Overview
We went over how to just create a basic HTTP Virtual Server in this document; here we are going to go over the HTTPS version. With the Citrix ADC, we can present internal HTTP and HTTPS sites external using HTTPS only. In fact, we can create a Virtual Server that simply listens for HTTP requests and redirect the client to hit the same URL using HTTPS. We cover that in the Responder Policy document.
For now, we will just focus on creating a SSL Virtual Server.
Requirements
- Since we are working with SSL, we will need to have a certificate. The Citrix ADC (along with other mainstream load balancers) require the private key of the certificate as well. If you have the Certificate in PKCS#12/PFX format, then the key is bundled with the Certificate. If it is in PEM or DER format, we will need the key associated with the certificate.
- Available IP address to create the Virtual Server (though if you are following along from the Basic Reverse proxy/Load Balance document, you should already have one)
- If the ADC is in a DMZ, and the resource is not, the ADC will need access through the firew3all to communicate with the resource.
Procedure
This is a continuation of the Basic Reverse proxy/Load Balance document. We will leverage the same server and service so we can just focus on the SSL steps here
- Navigate to Traffic Management->Load Balancing->Virtual Servers. You should see the existing Virtual Server you built. For this walkthrough
- Click on Add. I am using the same IP address since HTTPS is a different TCP port than HTTP and adding HTTPS to the name just to help distinguish the two Virtual Servers
- When you click Ok, you are brought to the Virtual Server summary page. Go ahead and Bind the Virtual Server to the service we created earlier. In this example, it's the http-sdc-t2019-dcc service.
- In case you haven't caught on, we are now in the process of creating an SSL offload scenario. Clients will be connecting to the Virtual Server using HTTPS, but the ADC is connecting to the server over HTTP! If we had created a HTTPS service, we could also select that as well. Once you click on Bind and added the service to the Virtual Server, you are returned back to the summary screen. click on Continue
- The Virtual Server summary refreshes and you are presented with another box - the Certificate section. Your SSL Virtual Server's state will always be down UNLESS it is bound to a certificate. Click on No Server Certificate Note: SSL_Bridge Virtual Servers do NOT require a certificate binding since they pass the SSL traffic through to the service/server.
- Select the Certificate you want to use and click on Bind
- Now that you have bound both a service and a certificate to the Virtual Server, click on Continue
You can see that there are even more sections than with a HTTP Virtual server. We will go through two sections in particular to "harden" this Virtual Server if it is to be public facing: SSL Parameters and SSL Ciphers.
- Note that SSLv3 and TLSv1 are enabled on this Virtual Server by default. We can those off by clicking on the pen and editing the SSL Parameters section
- Down at the bottom of the Editable SSL Parameters section, you can check/uncheck the protocols that you want this Virtual Server to Support and click OK
- Now we will update the SSL Ciphers. Click on the Edit button for that Section and click on Add
- Remove DEFAULT by clicking the - sign and add NIC_Default which is at the bottom of the list. Refer to the Citrix ADC - Cipher Suites document for details on the NIC_Default listing.
- When the Cipher changes are complete, it should look like
Now that your HTTPS Virtual Server is configured, you can test it by updating your local hosts file to point the hostname to the VIP. If all goes well, you should be presented with the website the server is hosting.