SSL profile

An SSL profile is a collection of SSL settings, such as ciphers and protocols. A profile is helpful if you have common settings for different servers. Instead of specifying the same settings for each server, you can create a profile, specify the settings in the profile, and then bind the profile to different servers. If a custom front-end SSL profile is not created, the default front-end profile is bound to client-side entities. This profile enables you to configure settings for managing the client-side connections. For SSL interception, you must create an SSL profile and enable SSL interception (SSLi) in the profile. A default cipher group is bound to this profile, but you can configure more ciphers to suit your deployment. You must bind an SSLi CA certificate to this profile and then bind the profile to a proxy server. For SSL interception, the essential parameters in a profile are the ones used to check the OCSP status of the origin server certificate, trigger client renegotiation if the origin server requests renegotiation, and verify the origin server certificate before reusing the front-end SSL session. You must use the default backend profile when communicating with the origin servers. Set any server-side parameters, such as cipher suites, in the default backend profile. A custom back-end profile is not supported.

For examples of the most commonly used SSL settings, see “Sample Profile” at the end of this section.

Cipher/protocol support differs on the internal and external network. In the following tables, the connection between the users and an SWG appliance is the internal network. The external network is between the appliance and the internet.

localized image

Table 1: Cipher/protocol support matrix for the internal network

(Cipher/protocol)/Platform MPX (N3)* VPX
TLS 1.1/1.2 12.1 12.1
ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) 12.1 12.1
AES-GCM(Example TLS1.2-AES128-GCM-SHA256) 12.1 12.1
SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) 12.1 12.1
ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) 12.1 12.1

Table 2: Cipher/protocol support matrix for the external network

(Cipher/protocol)/Platform MPX (N3)* VPX
TLS 1.1/1.2 12.1 12.1
ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) 12.1 12.1
AES-GCM(Example TLS1.2-AES128-GCM-SHA256) 12.1 12.1
SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) 12.1 12.1
ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) 12.1 Not supported

* Use the sh hardware (show hardware) command to identify whether your appliance has N3 chips.

Example:

sh hardware

Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100

Manufactured on: 8/19/2013

CPU: 2900MHZ

Host Id: 1006665862

Serial no: ENUK6298FT

Encoded serial no: ENUK6298FT

Done
<!--NeedCopy-->

Add an SSL profile and enable SSL interception by using the Citrix SWG CLI

At the command prompt, type:

add ssl profile <name> -sslinterception ENABLED -ssliReneg ( ENABLED | DISABLED ) -ssliOCSPCheck ( ENABLED | DISABLED ) -ssliMaxSessPerServer <positive_integer>

Arguments:

sslInterception:

Enable or disable interception of SSL sessions.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssliReneg:

Enable or disable triggering client renegotiation when a renegotiation request is received from the origin server.

Possible values: ENABLED, DISABLED

Default value: ENABLED

ssliOCSPCheck:

Enable or disable OCSP check for an origin-server certificate.

Possible values: ENABLED, DISABLED

Default value: ENABLED

ssliMaxSessPerServer:

Maximum number of SSL sessions to be cached per dynamic origin server. A unique SSL session is created for each SNI extension received from the client in a client hello message. The matching session is used for server-session reuse.

Default value: 10

Minimum value: 1

Maximum value: 1000

Example:

add ssl profile swg_ssl_profile  -sslinterception ENABLED

Done

sh ssl profile swg_ssl_profile

1)    Name: swg_ssl_profile (Front-End)

                SSLv3: DISABLED               TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED

                Client Auth: DISABLED

                Use only bound CA certificates: DISABLED

                Strict CA checks:                               NO

                Session Reuse: ENABLED                              Timeout: 120 seconds

                DH: DISABLED

                DH Private-Key Exponent Size Limit: DISABLED   Ephemeral RSA: ENABLED                            Refresh Count: 0

                Deny SSL Renegotiation                                ALL

                Non FIPS Ciphers: DISABLED

                Cipher Redirect: DISABLED

                SSL Redirect: DISABLED

                Send Close-Notify: YES

                Strict Sig-Digest Check: DISABLED

                Push Encryption Trigger: Always

                PUSH encryption trigger timeout:             1 ms

                SNI: DISABLED

                OCSP Stapling: DISABLED

                Strict Host Header check for SNI enabled SSL sessions:                   NO

                Push flag:            0x0 (Auto)

                SSL quantum size:                            8 kB

                Encryption trigger timeout           100 mS

                Encryption trigger packet count:               45

                Subject/Issuer Name Insertion Format: Unicode

                SSL Interception: ENABLED

                SSL Interception OCSP Check: ENABLED

                SSL Interception End to End Renegotiation: ENABLED

                SSL Interception Server Cert Verification for Client Reuse: ENABLED

                SSL Interception Maximum Reuse Sessions per Server:  10

                Session Ticket: DISABLED              Session Ticket Lifetime: 300 (secs)

