SSL profile
An SSL profile is a collection of SSL settings, such as ciphers and protocols. A profile is helpful if you have common settings for different servers. Instead of specifying the same settings for each server, you can create a profile, specify the settings in the profile, and then bind the profile to different servers. If a custom front-end SSL profile is not created, the default front-end profile is bound to client-side entities. This profile enables you to configure settings for managing the client-side connections. For SSL interception, you must create an SSL profile and enable SSL interception (SSLi) in the profile. A default cipher group is bound to this profile, but you can configure more ciphers to suit your deployment. You must bind an SSLi CA certificate to this profile and then bind the profile to a proxy server. For SSL interception, the essential parameters in a profile are the ones used to check the OCSP status of the origin server certificate, trigger client renegotiation if the origin server requests renegotiation, and verify the origin server certificate before reusing the front-end SSL session. You must use the default backend profile when communicating with the origin servers. Set any server-side parameters, such as cipher suites, in the default backend profile. A custom back-end profile is not supported.
For examples of the most commonly used SSL settings, see “Sample Profile” at the end of this section.
Cipher/protocol support differs on the internal and external network. In the following tables, the connection between the users and an SWG appliance is the internal network. The external network is between the appliance and the internet.
Table 1: Cipher/protocol support matrix for the internal network
| (Cipher/protocol)/Platform | MPX (N3)* | VPX |
|---|---|---|
| TLS 1.1/1.2 | 12.1 | 12.1 |
| ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) | 12.1 | 12.1 |
| AES-GCM(Example TLS1.2-AES128-GCM-SHA256) | 12.1 | 12.1 |
| SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) | 12.1 | 12.1 |
| ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) | 12.1 | 12.1 |
Table 2: Cipher/protocol support matrix for the external network
| (Cipher/protocol)/Platform | MPX (N3)* | VPX |
|---|---|---|
| TLS 1.1/1.2 | 12.1 | 12.1 |
| ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) | 12.1 | 12.1 |
| AES-GCM(Example TLS1.2-AES128-GCM-SHA256) | 12.1 | 12.1 |
| SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) | 12.1 | 12.1 |
| ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) | 12.1 | Not supported |
* Use the sh hardware (show hardware) command to identify whether your appliance has N3 chips.
Example:
sh hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
Manufactured on: 8/19/2013
CPU: 2900MHZ
Host Id: 1006665862
Serial no: ENUK6298FT
Encoded serial no: ENUK6298FT
Done
Add an SSL profile and enable SSL interception by using the Citrix SWG CLI
At the command prompt, type:
add ssl profile <name> -sslinterception ENABLED -ssliReneg ( ENABLED | DISABLED ) -ssliOCSPCheck ( ENABLED | DISABLED ) -ssliMaxSessPerServer <positive_integer>
Arguments:
sslInterception:
Enable or disable interception of SSL sessions.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssliReneg:
Enable or disable triggering client renegotiation when a renegotiation request is received from the origin server.
Possible values: ENABLED, DISABLED
Default value: ENABLED
ssliOCSPCheck:
Enable or disable OCSP check for an origin-server certificate.
Possible values: ENABLED, DISABLED
Default value: ENABLED
ssliMaxSessPerServer:
Maximum number of SSL sessions to be cached per dynamic origin server. A unique SSL session is created for each SNI extension received from the client in a client hello message. The matching session is used for server-session reuse.
