SSL VPN Deployment Guide: A Step-by-Step Technical Guide
SSL VPN Deployment Guide: A Step-by-Step Technical Guide
SSL VPN Deployment Guide: A Step-by-Step Technical Guide
Deployment Guide
A Step-by-Step Technical Guide
Deployment Guide
Deployment Guide
Notice:
The information in this publication is subject to change without notice.
THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (CITRIX), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright 2007 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-
2009 U.S.A. All rights reserved.
Table of Contents
Introduction ..........................................................................................................................................4
Solution Requirements ..........................................................................................................................5
Prerequisites .........................................................................................................................................5
Network Diagram .................................................................................................................................6
First time connectivity ...........................................................................................................................7
Serial Connection ............................................................................................................................7
Ethernet Connection ........................................................................................................................7
NetScaler Conguration ........................................................................................................................8
Deployment Model: Netscaler High Availability, Two-Arm Mode, SSL VPN .......................................8
Important Considerations for NetScaler High Availability ...................................................................9
High Availability Command Synchronization ...................................................................................12
Important NetScaler IP Addresses .................................................................................................13
IP Addresses, Interfaces and VLANs ..............................................................................................14
SSL Keys & Certicates ......................................................................................................................16
Obtaining Keys and Certicates .....................................................................................................16
Using the SSL Certicate Wizard ...................................................................................................16
SSL VPN Conguration ......................................................................................................................20
SSL VPN Wizard ............................................................................................................................20
Accessing the SSL VPN .....................................................................................................................23
Importing SSL Certicates .............................................................................................................23
Testing the SSL VPN ......................................................................................................................23
Things you need to know ...................................................................................................................25
SSL VPN Polices ................................................................................................................................26
Step-by-Step SSL VPN policy creation ..........................................................................................27
Appendix A - NetScaler Application Switch Conguration ...................................................................32
4
Introduction
Citrix NetScaler optimizes the delivery of web applications increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership (TCO),
security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive
network system that combines high-speed load balancing and content switching with state-of-the-art
application acceleration, layer 4-7 trafc management, data compression, dynamic content caching,
SSL acceleration, network optimization, and robust application security into a single, tightly integrated
solution. Deployed in front of application servers, the system signicantly reduces processing overhead
on application and database servers, reducing hardware and bandwidth costs.
Citrix Access Gateway is the only SSL VPN to securely deliver any application with policy-based
SmartAccess control. Users will have easy-to-use secure access to all of the enterprise applications
and data they need to be productive and IT can cost effectively extend access to applications while
maintaining security through SmartAccess application-level policies. With Access Gateway organizations
are empowered to cost effectively meet the anywhere access demands of all workers enabling exible
work options, easier outsourcing and non-employee access, and business continuity readiness while
ensuring the highest-level of information security.
This deployment guide walks through the step-by-step conguration details of how to congure the Citrix
NetScaler for use as a SSL VPN gateway.
5
Solution Requirements
SSL VPN for all applications
Agentless connectivity, and Agent based connectivity
Split-Tunneling without network conicts
User/Group Restrictions to specic VLANs and IP Addresses
Prerequisites
Citrix NetScaler L4/7 Application Switch, running version 8.0+, (Quantity x 1 for single deployment,
Quantity x 2 for HA deployment).
Layer 2/3 switches, w/support for 802.1q Tagging & Trunking, (Quantity x 1)
Client laptop/workstation running Internet Explorer 6.0+.
First time connectivity
Serial Connection
The NetScaler can be accessed by the serial port through any
terminal emulation program. Windows Hyperterm is commonly
used on a laptop or workstation. Connect a 9-pin Null Modem
cable from the computer to the NetScalers console port. In the
terminal emulation program congure the settings for 9600 baud,
No stop bits, 8 data bits, and 1 parity bit. The login prompt should
appear. The default login is nsroot, nsroot. It is advisable to change
the nsroot password once connected.
Once connected type in the CLI command congns (nscong if
at the shell prompt). Select option 1 to change the NetScaler IP
Address and Network Mask. Exit, save and reboot.
Ethernet Connection
The NetScaler can also be accessed by the default IP Address
of 192.168.100.1, either through an http, https, telnet or ssh
connection. Once connected, the login prompt should appear.
The default login is nsroot, nsroot. It is advisable to change the
nsroot password once connected.
Type in the CLI command congns (nscong if at the shell
prompt). Select option 1 to change the NetScaler IP Address and
Network Mask. Exit, save and reboot.
Note: Changing the NetScaler IP Address always requires a
reboot.
8
NetScaler Conguration
Deployment Model: Netscaler High Availability, Two-Arm Mode, SSL VPN
The NetScaler SSL VPNs in this example will be deployed as a high availability pair, in two-arm mode.
Always start with the rst NetScaler. The NetScalers in Two-Arm mode provide the utmost is site
security, as they provide a full reverse-proxy gateway to intercept incoming trafc before it is sent to the
Applications on the backend. Once the initial NetScaler IP Address (NSIP) has been congured, you can
connect to both the Primary and Secondary NetScalers via a http or https web browser connection.
Connect to the NetScaler
via the NSIP using a web
browser.
In this example:
NS1: http://10.217.104.51
NS2: http://10.217.104.52
Note: Java will be installed.
Default login is: nsroot,
nsroot.
Ethernet
1.
9
In a High Availability deployment, one Application Switch actively accepts connections and manages
servers, while the second monitors the rst. If the rst Application Switch quits accepting connections for
any reason, the second Application Switch takes over and begins actively accepting connections. This
prevents downtime and ensures that the services provided by the Application Switch will remain available
even if one Application Switch ceases to function.
Important Considerations for NetScaler High Availability
The passwords for both NetScalers nsroot account must match. You must change these manually
on the switches, they are not synchronized.
The maximum node ID for Application Switches in an HA pair is 64.
Both NetScaler HA peers must be running the same version of code.
The conguration les in ns.conf must match on both NetScalers. For this to happen, the following
must occur:
The primary and secondary NetScaler Application switches must be congured with their own
unique NSIPs.
The node id and IP Address of one Application switch must point to the other Application
switch (its HA peer).
You must congure RPC node passwords onto both Applicaiton switches. Initially, all
Application Switches are congured with the same RPC node password. To enhance security,
you should change these default RPC node passwords.