SSL policy binding

You can bind SSL policies globally or to an SSL type virtual server only. Globally bound policies are evaluated after all policies bound to services, virtual servers, or other NetScaler bind points are evaluated. If the incoming data matches any of the rules configured in the SSL policy, the policy is triggered, and the action associated with it is carried out.

When binding an SSL policy to a virtual server, you must select from one of the following bind points:

  • REQUEST (Default bind point. Policy evaluation is done in the HTTP layer after the SSL handshake is completed.)

  • INTERCEPT_REQ (This option applies to a Citrix Secure Web Gateway setup. For more information, see SSL policy infrastructure for SSL interception).

  • CLIENTHELLO_REQ

Similarly, when unbinding a policy from a virtual server, you must specify the bind point.

If you specify CLIENTHELLO_REQ as the bind point, the policy is evaluated when a client hello message is received. The allowed actions are RESET, FORWARD, and caCertGrpName. The reset action terminates the connection. The forward action forwards the request to a load balancing virtual server for processing. The caCertGrpName action selectively picks CAs based on SNI for client authentication. For more information about SSL actions, see SSL built-in actions and user-defined actions.

Note: The action caCertGrpName is not supported with the TLS 1.3 protocol.

Bind an SSL policy globally by using the CLI

At the command prompt, type the following command to bind a global SSL policy and verify the configuration:

bind ssl global - policyName <string> [- priority <positive_integer>]
show ssl global
<!--NeedCopy-->

Example:

bind ssl global -policyName Policy-SSL-2 -priority 90
Done

sh ssl global

     1) Name: Policy-SSL-2 Priority: 90
     2) Name: Policy-SSL-1 Priority: 100
     Done
<!--NeedCopy-->

Bind an SSL policy globally by using the GUI

  1. Navigate to Traffic Management > SSL > Policies.
  2. In the details pane, click Global Bindings.
  3. In the Bind/Unbind SSL Policies to Global dialog box, click Insert Policy.
  4. In the Policy Name list, select a policy.
  5. Optionally, drag the entry to a new position in the policy bank to automatically update the priority level.
  6. Click OK. A message appears in the status bar, stating that the policy has been bound successfully.

Bind or unbind an SSL policy to a virtual server by using the CLI

At the command prompt, type the following command to bind an SSL policy to a virtual server and verify the configuration:

bind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type <type>

unbind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type <type>

<!--NeedCopy-->

Example:

bind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ
<!--NeedCopy-->
unbind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ
<!--NeedCopy-->
show ssl vserver vs-server

Advanced SSL configuration for VServer vs-server:

DH: DISABLED

Ephemeral RSA: ENABLED          Refresh Count: 1000

Session Reuse: ENABLED          Timeout: 120 seconds

Cipher Redirect: DISABLED

SSLv2 Redirect: DISABLED

ClearText Port: 80

Client Auth: DISABLED

SSL Redirect: ENABLED

SSL-REDIRECT Port Rewrite: ENABLED

Non FIPS Ciphers: DISABLED

SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED

1)      Policy Name: ssl-policy-1        Priority: 10

1)      Cipher Name: DEFAULT

            Description: Predefined Cipher Alias

Done
<!--NeedCopy-->

Bind an SSL policy to a virtual server by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL virtual server.
  2. In Advanced Settings, select SSL Policy. Click in the SSL policy section to bind a policy to the virtual server.
  3. In the Policy Binding page, select an existing policy or add a new policy.
  4. Specify priority and type (bind point) for the policy.
  5. Select Bind.
  6. Select Done.
SSL policy binding