Configure DTLS VPN virtual server using SSL VPN virtual server 编辑
Configure DTLS VPN virtual server using SSL VPN virtual server
You can configure a DTLS VPN virtual server for a Citrix ADC appliance using the same IP and port number of a configured SSL VPN virtual server. Configuring DTLS VPN virtual servers enables you to bind the advanced DTLS ciphers and certificates to the DTLS traffic for an enhanced security. From release 13.0 build 47.x, the DTLS 1.2 protocol is supported in addition to the earlier supported DTLS 1.0 protocol.
Important:
By default, the DTLS functionality is set to ON for the existing SSL VPN virtual server. Disable the functionality for the server before creating the DTLS VPN virtual server.
SNI for DTLS gateway virtual server is supported in Citrix Gateway release 13.0 build 64.x and later.
Starting from Citrix ADC release 13.0 build 79.x, the
helloverifyrequest
parameter is enabled by default. Enabling thehelloverifyrequest
parameter on the DTLS profile helps mitigate the risk of an attacker or bots overwhelming the network throughput, potentially leading to outbound bandwidth exhaustion. That is, it helps mitigate the DTLS DDoS amplification attack. For details about thehelloverifyrequest
parameter, see DTLS profile.When handling the UDP traffic, the Citrix ADC appliance memory consumption increases if the back-end servers push a lot of traffic. As a result, the Citrix ADC appliance cannot push this traffic to the client because of the TCP MUX connection on the client side. In such cases, Citrix recommends that you use the DTLS protocol.
Points to note
-
DTLS VPN virtual server on a Citrix ADC appliance can be configured from release 13.0 build 58.x.
-
Before you configure a DTLS VPN virtual server on a Citrix ADC appliance, you must have configured an SSL VPN virtual server on the appliance.
-
The DTLS VPN virtual server uses the IP address and the port number of the configured SSL VPN virtual server.
-
If the DTLS handshake fails, the connection falls back to TLS.
-
To use DTLS only, you can disable TLS by binding only the DTLS ciphers to the DTLS traffic.
-
DTLS multiplexing is not supported when TCP traffic is tunneled over VPN.
Configure DTLS VPN virtual server by using the GUI
- On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
- On the Citrix Gateway Virtual Servers page, select the existing SSL VPN virtual server and click Edit.
-
On the VPN Virtual Server page, click the edit icon and clear the DTLS check box and click OK.
-
Click the back arrow icon on the VPN Virtual Server to navigate to the Citrix Gateway Virtual Servers page and click Add.
-
Under Basic Settings, enter the values for the following fields and Click OK.
- Name - A name for the DTLS VPN virtual server
- Protocol - Select DTLS from the drop-down list menu
- IP Address – Enter SSL VPN virtual server IP address
- Port – Enter SSL VPN virtual server port number.
-
On the VPN Virtual Servers page, click the arrow under Certificates to select the required cert key. You can use an existing SSL cert key or create one. Click the radio button next to the desired certificate key and click Select.
-
Click Bind on the Server Certificate Binding page.
-
To use DTLS 1.2, enable the same. On the VPN Virtual Servers page, click edit icon under SSL Parameters. Enable DTLS 1.2 check box and click OK.
Note:
- Server name indication (SNI) is supported for VPN virtual server of type DTLS.
DTLS VPN virtual server configuration is now complete.
Configure DTLS VPN virtual server by using the CLI
At the command prompt, type the following sets of commands:
set vpn vserver <ssl vpnvserver name> -dtls off
add vpn vserver <dtls vpnvserver name> dtls <ssl vpn vserver IP> <ssl vpn vserver port>
bind ssl vservser <dtls vpnvserver name> -certkeyName <existing ssl cert key or newly created cert key>
<!--NeedCopy-->
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论