Protect your web traffic against Internet threats with Citrix NetScaler Secure Web Gateway

In this blog post I will share some of my experiences implementing NetScaler SWG as a Forward Proxy in order to protect and enhance security for your web traffic.

Citrix NetScaler Secure Web Gateway addresses security challenges, by letting organizations control which applications users can access, inspecting ssl encrypted traffic, blocking intrusions and preventing malware.

NetScaler SWG allows organisations to inspect outbound SSL traffic originating from internal users.
NetScaler SWG can be implemented as a Tranparent Proxy, in this scenario clients does not need to be aware of the existence of the proxy. On the network layer SWG works as a gateway that sits between the client and the Internet.

NetScaler SWG can also be implemented in explicit proxy mode, in this scenario you point your clients/browsers to use NetScaler SWG as Proxy either by PAC file or browser configuration (Can be pushed out by Microsoft GPO or DHCP Options e.g.).

Obs. NetScaler 12.0 Build 57.19 introduced ICAP support for Content inspection. ICAP (Internet Content Adaptation Protocol) is a lightweight protocol which is in general used to implement virus scanning and content filters in HTTP Proxies. ICAP uses a cache to proxy all client transactions and process the transactions using ICAP Web servers, which are designed for functions as virus scanning and content filtering. ICAP will not be covered in this blog post.

Using ICAP for remote content inspection
https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/security-configuration/using-icap-for-remote-content-inspection.html

NetScalerSWG

Summary of NetScaler SWG capabilities:

NetScaler SWG provides complete visibility into encrypted traffic allows you to inspect, analyse and control web traffic.
NetScaler URL Threat Intelligence subscription is an optional feature to SWG, this feature blocks access to millions of phishing and malware websites.
NetScaler SWG with NMAS provides User Analytics and Outbound Traffic Analysis.

Table of Contents

Use Cases

Use Case: Making Enterprise Internet Access Compliant and Secure

https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/use-case-making-enterprise-internet-access-compliant-and-secure.html

Use case: Making enterprise network secure by using ICAP for remote malware inspection

https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/use-case-icap-for-remote-malware-inspection.html

Benefits

Reduce Business Risk and increase employee productivity by protecting against phishing and malware threats.
Enforce company security policies on all outgoing web traffic, while blocking access to inappropriate sites on a per user/group basis.
Integrated with subscription based realtime cloud based solution for URL Threat intelligence.
Organizations can now have the visibility and control they need over encrypted traffic while ensuring compliance with their privacy, regulatory, and acceptable use policies.
Monitor and report on web usage trends, log requests or log only the requests that trigger a risk alert.
NetScaler MAS (NMAS) collates and presents user activity.

Bypass for trusted communication eg. banking and healthcare applications to meet compliance requirements.

License requirements

SWG is a separate appliance (VPX, MPX or SDX Instance).

NetScaler Secure Web Gateway requires its own platform license (minimum requirement for SWG appliance).

URL Threat Intelligence feature license. This license is required for use of the URL filtering, URL categorization, and URL reputation score feature.

Configuring NetScaler SWG

In this configuration example I will not use the builtin Wizard for configuring SWG.

The platform I did test on was running NetScaler SWG version 12.0 build 57.19 and NMAS 12.0 build 57.19.

Features

Start with enabling the required features:

AAA (Authentication, Authorization and Auditing)
SSL Offloading
Content Switching
Integrated Caching
AppFlow
Forward Proxy
Responder
SSL Interception

Certificate Pre-reqs

Following SSL Certificates, should be available prior to configuration:

SSL Cert for AAA vServer configured if doing Authentication on Proxy Virtual Server.
SSL Cert on Proxy vServer.
CA Certificate keypair – if doing SSL Interception of the Client Requests.
- You could use you internal CA, backup and export the private key from the internal CA and import this as CA Certificate key in SWG. NetScaler SWG will do SSL Interception from this Certificate which should already be trusted in your domain clients local key store.

