Configure full SSL VPN with Citrix NetScaler 12 in CLI and optimize the configuration to get an A+ on Qualys SSL Labs.

In this article, we will setup a full SSL VPN configuration with Citrix NetScaler 12 VPX (1000) using only the command line and we will optimize this configuration to follow the best practices from Citrix in order to get an A+ rating from Qualys SSL Labs.

Make sure to catch up this series' previous posts first!

 

Getting started

For this lab, you need the following:

  • NetScaler (12.0 at least) configured (For this lab, we are going to use the NetScaler HA pair running NS12.1 48.13.nc firmware. You can take a look at this article Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair).
  • Public SSL/TLS certificate imported in the NetScaler configuration. Root and Intermediate certificates must also be imported and chained properly.
  • Public IP
  • A private IP available for the VPN virtual server (Ex: 192.168.1.27)
  • A port available for the VPN (Ex:  default 443 or 3000)
  • An AD group available to restrict the access to the VPN. (Ex: cn=vpn_users,ou=groups,dc=citrixguru,dc=lab)
  • A service account for the LDAP communication (See Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11)

Configure full SSL VPN with Citrix NetScaler in CLI

Add test user in the VPN group

In this post, VPN access will be restricted to users members of an AD group (cn=vpn_users,ou=groups,dc=citrixguru,dc=lab).

VPN restricted to AD group
VPN restricted to AD group

Create AlwaysOnProfile

Connect to your Citrix NetScaler via CLI.

Type the following command to create an AlwaysOnProfile:

You can make sure that the command was entered properly by typing show vpn alwaysONProfile:

show vpn alwaysONProfile

Create session profile

Next step is to create a new Session Profile in NetScaler, type the following command:

You can make sure that the command was entered properly by typing show vpn sessionaction vpn_session_prof:

how vpn sessionaction vpn_session_prof
how vpn sessionaction vpn_session_prof

Create session policy

Then we will create a new Session Policy in NS, enter the following command:

You can make sure that the command was entered properly by typing show vpn sessionpolicy vpn_session_pol:

show vpn sessionpolicy vpn_session_pol
show vpn sessionpolicy vpn_session_pol

Create a new LDAP server

Note: you can reuse one if you already have this configured.

You can make sure that the command was entered properly by typing show authentication ldapaction vpn_ldap_srv:

show authentication ldapaction vpn_ldap_srv
show authentication ldapaction vpn_ldap_srv

I published a post on this blog to configure LDAPS with NetScaler, see Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11.

Create Authentication Policy

Then create a new Authentication Policy with the following command:

You can make sure that the command was entered properly by typing show authentication ldappolicy vpn_ldap_pol:

show authentication ldappolicy vpn_ldap_pol
show authentication ldappolicy vpn_ldap_pol

Create virtual server

Create a new virtual server for the VPN with the command below:

You can make sure that the command was entered properly by typing show vpn vserver vsng-vpn:

show vpn vserver vsng-vpn
show vpn vserver vsng-vpn

Bind SSL certificates

Next step is to bind the server certificate and the root CA certificate to the virtual server:

You can make sure that the command was entered properly by typing show ssl vserver vsng-vpn:

show ssl vserver vsng-vpn
show ssl vserver vsng-vpn

Bind portal theme

Bind the X1 portal theme (optional)

You can make sure that the command was entered properly by typing show ssl vserver vsng-vpn | more:

show ssl vserver vsng-vpn | more
show ssl vserver vsng-vpn | more

Bind LDAP policy

Bind the ldap policy that we have created before with the virtual server:

You can make sure that the command was entered properly by typing show ssl vserver vsng-vpn | more:

show ssl vserver vsng-vpn | more
show ssl vserver vsng-vpn | more

Bind Session policy

Bind the session policy that we have created before with the virtual server:

You can make sure that the command was entered properly by typing show ssl vserver vsng-vpn | more:

show ssl vserver vsng-vpn | more
show ssl vserver vsng-vpn | more

At this time, the VPN should already be working but we will do some optimizations.

Additional configurations

Note: NetScaler automatically added the following configuration during our steps:

You don’t need to type that during the configuration.

Optimizations

Enter the following commands to optimize the virtual server for Qualys:

Citrix also provided the following list of cipher optimizations:

 

The configuration above should give you an A+ on Qualys (July 2018).

ssllabs.com/ssltest/
ssllabs.com/ssltest/

Full configuration

 

Validate the VPN configuration

I will do this step with my Android phone and from the website.

Go to the Store and download Citrix SSO (Android) or Citirix VPN (Apple Store).

Add a new connection.

Note: here I am using a different port for the VPN. I added a new NAT rule in my router to redirect port 3000 to my virtual server IP port 443.

Citrix VPN/SSO - Add new connection
Citrix VPN/SSO – Add new connection

Click Save and connect to the VPN. You will be prompted to enter your credentials.

Then the VPN session is connected.

Citrix VPN/SSO - Connected
Citrix VPN/SSO – Connected

You can take a look at the stats to confirm that you are connected.

Citrix VPN/SSO - Stats
Citrix VPN/SSO – Stats

Or go to whatismyip.com from the device to confirm that the IP is from the VPN host.

Citrix VPN/SSO - Confirmed
Citrix VPN/SSO – Confirmed

Test from the website.

Go the the VPN url and logon.

Validate the VPN - Using the Website
Validate the VPN – Using the Website

The website will check if NetScaler Gateway Plug-in is installed.

Validate the VPN - Check the plugin
Validate the VPN – Check the plugin

You can also download the plug-in here: https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-clients-v121-4813.html.

Install it.

Install NetScaler Gateway Plug-in
Install NetScaler Gateway Plug-in

Then, Chrome will prompt you to be able to detect that the VPN session has started.

Chrome - accept nglauncher.exe
Chrome – accept nglauncher.exe

Note: you may have to reboot to finish the install.

NetScaler Gateway plug-in - connected
NetScaler Gateway plug-in – connected

 

Once connected, you will be automatically redirected to the homepage configured in the VPN session profile (citrixguru.com).

You can also connect to the VPN without going to the website.

Just open NetScaler Gateway plug-in.

Add a new connection.

NetScaler Gateway plug-in - Add new connection
NetScaler Gateway plug-in – Add new connection
NetScaler Gateway plug-in - Connection added
NetScaler Gateway plug-in – Connection added
NetScaler Gateway plug-in - logon
NetScaler Gateway plug-in – logon
NetScaler Gateway plug-in - connected
NetScaler Gateway plug-in – connected

You can click on Home page to be redirected to the homepage configured in the VPN session profile (citrixguru.com). By default, no automatic redirection in this case.

That’s all to configure a full SSL VPN in NetScaler with the CLI. I hope it helped. Cheers.

Make sure to catch up this series' previous posts first!