SSL profile

An SSL profile is a collection of SSL settings, such as ciphers and protocols. A profile is helpful if you have common settings for different servers. Instead of specifying the same settings for each server, you can create a profile, specify the settings in the profile, and then bind the profile to different servers. If a custom front-end SSL profile is not created, the default front-end profile is bound to client-side entities. This profile enables you to configure settings for managing the client-side connections. For SSL interception, you must create an SSL profile and enable SSL interception (SSLi) in the profile. A default cipher group is bound to this profile, but you can configure more ciphers to suit your deployment. You must bind an SSLi CA certificate to this profile and then bind the profile to a proxy server. For SSL interception, the essential parameters in a profile are the ones used to check the OCSP status of the origin server certificate, trigger client renegotiation if the origin server requests renegotiation, and verify the origin server certificate before reusing the front-end SSL session. You must use the default backend profile when communicating with the origin servers. Set any server-side parameters, such as cipher suites, in the default backend profile. A custom back-end profile is not supported.

For examples of the most commonly used SSL settings, see “Sample Profile” at the end of this section.

Cipher/protocol support differs on the internal and external network. In the following tables, the connection between the users and an SWG appliance is the internal network. The external network is between the appliance and the internet.

localized image

Table 1: Cipher/protocol support matrix for the internal network

(Cipher/protocol)/Platform MPX (N3)* VPX
TLS 1.1/1.2 12.1 12.1
ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) 12.1 12.1
AES-GCM(Example TLS1.2-AES128-GCM-SHA256) 12.1 12.1
SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) 12.1 12.1
ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) 12.1 12.1

Table 2: Cipher/protocol support matrix for the external network

(Cipher/protocol)/Platform MPX (N3)* VPX
TLS 1.1/1.2 12.1 12.1
ECDHE/DHE(Example TLS1-ECDHE-RSA-AES128-SHA) 12.1 12.1
AES-GCM(Example TLS1.2-AES128-GCM-SHA256) 12.1 12.1
SHA-2 Ciphers(Example TLS1.2-AES-128-SHA256) 12.1 12.1
ECDSA(Example TLS1-ECDHE-ECDSA-AES256-SHA) 12.1 Not supported

* Use the sh hardware (show hardware) command to identify whether your appliance has N3 chips.

Example:

sh hardware Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100 Manufactured on: 8/19/2013 CPU: 2900MHZ Host Id: 1006665862 Serial no: ENUK6298FT Encoded serial no: ENUK6298FT Done

Add an SSL profile and enable SSL interception by using the Citrix SWG CLI

At the command prompt, type:

add ssl profile <name> -sslinterception ENABLED -ssliReneg ( ENABLED | DISABLED ) -ssliOCSPCheck ( ENABLED | DISABLED ) -ssliMaxSessPerServer <positive_integer>

Arguments:

sslInterception:

Enable or disable interception of SSL sessions.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssliReneg:

Enable or disable triggering client renegotiation when a renegotiation request is received from the origin server.

Possible values: ENABLED, DISABLED

Default value: ENABLED

ssliOCSPCheck:

Enable or disable OCSP check for an origin-server certificate.

Possible values: ENABLED, DISABLED

Default value: ENABLED

ssliMaxSessPerServer:

Maximum number of SSL sessions to be cached per dynamic origin server. A unique SSL session is created for each SNI extension received from the client in a client hello message. The matching session is used for server-session reuse.

Default value: 10

Minimum value: 1

Maximum value: 1000

Example:

add ssl profile swg_ssl_profile -sslinterception ENABLED Done sh ssl profile swg_ssl_profile 1) Name: swg_ssl_profile (Front-End) SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED Client Auth: DISABLED Use only bound CA certificates: DISABLED Strict CA checks: NO Session Reuse: ENABLED Timeout: 120 seconds DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Deny SSL Renegotiation ALL Non FIPS Ciphers: DISABLED Cipher Redirect: DISABLED SSL Redirect: DISABLED Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Push Encryption Trigger: Always PUSH encryption trigger timeout: 1 ms SNI: DISABLED OCSP Stapling: DISABLED Strict Host Header check for SNI enabled SSL sessions: NO Push flag: 0x0 (Auto) SSL quantum size: 8 kB Encryption trigger timeout 100 mS Encryption trigger packet count: 45 Subject/Issuer Name Insertion Format: Unicode SSL Interception: ENABLED SSL Interception OCSP Check: ENABLED SSL Interception End to End Renegotiation: ENABLED SSL Interception Server Cert Verification for Client Reuse: ENABLED SSL Interception Maximum Reuse Sessions per Server: 10 Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs) HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 ECC Curve: P_256, P_384, P_224, P_521 1) Cipher Name: DEFAULT Priority :1 Description: Predefined Cipher Alias Done

Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG CLI

At the command prompt, type:

bind ssl profile <name> -ssliCACertkey <ssli-ca-cert >

Example:

bind ssl profile swg_ssl_profile -ssliCACertkey swg_ca_cert Done sh ssl profile swg_ssl_profile 1) Name: swg_ssl_profile (Front-End) SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED Client Auth: DISABLED Use only bound CA certificates: DISABLED Strict CA checks: NO Session Reuse: ENABLED Timeout: 120 seconds DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Deny SSL Renegotiation ALL Non FIPS Ciphers: DISABLED Cipher Redirect: DISABLED SSL Redirect: DISABLED Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Push Encryption Trigger: Always PUSH encryption trigger timeout: 1 ms SNI: DISABLED OCSP Stapling: DISABLED Strict Host Header check for SNI enabled SSL sessions: NO Push flag: 0x0 (Auto) SSL quantum size: 8 kB Encryption trigger timeout 100 mS Encryption trigger packet count: 45 Subject/Issuer Name Insertion Format: Unicode SSL Interception: ENABLED SSL Interception OCSP Check: ENABLED SSL Interception End to End Renegotiation: ENABLED SSL Interception Server Cert Verification for Client Reuse: ENABLED SSL Interception Maximum Reuse Sessions per Server: 10 Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs) HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 ECC Curve: P_256, P_384, P_224, P_521 1) Cipher Name: DEFAULT Priority :1 Description: Predefined Cipher Alias 1) SSL Interception CA CertKey Name: swg_ca_cert Done

Bind an SSL interception CA certificate to an SSL profle by using the Citrix SWG GUI

  1. Navigate to System > Profiles > SSL Profile.

  2. Click Add.

  3. Specify a name for the profile.

  4. Enable SSL Sessions Interception.

  5. Click OK.

  6. In Advanced Settings, click Certificate Key.

  7. Specify an SSLi CA certificate key to bind to the profile.

  8. Click Select and then click Bind.

  9. Optionally, configure ciphers to suit your deployment.

    • Click the edit icon, and then click Add.
    • Select one or more cipher groups, and click the right arrow.
    • Click OK.
  10. Click Done.

Bind an SSL profile to a proxy server by using the Citrix SWG GUI

  1. Navigate to Secure Web Gateway > Proxy Servers, and add a new server or select a server to modify.
  2. In SSL Profile, click the edit icon.
  3. In the SSL Profile list, select the SSL profile that you created earlier.
  4. Click OK.
  5. Click Done.

Sample Profile:

Name: swg_ssl_profile (Front-End) SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED Client Auth: DISABLED Use only bound CA certificates: DISABLED Strict CA checks: NO Session Reuse: ENABLED Timeout: 120 seconds DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Deny SSL Renegotiation ALL Non FIPS Ciphers: DISABLED Cipher Redirect: DISABLED SSL Redirect: DISABLED Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Push Encryption Trigger: Always PUSH encryption trigger timeout: 1 ms SNI: DISABLED OCSP Stapling: DISABLED Strict Host Header check for SNI enabled SSL sessions: NO Push flag: 0x0 (Auto) SSL quantum size: 8 kB Encryption trigger timeout 100 mS Encryption trigger packet count: 45 Subject/Issuer Name Insertion Format: Unicode SSL Interception: ENABLED SSL Interception OCSP Check: ENABLED SSL Interception End to End Renegotiation: ENABLED SSL Interception Maximum Reuse Sessions per Server: 10 Session Ticket: DISABLED Session Ticket Lifetime: 300 (secs) HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 ECC Curve: P_256, P_384, P_224, P_521 1) Cipher Name: DEFAULT Priority :1 Description: Predefined Cipher Alias 1) SSL Interception CA CertKey Name: swg_ca_cert