vserver-2
Auth-Vserver-2 (10.102.29.77:443) - SSL
Type: CONTENT
State: DOWN[Certkey not bound]
Client Idle Timeout: 180 sec
Down state flush: DISABLED
Disable Primary Vserver On Down : DISABLED
Authentication : ON
Current AAA Users: 0
Done
> bind ssl certkey Auth-Vserver-2 Auth-Cert-1
Done
> show authentication vserver Auth-Vserver-2
Auth-Vserver-2 (10.102.29.77:443) - SSL
Type: CONTENT
State: UP
Client Idle Timeout: 180 sec
Down state flush: DISABLED
Disable Primary Vserver On Down : DISABLED
Chapter 1 AAA Application Traffic
20
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326

Cisco Citrix NetScaler 1000V User guide

Category
Software
Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI