SSL VDA Access through Netscaler

Started by Michael Ryan , 24 June 2016 - 03:58 AM
3 replies to this topic

Michael Ryan (Members, 4 posts)

Posted 24 June 2016 - 03:58 AM

Hi All,

I've been looking into this for a few days but can't seem to find a clear-cut answer, hoping someone may shed some light here for me.

I have a request to configure SSL onto a test VDA Delivery Group. This delivery group works fine through the NetScaler pre-SSL configuration. I've installed the certificate, run the PowerShell command, enabled HDXSSL on the delivery group and can access internally via StoreFront with no issues.

The Delivery Controller has been secured as well.

I've just checked and can confirm that 443 is not available from the SNIP to the VDAs that have just been set up with SSL. My understanding is that now we will need to send off to the firewall team to have 443 available from SNIP -> VDAs to ensure access. With this being enabled, are 1494 and 2598 no longer required from SNIP -> VDA, or are they still required? Even after running the PowerShell command I can telnet from the same network segment to

I saw in the Citrix Security Blog that the VDA certificate will need to be trusted by the end user connecting. Is this negated by the NetScaler, or must the external client trust the certificate on the VDA itself, not just the NetScaler certificate?

Hoping someone who has implemented this can provide clarity. Network changes require approval and a few days to be processed, and I am working to ensure what I have is correct.

Thanks,

Michael



Martijn Kools (Members, 426 posts)

Posted 24 June 2016 - 10:35 AM

There is no reason to configure SSL on your VDAs when you're using NetScaler, since the ICA traffic will be encrypted then anyway.

If you just want to secure your STA traffic, just add SSL certificates to your Delivery Controllers (use a domain certificate), add the root certificate of your internal CA to your NetScaler, and then configure your virtual server to e.g. https://ddc01.domain.local. There is no need to enable SSL on your VDA to achieve this.

There are only two situations when you should enable SSL on your VDA: if you want to use the HTML5 Receiver over SSL without going through NetScaler, or if you want to encrypt all internal ICA traffic without routing the internal traffic through NetScaler.

And btw, securing STA traffic over SSL has nothing to do with ICA traffic over 1494/2598, so yes, these ports still need to remain open.
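The two questions raised in this thread (which VDA ports the SNIP still needs, and whether the VDA certificate actually chains to a CA the connecting side trusts) can both be checked from a Windows host before a firewall request goes in. The script below is an added example, not code from the thread or from Citrix; it assumes the VDA FQDN `vda01.domain.local` is a placeholder you replace, and that it is run from a machine whose certificate store reflects the client you care about (a NetScaler does its own validation against the CA certificates you install on it, so a pass here does not replace checking there).

```powershell
# Added example (not from the thread). Checks the three VDA listener ports
# discussed above and inspects the certificate presented on 443.
# $vda is a placeholder; use the FQDN that the VDA certificate was issued for,
# because hostname mismatch is one of the failures the trust question is about.
$vda = 'vda01.domain.local'

# Ports named in the thread: 443 (HDX over SSL), 1494 (ICA), 2598 (Session Reliability).
$ports = @{ 443 = 'HDX over SSL'; 1494 = 'ICA'; 2598 = 'Session Reliability (CGP)' }

foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $vda -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-28} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'blocked/closed' })
}

# TLS handshake to 443. The validation callback records the policy result as
# seen by THIS machine's trust store and returns $true only so the handshake
# completes and the certificate can be printed; the verdict is reported below.
$script:policyErrors = $null
$validator = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($vda, 443)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($vda)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"
    # 'None' means the chain built to a trusted root and the name matched;
    # RemoteCertificateChainErrors or RemoteCertificateNameMismatch point at
    # the untrusted-CA or wrong-FQDN cases respectively.
    "Verdict : $($script:policyErrors)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it from a host on the same segment as the SNIP to see which of 443, 1494 and 2598 the firewall currently allows, and read the Verdict line to see whether the VDA certificate is trusted by that client without any NetScaler in the path.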



Aaron Curtis (Members, 15 posts)

Posted 20 April 2017 - 04:24 AM

Did you ever find an answer for this?

I enabled SSL on a test VDA and delivery group today; it worked fine from StoreFront, but then NetScaler access stopped working.

Doing this because we want to be able to use the HTML5 Receiver but don't want to force all connections through the NetScaler.

I'm using an internal cert authority. Not sure if the NetScaler has to be configured in a specific way for this to work.



Kishore Kunisetty (Citrix Employees, 420 posts)

Posted 20 April 2017 - 09:24 PM


Could you please clarify the NetScaler, VDA and HTML Receiver versions in your setup.

What is the error you are seeing when launching the session via Windows Receiver?

What browser are you using to launch the session via NetScaler using HTML Receiver?

When the session connection fails, do you see any event on the VDA machine in the System event log?

Thanks

Kishore