Configure SSL action to forward client traffic

When parsing the client hello message, a Citrix ADC appliance can forward the client traffic using an SSL forward action associated with an SSL policy. The policy is bound to the virtual server at the client hello request (CLIENTHELLO_REQ) bind point, so the decision is taken before the appliance itself completes the handshake. Some use cases where forwarding can be used are discussed in the following sections. For information about configuring an SSL forward action if a cipher is not supported on a Citrix ADC appliance, see Configure SSL action to forward client traffic if a cipher is not supported on the ADC.

The following illustration explains the traffic flow. The forward virtual server is of type SSL_TCP in this illustration.

SSL forward action traffic flow

  1. A client initiates the SSL handshake and sends the client hello message to the ADC appliance.
  2. The appliance evaluates the configured policy using the parameters in the client hello message (for example, the SNI or the offered cipher suites).
  3. If the policy evaluates to false, the appliance completes the handshake itself, decrypts the traffic, and forwards it to the HTTP service bound to the original virtual server, and from there to the back-end server.
  4. If the policy evaluates to true, the traffic is forwarded to the forward virtual server named in the action.
  5. The forward virtual server completes the handshake with the client.
  6. All traffic that matches the policy rule reaches the back-end server through the service bound to the forward virtual server.

Configure an SSL action to forward client traffic if the appliance does not have a domain specific (SNI) certificate

Note: This feature is available in release 12.1 build 49.x and later.

In the client hello message, you might receive a request for a domain for which the certificate is not available on the appliance. In this case, you can configure an SSL action to forward the client traffic to a different virtual server. In the following example, an SSL virtual server is configured as the forward virtual server. Because the forward virtual server completes the handshake with the client itself, the certificate for that domain must be bound there; with that in place, connections that would fail because of a missing SNI certificate on the original virtual server succeed on the forward virtual server. The policy matches on the SNI string the client sends in clear text, so write the rule to match the exact domain (or its subdomains) that the forward virtual server can actually serve.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL (for example, vMain). Client traffic is received on this virtual server.
  2. Add server and CA certificates and bind them to the SSL virtual server.
  3. Add an SSL service on port 443.
  4. Bind this service to the SSL virtual server.
  5. Add another load balancing virtual server of type SSL, SSL_TCP, TCP, or SSL_BRIDGE to forward the traffic to (for example, fwd-vserver).
  6. Add a service and bind it to this virtual server.
  7. Add an SSL forward action that names the forward virtual server fwd-vserver in its forward parameter.
  8. Add an SSL policy (for example, pol-ssl-sni) whose rule matches the specific domain name (SNI) in the client hello message and invokes the preceding action.
  9. Bind this policy to the SSL virtual server vMain at the CLIENTHELLO_REQ bind point.
  10. Save the configuration.
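The traffic flow and the procedure above both turn on one thing: what the appliance can read from the client hello before any handshake completes. The following added example (not Citrix or NetScaler code) builds a constructed TLS 1.2 ClientHello, extracts the server_name (SNI) extension the way a client hello bind point must, and applies a rule with the semantics of a CONTAINS("...") match to decide between serving the connection on vMain and forwarding it to fwd-vserver. The domain xyz.com and the hostile hostname in the usage note are assumptions of the example; vMain and fwd-vserver are the names from the procedure.

```python
"""Added example, not Citrix code: what a CLIENTHELLO_REQ policy sees.
Assumed names: rule domain "xyz.com", forward target "fwd-vserver", main
virtual server "vMain". The ClientHello bytes are constructed here."""
import struct
from typing import Optional, Tuple

SERVER_NAME_EXT = 0x0000   # RFC 6066 server_name extension type
HOST_NAME = 0              # NameType host_name


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample ClientHello record (TLS 1.2, one cipher suite)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        ext_data = struct.pack("!H", len(entry)) + entry          # ServerNameList
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(ext_data)) + ext_data
    # An unrelated extension (ec_point_formats) so the parser has to skip one.
    exts += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
    body = (
        b"\x03\x03" + bytes(range(32))    # client_version, fixed "random" (constructed)
        + b"\x00"                         # session_id: empty
        + b"\x00\x02\xc0\x2f"             # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                     # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf: bytes, pos: int, n: int) -> None:
    """Bounds check: a truncated or hostile hello must not index past the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the client sent none."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                      # skip client_version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                              # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                              # compression_methods
    if pos == len(body):
        return None                                   # legacy client: no extensions block
    _need(body, pos, 2)
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    _need(body, pos, total)
    end = pos + total
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        data = body[pos:pos + elen]
        pos += elen
        if ext_type != SERVER_NAME_EXT:
            continue
        lpos = 2                                      # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            _need(data, lpos + 3, name_len)
            if name_type == HOST_NAME:
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None


def evaluate_policy(record: bytes, rule_domain: str, exact: bool = False) -> Tuple[str, Optional[str]]:
    """Policy decision at the client hello bind point.

    exact=False mirrors a CONTAINS() rule: any SNI with rule_domain as a
    substring forwards, including "xyz.com.evil.example". exact=True forwards
    only rule_domain itself or a subdomain of it, which is what a forward
    target holding a certificate for that domain can actually serve.
    """
    sni = parse_sni(record)
    if sni is None:
        return ("local", None)                        # policy false: vMain completes the handshake
    if exact:
        matched = sni == rule_domain or sni.endswith("." + rule_domain)
    else:
        matched = rule_domain in sni
    return ("forward", sni) if matched else ("local", sni)
```

Run `evaluate_policy(build_client_hello("www.xyz.com"), "xyz.com")` to see a forward decision and `evaluate_policy(build_client_hello(None), "xyz.com")` to see a client with no SNI stay on vMain. The point of the `exact` switch is the security caveat: the SNI is attacker-chosen bytes, so a loose substring rule also sends "xyz.com.evil.example" to fwd-vserver, which then has no certificate to complete that handshake with; match the domain precisely.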

Configuration using the CLI

Configuration for the SSL virtual server to which to forward the traffic:

add lb vserver fwd-vserver SSL 198.51.100.20 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
add ssl certkey cacert -cert SHA256-RSA-PEM_512.pem -key SHA256-RSA-PEM_512.ky
bind ssl vserver fwd-vserver -certkeyName sv
bind ssl vserver fwd-vserver -certkeyName cacert -CA
add service ssl-service2 198.51.100.18 SSL 443
bind lb vserver fwd-vserver ssl-service2