                HSTS: DISABLED

                HSTS IncludeSubDomains: NO

                HSTS Max-Age: 0

                ECC Curve: P_256, P_384, P_224, P_521

1)            Cipher Name: DEFAULT Priority :1

                Description: Predefined Cipher Alias

Done
<!--NeedCopy-->

Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG CLI

At the command prompt, type:

bind ssl profile <name> -ssliCACertkey <ssli-ca-cert >

Example:

bind ssl profile swg_ssl_profile -ssliCACertkey swg_ca_cert

Done

sh ssl profile swg_ssl_profile

1)            Name: swg_ssl_profile (Front-End)

                SSLv3: DISABLED               TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED

                Client Auth: DISABLED

                Use only bound CA certificates: DISABLED

                Strict CA checks:                               NO

                Session Reuse: ENABLED                              Timeout: 120 seconds

                DH: DISABLED

                DH Private-Key Exponent Size Limit: DISABLED   Ephemeral RSA: ENABLED                            Refresh Count: 0

                Deny SSL Renegotiation                                ALL

                Non FIPS Ciphers: DISABLED

                Cipher Redirect: DISABLED

                SSL Redirect: DISABLED

                Send Close-Notify: YES

                Strict Sig-Digest Check: DISABLED

                Push Encryption Trigger: Always

                PUSH encryption trigger timeout:             1 ms

                SNI: DISABLED

                OCSP Stapling: DISABLED

                Strict Host Header check for SNI enabled SSL sessions:                   NO

                Push flag:            0x0 (Auto)

                SSL quantum size:                            8 kB

                Encryption trigger timeout           100 mS

                Encryption trigger packet count:               45

                Subject/Issuer Name Insertion Format: Unicode

                SSL Interception: ENABLED

                SSL Interception OCSP Check: ENABLED

                SSL Interception End to End Renegotiation: ENABLED

                SSL Interception Server Cert Verification for Client Reuse: ENABLED

                SSL Interception Maximum Reuse Sessions per Server:  10

                Session Ticket: DISABLED              Session Ticket Lifetime: 300 (secs)

                HSTS: DISABLED

                HSTS IncludeSubDomains: NO

                HSTS Max-Age: 0

                ECC Curve: P_256, P_384, P_224, P_521

1)            Cipher Name: DEFAULT Priority :1

                Description: Predefined Cipher Alias

1)            SSL Interception CA CertKey Name: swg_ca_cert

Done
<!--NeedCopy-->

Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG GUI

  1. Navigate to System > Profiles > SSL Profile.

  2. Click Add.

  3. Specify a name for the profile.

  4. Enable SSL Sessions Interception.

  5. Click OK.

  6. In Advanced Settings, click Certificate Key.

  7. Specify an SSLi CA certificate key to bind to the profile.

  8. Click Select and then click Bind.

  9. Optionally, configure ciphers to suit your deployment.

    • Click the edit icon, and then click Add.
    • Select one or more cipher groups, and click the right arrow.
    • Click OK.
  10. Click Done.

Bind an SSL profile to a proxy server by using the Citrix SWG GUI

  1. Navigate to Secure Web Gateway > Proxy Servers, and add a new server or select a server to modify.
  2. In SSL Profile, click the edit icon.
  3. In the SSL Profile list, select the SSL profile that you created earlier.
  4. Click OK.
  5. Click Done.

Sample Profile:

Name: swg_ssl_profile (Front-End)

                SSLv3: DISABLED               TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED

                Client Auth: DISABLED

                Use only bound CA certificates: DISABLED

                Strict CA checks:                               NO

                Session Reuse: ENABLED                              Timeout: 120 seconds

                DH: DISABLED

                DH Private-Key Exponent Size Limit: DISABLED   Ephemeral RSA: ENABLED                            Refresh Count: 0

                Deny SSL Renegotiation                                ALL

                Non FIPS Ciphers: DISABLED

                Cipher Redirect: DISABLED

                SSL Redirect: DISABLED

                Send Close-Notify: YES

                Strict Sig-Digest Check: DISABLED

                Push Encryption Trigger: Always

                PUSH encryption trigger timeout:             1 ms

                SNI: DISABLED

                OCSP Stapling: DISABLED

                Strict Host Header check for SNI enabled SSL sessions:                   NO

                Push flag:            0x0 (Auto)

                SSL quantum size:                            8 kB

                Encryption trigger timeout           100 mS

                Encryption trigger packet count:               45

                Subject/Issuer Name Insertion Format: Unicode

                SSL Interception: ENABLED

                SSL Interception OCSP Check: ENABLED

                SSL Interception End to End Renegotiation: ENABLED

                SSL Interception Maximum Reuse Sessions per Server:  10

                Session Ticket: DISABLED              Session Ticket Lifetime: 300 (secs)

                HSTS: DISABLED

                HSTS IncludeSubDomains: NO

                HSTS Max-Age: 0

                ECC Curve: P_256, P_384, P_224, P_521

1)            Cipher Name: DEFAULT Priority :1

                Description: Predefined Cipher Alias

1)            SSL Interception CA CertKey Name: swg_ca_cert
<!--NeedCopy-->