Default value: 10
Minimum value: 1
Maximum value: 1000
Example:
add ssl profile swg_ssl_profile -sslinterception ENABLED
Done
sh ssl profile swg_ssl_profile
1) Name: swg_ssl_profile (Front-End)
SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Client Auth: DISABLED
Use only bound CA certificates: DISABLED
Strict CA checks: NO
Session Reuse: ENABLED Timeout: 120 seconds
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Deny SSL Renegotiation ALL
Non FIPS Ciphers: DISABLED
Cipher Redirect: DISABLED
SSL Redirect: DISABLED
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Push Encryption Trigger: Always
PUSH encryption trigger timeout: 1 ms
SNI: DISABLED
OCSP Stapling: DISABLED
Strict Host Header check for SNI enabled SSL sessions: NO
Push flag: 0x0 (Auto)
SSL quantum size: 8 kB
Encryption trigger timeout 100 mS
Encryption trigger packet count: 45
Subject/Issuer Name Insertion Format: Unicode
SSL Interception: ENABLED
SSL Interception OCSP Check: ENABLED
SSL Interception End to End Renegotiation: ENABLED
SSL Interception Server Cert Verification for Client Reuse: ENABLED
SSL Interception Maximum Reuse Sessions per Server: 10
Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs)
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
ECC Curve: P_256, P_384, P_224, P_521
1) Cipher Name: DEFAULT Priority :1
Description: Predefined Cipher Alias
Done
Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG CLI
At the command prompt, type:
bind ssl profile <name> -ssliCACertkey <ssli-ca-cert >
Example:
bind ssl profile swg_ssl_profile -ssliCACertkey swg_ca_cert
Done
sh ssl profile swg_ssl_profile
1) Name: swg_ssl_profile (Front-End)
SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Client Auth: DISABLED
Use only bound CA certificates: DISABLED
Strict CA checks: NO
Session Reuse: ENABLED Timeout: 120 seconds
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Deny SSL Renegotiation ALL
Non FIPS Ciphers: DISABLED
Cipher Redirect: DISABLED
SSL Redirect: DISABLED
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Push Encryption Trigger: Always
PUSH encryption trigger timeout: 1 ms
SNI: DISABLED
OCSP Stapling: DISABLED
Strict Host Header check for SNI enabled SSL sessions: NO
Push flag: 0x0 (Auto)
SSL quantum size: 8 kB
Encryption trigger timeout 100 mS
Encryption trigger packet count: 45
Subject/Issuer Name Insertion Format: Unicode
SSL Interception: ENABLED
SSL Interception OCSP Check: ENABLED
SSL Interception End to End Renegotiation: ENABLED
SSL Interception Server Cert Verification for Client Reuse: ENABLED
SSL Interception Maximum Reuse Sessions per Server: 10
Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs)
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
ECC Curve: P_256, P_384, P_224, P_521
1) Cipher Name: DEFAULT Priority :1
Description: Predefined Cipher Alias
1) SSL Interception CA CertKey Name: swg_ca_cert
Done
Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG GUI
-
Navigate to System > Profiles > SSL Profile.
-
Click Add.
-
Specify a name for the profile.
-
Enable SSL Sessions Interception.
-
Click OK.
-
In Advanced Settings, click Certificate Key.
-
Specify an SSLi CA certificate key to bind to the profile.
-
Click Select and then click Bind.
-
Optionally, configure ciphers to suit your deployment.
- Click the edit icon, and then click Add.
- Select one or more cipher groups, and click the right arrow.
- Click OK.
-
Click Done.
Bind an SSL profile to a proxy server by using the Citrix SWG GUI
- Navigate to Secure Web Gateway > Proxy Servers, and add a new server or select a server to modify.
- In SSL Profile, click the edit icon.
- In the SSL Profile list, select the SSL profile that you created earlier.
- Click OK.
- Click Done.
Sample Profile:
Name: swg_ssl_profile (Front-End)
SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Client Auth: DISABLED
Use only bound CA certificates: DISABLED
Strict CA checks: NO
Session Reuse: ENABLED Timeout: 120 seconds
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Deny SSL Renegotiation ALL
Non FIPS Ciphers: DISABLED
Cipher Redirect: DISABLED
SSL Redirect: DISABLED
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Push Encryption Trigger: Always
PUSH encryption trigger timeout: 1 ms
SNI: DISABLED
OCSP Stapling: DISABLED
Strict Host Header check for SNI enabled SSL sessions: NO
Push flag: 0x0 (Auto)
SSL quantum size: 8 kB
Encryption trigger timeout 100 mS
Encryption trigger packet count: 45
Subject/Issuer Name Insertion Format: Unicode
SSL Interception: ENABLED
SSL Interception OCSP Check: ENABLED
SSL Interception End to End Renegotiation: ENABLED
SSL Interception Maximum Reuse Sessions per Server: 10
Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs)
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
ECC Curve: P_256, P_384, P_224, P_521
1) Cipher Name: DEFAULT Priority :1
Description: Predefined Cipher Alias
1) SSL Interception CA CertKey Name: swg_ca_cert
In this article
- Add an SSL profile and enable SSL interception by using the Citrix SWG CLI
- Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG CLI
- Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG GUI
- Bind an SSL profile to a proxy server by using the Citrix SWG GUI