SSL policy binding
You can bind SSL policies globally or to an SSL type virtual server only. Globally bound policies are evaluated after all policies bound to services, virtual servers, or other NetScaler bind points are evaluated. If the incoming data matches any of the rules configured in the SSL policy, the policy is triggered, and the action associated with it is carried out.
When binding an SSL policy to a virtual server, you must select from one of the following bind points:
- REQUEST (Default bind point. Policy evaluation is done in the HTTP layer after the SSL handshake is completed.)
- INTERCEPT_REQ (This option applies to a Citrix Secure Web Gateway setup. For more information, see SSL policy infrastructure for SSL interception.)
- CLIENTHELLO_REQ
Similarly, when unbinding a policy from a virtual server, you must specify the bind point.
If you specify CLIENTHELLO_REQ as the bind point, the policy is evaluated when a client hello message is received. The allowed actions are RESET, FORWARD, and caCertGrpName. The reset action terminates the connection. The forward action forwards the request to a load balancing virtual server for processing. The caCertGrpName action selectively picks CAs based on SNI for client authentication. For more information about SSL actions, see SSL built-in actions and user-defined actions.
Notes:
- The action caCertGrpName is not supported with the TLS 1.3 protocol.
The SSL offloading process stores the information needed to evaluate SSL related expressions or rules during the SSL handshake, based on the configured settings.
For example, if the deployment contains both a content switching virtual server and an SSL load balancing virtual server, then the information (client versions, ciphers, client certificate, and so on) is stored based on the SSL settings during SSL offloading. This SSL setting is applicable for future rule or expression assessment. This example is applicable if SSL offloading happens at the content switching virtual server.
Bind an SSL policy globally by using the CLI
At the command prompt, type the following command to bind a global SSL policy and verify the configuration:
bind ssl global -policyName <string> [-priority <positive_integer>]
show ssl global
Example:
bind ssl global -policyName Policy-SSL-2 -priority 90
Done
sh ssl global
1) Name: Policy-SSL-2 Priority: 90
2) Name: Policy-SSL-1 Priority: 100
Done
Bind an SSL policy globally by using the GUI
- Navigate to Traffic Management > SSL > Policies.
- In the details pane, click Global Bindings.
- In the Bind/Unbind SSL Policies to Global dialog box, click Insert Policy.
- In the Policy Name list, select a policy.
- Optionally, drag the entry to a new position in the policy bank to automatically update the priority level.
- Click OK. A message appears in the status bar, stating that the policy has been bound successfully.
Bind or unbind an SSL policy to a virtual server by using the CLI
At the command prompt, type the following command to bind an SSL policy to a virtual server and verify the configuration:
bind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type <type>
unbind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type <type>
Example:
bind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ
unbind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ
show ssl vserver vs-server
Advanced SSL configuration for VServer vs-server:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 1000
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 80
Client Auth: DISABLED
SSL Redirect: ENABLED
SSL-REDIRECT Port Rewrite: ENABLED
Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1) Policy Name: ssl-policy-1 Priority: 10
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done
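The restriction on actions at the CLIENTHELLO_REQ bind point can be checked offline against a saved configuration before it is applied. The following Python script is an added example, not Citrix code. It assumes the command forms `add ssl action <name> -forward <vserver>`, `add ssl action <name> -caCertGrpName <group>`, and `add ssl policy <name> -rule <expression> -action <action>`; the sample configuration and every object name in it are constructed.

```python
import shlex

# Per the page, only these are allowed at CLIENTHELLO_REQ: the RESET action,
# or a user-defined action that forwards or selects a CA certificate group.
ALLOWED_BUILTIN = {"RESET"}
ALLOWED_PARAMS = {"-forward", "-cacertgrpname"}

# Constructed sample configuration (all object names are hypothetical).
SAMPLE_CONFIG = """\
add ssl action act_fwd -forward lb_vs2
add ssl action act_auth -clientAuth DOCLIENTAUTH
add ssl policy pol_fwd -rule 'CLIENT.SSL.CLIENT_HELLO.SNI.CONTAINS("abc")' -action act_fwd
add ssl policy pol_rst -rule 'CLIENT.SSL.CLIENT_HELLO.SNI.CONTAINS("old")' -action RESET
add ssl policy pol_auth -rule 'CLIENT.SSL.CLIENT_HELLO.SNI.CONTAINS("hr")' -action act_auth
bind ssl vserver v1 -policyName pol_fwd -priority 1 -type CLIENTHELLO_REQ
bind ssl vserver v1 -policyName pol_rst -priority 2 -type CLIENTHELLO_REQ
bind ssl vserver v1 -policyName pol_auth -priority 3 -type CLIENTHELLO_REQ
bind ssl vserver v2 -policyName pol_auth -priority 1
"""

def parse_opts(tokens):
    """Map '-name value' pairs to a dict keyed by the lowercased option name."""
    return {k.lower(): v for k, v in zip(tokens, tokens[1:]) if k.startswith("-")}

def lint_clienthello_bindings(config_text):
    """Return (vserver, policy, action) for each invalid CLIENTHELLO_REQ binding."""
    actions, policies, binds = {}, {}, []
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        head, name, opts = [t.lower() for t in tok[:3]], tok[3], parse_opts(tok[4:])
        if head == ["add", "ssl", "action"]:
            actions[name] = set(opts)          # which parameters the action sets
        elif head == ["add", "ssl", "policy"]:
            policies[name] = opts.get("-action", "")
        elif head == ["bind", "ssl", "vserver"]:
            # REQUEST is the default bind point when -type is omitted.
            binds.append((name, opts.get("-policyname"), opts.get("-type", "REQUEST").upper()))
    findings = []
    for vserver, policy, bind_point in binds:
        action = policies.get(policy, "")
        if bind_point != "CLIENTHELLO_REQ" or action.upper() in ALLOWED_BUILTIN:
            continue
        if not actions.get(action, set()) & ALLOWED_PARAMS:
            findings.append((vserver, policy, action))
    return findings

if __name__ == "__main__":
    for vserver, policy, action in lint_clienthello_bindings(SAMPLE_CONFIG):
        print(f"{vserver}: policy {policy} uses action {action!r}, not valid at CLIENTHELLO_REQ")
```

A policy that is bound at CLIENTHELLO_REQ but not defined in the checked text is reported with an empty action name.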
Bind an SSL policy to a virtual server by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL virtual server.
- In Advanced Settings, select SSL Policy. Click in the SSL policy section to bind a policy to the virtual server.
- In the Policy Binding page, select an existing policy or add a new policy.
- Specify priority and type (bind point) for the policy.
- Select Bind.
- Select Done.