NetScaler can be configured for SSL offloading with end-to-end encryption, in which the NetScaler re-encrypts the clear-text data and uses secure SSL sessions to communicate with the back-end web servers.
Configure the back-end SSL transactions so that the appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers. This avoids CPU-intensive key exchange (full handshake) operations and also reduces the overall number of SSL sessions on the server. As a result, it accelerates the SSL transaction while maintaining end-to-end security.
Following are the steps to configure an end-to-end encryption deployment:
- Create SSL services
- Create an SSL virtual server
- Add a certificate-key pair
- Bind the certificate-key pair to the SSL virtual server
- Bind the services to the SSL virtual server
These procedural steps can be reduced to a single declarative file containing the desired state of the NetScaler.
Below is a Terraform resource file that configures end-to-end SSL offloading.
```hcl
# Back-end services. For end-to-end encryption the service type supplied in
# tfvars should be SSL, so the NetScaler re-encrypts traffic to the server.
resource "citrixadc_service" "service1" {
  servicetype = var.service1_servicetype
  name        = var.service1_name
  ipaddress   = var.service1_ip
  ip          = var.service1_ip
  port        = var.service1_port
}

resource "citrixadc_service" "service2" {
  servicetype = var.service2_servicetype
  name        = var.service2_name
  ipaddress   = var.service2_ip
  ip          = var.service2_ip
  port        = var.service2_port # original read var.service1_port, a copy-paste slip
}

# Default SSL profiles must be enabled before a profile can be set on the vserver.
resource "citrixadc_sslparameter" "defaultprofile" {
  defaultprofile = "ENABLED"
}

# Client-facing SSL virtual server using the built-in secure front-end profile.
resource "citrixadc_lbvserver" "production_lb" {
  depends_on  = [citrixadc_sslparameter.defaultprofile]
  name        = var.production_lb_name
  ipv46       = var.production_lb_ip
  port        = "443"
  servicetype = "SSL"
  ciphers     = ["DEFAULT"]
  sslprofile  = "ns_default_ssl_profile_secure_frontend"
}

# Copy certificate, private key and CA certificate onto the appliance.
# /var/tmp is the location the author chose; /nsconfig/ssl is where the
# appliance normally keeps key material.
resource "citrixadc_systemfile" "sslcert_copy" {
  filename     = "sslcert.pem"
  filelocation = "/var/tmp"
  filecontent  = file(var.ssl_certificate_path)
}

resource "citrixadc_systemfile" "sslkey_copy" {
  filename     = "sslkey.ky"
  filelocation = "/var/tmp"
  filecontent  = file(var.ssl_key_path)
}

resource "citrixadc_systemfile" "ssl_cacert_copy" {
  filename     = "cacert.crt"
  filelocation = "/var/tmp"
  filecontent  = file(var.ssl_cacert_path)
}

# CA certificate-key pair, created first so the server cert can link to it.
resource "citrixadc_sslcertkey" "sslcacert" {
  certkey = var.ssl_cacert_name
  cert    = format("%s/%s", citrixadc_systemfile.ssl_cacert_copy.filelocation, citrixadc_systemfile.ssl_cacert_copy.filename)
}

# Server certificate-key pair, linked to the CA so the full chain is served.
resource "citrixadc_sslcertkey" "sslcertkey1" {
  depends_on      = [citrixadc_sslcertkey.sslcacert]
  certkey         = var.ssl_certkey_name
  cert            = format("%s/%s", citrixadc_systemfile.sslcert_copy.filelocation, citrixadc_systemfile.sslcert_copy.filename)
  key             = format("%s/%s", citrixadc_systemfile.sslkey_copy.filelocation, citrixadc_systemfile.sslkey_copy.filename)
  linkcertkeyname = var.ssl_cacert_name
}

# Bind the certificate-key pair to the SSL virtual server.
resource "citrixadc_sslvserver_sslcertkey_binding" "sslvserver_sslcertkey_bind" {
  vservername = citrixadc_lbvserver.production_lb.name
  certkeyname = citrixadc_sslcertkey.sslcertkey1.certkey
}

# Bind the services to the SSL virtual server.
resource "citrixadc_lbvserver_service_binding" "lbvserver_sslservice1_bind" {
  name        = citrixadc_lbvserver.production_lb.name
  servicename = citrixadc_service.service1.name
}

resource "citrixadc_lbvserver_service_binding" "lbvserver_sslservice2_bind" {
  name        = citrixadc_lbvserver.production_lb.name
  servicename = citrixadc_service.service2.name
}
```
You just need to provide the values in a tfvars file (as here) and run terraform apply to configure end-to-end encryption.
After configuration, you can send an HTTPS request to the VIP to validate SSL traffic. Additionally, you can submit the domain name to Qualys SSL Labs and ensure that your servers receive an A+ rating.
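A client-side check for the validation step above, added here as an example (it is not part of the original post or of the NetScaler or Terraform tooling): it handshakes with the VIP, verifies the served certificate chain, records the protocol and cipher, then reconnects with the saved session to confirm that the front end resumes sessions. The host name and the accepted-protocol list are assumptions; session reuse between the NetScaler and the back-end servers is only observable on the appliance, not from the client.

```python
"""Client-side validation of the SSL offload VIP (added example, not from
the original post). Policy thresholds are assumptions, not NetScaler defaults."""
import socket
import ssl

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")  # assumed minimum acceptable
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")

def probe_vip(host, port=443, sni=None):
    """Handshake twice with the VIP and report what was negotiated."""
    sni = sni or host
    ctx = ssl.create_default_context()  # verifies the served chain
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            # One round trip so TLS 1.3 session tickets (sent after the
            # handshake) have arrived before tls.session is read.
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + sni.encode() + b"\r\n\r\n")
            tls.recv(4096)
            result = {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in tls.getpeercert()["subject"]),
                "verified": True,
            }
            session = tls.session
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni, session=session) as tls:
            result["resumed"] = tls.session_reused
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate: a missing CA link (linkcertkeyname) is a usual cause.
        return {"protocol": None, "cipher": "", "verified": False,
                "resumed": False, "error": str(exc)}
    return result

def assess(result):
    """Return findings against the policy; an empty list means the VIP passed."""
    findings = []
    if result.get("protocol") not in ACCEPTED_PROTOCOLS:
        findings.append("protocol not accepted: %s" % result.get("protocol"))
    if any(m in result.get("cipher", "").upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher negotiated: %s" % result["cipher"])
    if not result.get("verified"):
        findings.append("certificate chain did not verify")
    if not result.get("resumed"):
        findings.append("session was not resumed on reconnect")
    return findings
```

Run it as `assess(probe_vip("vip.example.test"))` with the VIP's DNS name (placeholder here); an empty list means every check passed.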
Learn more about SSL offloading capabilities in NetScaler here, and you can find the Terraform example here.