
VPN with Citrix NetScaler II – Requiring certificates to access
In the previous post we saw how to securely configure VPN access for our users through our Citrix NetScaler Gateway; in today's post we keep tightening the screws. We will make sure that remote computers without a certificate installed can't even see the NetScaler Gateway website!
This gives us an extra layer of security: the site used to reach the organization simply won't exist for anyone who doesn't have a certificate previously installed on their computer; nothing at all will be displayed. That keeps out the curious and the nosy. As we said, if you don't have a certificate installed on your computer (or on your smart card reader), you don't get in; you can't even open the access website.
This document is structured as follows:
Importing the root of the CA into the NetScaler
We will use the Certificate Authority in our Active Directory to create and issue the certificate to users, and we will also have the NetScaler check the status of the certificate against our CA.
So we start by taking a backup of our CA, our Active Directory certificate authority: on it, choose Back up CA, tell it to include the private key and CA certificate, pick a folder and that's it.
We import the CA certificate from “Traffic Management” > “SSL” > “Import PKCS#12”. We give it a name, choose the P12 file that the previous backup generated, enter the password we set for it, and click “OK”.
To install the certificate, we go to “Traffic Management” > “SSL” > “SSL Certificate” > “SSL Certificates” > “Install”. We enter a name and choose the certificate and its private key, both from the file we have just imported.
We now register the CRL (Certificate Revocation List) so that the NetScaler can check with the certificate authority (or CA) whether a certificate is still valid or has been revoked. From “Traffic Management” > “SSL” > “CRL” > “Add”.
We give it a name and the URL of the CRL (something like http://CA_IP_ADDRESS/certenroll/<your CA name>.crl). In “Interval” we select NOW for the moment; once we verify that it syncs correctly we will set it to daily.
Now we bind the CA certificate and the CRL on the Gateway Virtual Server, from “Certificate” > “CA Certificate”, and we set the CRL check to Mandatory. “Bind”.
It should look something like this, with 1 CA Certificate bound.
And in the SSL Parameters of the Gateway Virtual Server we enable “Client Authentication” and set the client certificate to Mandatory. “OK” and “Done”.
Generating a client certificate
Next we generate a certificate to be able to access. These are the steps we must follow to generate the certificate and install it on the workstation that we want to be able to reach the NetScaler Gateway site; without it, no access.
We go to “Traffic Management” > “SSL” > “Client Certificate Wizard”.
A wizard starts; first it creates the private key, for which we enter a filename, a key length, a format and a password. “Create”.
In the next step we fill in the data required to generate the CSR (Certificate Signing Request). Once complete, we click “Create”.
We answer “Yes” so that it generates the file with the CSR.
We leave the wizard for a moment and go to generate the certificate in our AD CA.
We open the Active Directory Certificate Services web site, where we can submit an advanced certificate request: we paste the text of the CSR from the file generated above, choose the “User” certificate template and click “Submit”.
We download the certificate, Base64 encoded.
Back in the wizard, we skip step 3 by clicking directly on step 4, and we add the certificate issued by our CA. Click “Create”.
“Done”.
We export it as PFX from “Traffic Management” > “SSL” > “Export PKCS#12”, and with WinSCP we download the PFX to our PC from /flash/nsconfig/ssl/.
That PFX is the one we need to install on the workstation in order to access.
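To see what the pieces configured above actually do, here is an added example that is not part of the original post and not NetScaler code: it rebuilds, offline with OpenSSL, the three artefacts the post wires together on the Gateway (a CA certificate, the CRL that CA publishes, and a user certificate issued from a CSR and exported as PFX) and then performs the check the NetScaler does with “CRL: Mandatory”: chain the user certificate to the CA and look its serial up in the CRL. It covers both the CRL section and the Client Certificate Wizard section. The CA name “Demo Corp CA”, the user “alice”, the PFX password and all paths are made-up values for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Stands in for the AD CS CA, its
# published CRL and the wizard-issued user certificate; every name here is made up.
set -euo pipefail

# Minimal openssl.cnf so that `openssl ca` can sign, revoke and emit CRLs.
setup_ca() {
  CA_DIR="$(mktemp -d)"
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed root: the equivalent of the CA backup imported into the NetScaler.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$CA_DIR/ca.key" >/dev/null 2>&1
  openssl req -x509 -new -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -key "$CA_DIR/ca.key" -subj "/CN=Demo Corp CA" -days 365 \
    -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# Wizard steps 1, 2 and 4: private key, CSR, certificate returned by the CA,
# then the PKCS#12 export the post downloads with WinSCP.
issue_user_cert() {
  local user="$1" dir="$CA_DIR/$1"
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/user.key" >/dev/null 2>&1
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$dir/user.key" \
    -subj "/CN=$user" -out "$dir/user.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions user_ext \
    -in "$dir/user.csr" -out "$dir/user.crt" >/dev/null 2>&1
  # PFX = key + certificate + CA chain; the password is a placeholder.
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
    -certfile "$CA_DIR/ca.crt" -passout pass:demo-pfx-password \
    -out "$dir/user.pfx" >/dev/null 2>&1
}

# The CRL the Gateway fetches from http://<CA>/certenroll/<CA name>.crl.
publish_crl() {
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/ca.crl" >/dev/null 2>&1
}

# A revocation is invisible to the Gateway until the CRL is regenerated and refetched,
# which is why the post's refresh interval matters.
revoke_user_cert() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1/user.crt" >/dev/null 2>&1
  publish_crl
}

# Number of serials currently listed in the CRL.
crl_revoked_count() {
  openssl crl -in "$CA_DIR/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}

# The check behind "CRL: Mandatory": chain to the CA, then consult the CRL.
# Prints valid, revoked or invalid.
verify_user_cert() {
  local out
  out="$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
         -CRLfile "$CA_DIR/ca.crl" "$CA_DIR/$1/user.crt" 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo invalid ;;
  esac
}

# Full flow: alice is accepted until the CA revokes her and republishes the CRL.
demo() {
  setup_ca
  issue_user_cert alice
  publish_crl
  local before after
  before="$(verify_user_cert alice)"
  revoke_user_cert alice
  after="$(verify_user_cert alice)"
  echo "$before $after"
}

demo   # prints: valid revoked
```

The script needs only the `openssl` binary. The `verify_user_cert` step is the useful one to keep around: run it against a user's `.crt` and the CRL you just downloaded from the CA's certenroll URL to confirm the CRL the NetScaler is fetching really lists the serial you expect.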
Testing
Now it's time to validate it: without the certificate, you can't open the Citrix NetScaler Gateway website at all.
And if we have the certificate installed (or several of them), it will ask us which one to use when we open the website.
And it will correctly show us the website for accessing our corporate applications and desktops portal, or via VPN we will be able to authenticate and get in!
A short post in which we have seen how to protect our public site from any unwanted access by visitors, the curious or the nosy, whoever they are: without a certificate they won't get this far! I hope you found it interesting; we'll continue in a third post with more things. See you soon!