Configure Proxy Virtual Server

The Proxy Virtual Server will be used as entry point from our Clients. In this scenario we will configure Proxy Virtual Server as Explicit Proxy, and add an Authentication vServer for security and user visibility.

Create Authentication and Proxy vServer:

add authentication vserver vs-swg-explicit-proxy_authvs SSL 0.0.0.0

1	add authentication vserver vs-swg-explicit-proxy_authvs SSL 0.0.0.0

add cs vserver vs-swg-explicit-proxy PROXY x.x.x.x 8888 -cltTimeout 180 -authn401 ON -authnVsName vs-swg-explicit-proxy_authvs

1	add cs vserver vs-swg-explicit-proxy PROXY x.x.x.x 8888 -cltTimeout 180 -authn401 ON -authnVsName vs-swg-explicit-proxy_authvs

Create SSL Profile for SSL Interception:

add ssl profile ssl-proxy-intercept -sessReuse ENABLED -sessTimeout 120 -sslInterception ENABLED

1	add ssl profile ssl-proxy-intercept -sessReuse ENABLED -sessTimeout 120 -sslInterception ENABLED

Bind SSL Profile to Proxy Virtual Server:

set ssl vserver vs-swg-explicit-proxy -sslProfile ssl-proxy-intercept

1	set ssl vserver vs-swg-explicit-proxy -sslProfile ssl-proxy-intercept

Bind the Certkey pair to the SSL Profile for interception of the SSL Traffic with this certificate:

bind ssl profile ssl-proxy-intercept -ssliCACertkey internal-AD-CA-keypair

1	bind ssl profile ssl-proxy-intercept -ssliCACertkey internal-AD-CA-keypair

Now point your Web browser to use the Proxy Virtual Server created here. On first web site access, the SWG will prompt user for Authentication. This will also allow us to gain user visibility in NMAS and log files.

Configuring SSL Interception policies

At this stage you should also consider whether SSL Interception or bypass should occur for all HTTPS sites, specific category or specific sites only.

Example of SSL Interception policy to Intercept specific sites:

Example of SSL Interception policy to Intercept based on URL Categories:

Configuring SSL Interception policies to bypass specific traffic

In order to bypass SSL Interception for specific traffic.

Create the SSL Interception policy and base either at specific URL Category, Reputation or a Pattern Set.

Set the action to BYPASS.

In this example I choose to base the SSL Interception BYPASS policy on URLs that I define in the pattern set.

add policy patset ssl_intercept_pol_bypass
bind policy patset ssl_intercept_pol_bypass perforce.com -index 1
bind policy patset ssl_intercept_pol_bypass citrix.com -index 2

add ssl policy ssl_intercept_pol_bypass_ssli -rule "client.ssl.client_hello.SNI.CONTAINS_ANY(\"ssl_intercept_pol_bypass\")" -action BYPASS
bind ssl vserver vs-swg-explicit-proxy -policyName ssl_intercept_pol_bypass_ssli -priority 80 -gotoPriorityExpression NEXT -type INTERCEPT_REQ

bind ssl vserver vs-swg-explicit-proxy -policyName ssl_intercept_pol_bypass_ssli -priority 80 -gotoPriorityExpression NEXT -type INTERCEPT_REQ

add policy patset ssl_intercept_pol_bypass

bind policy patset ssl_intercept_pol_bypass perforce.com -index 1

bind policy patset ssl_intercept_pol_bypass citrix.com -index 2

add ssl policy ssl_intercept_pol_bypass_ssli -rule "client.ssl.client_hello.SNI.CONTAINS_ANY(\"ssl_intercept_pol_bypass\")" -action BYPASS

bind ssl vserver vs-swg-explicit-proxy -policyName ssl_intercept_pol_bypass_ssli -priority 80 -gotoPriorityExpression NEXT -type INTERCEPT_REQ

Block websites based on reputation score

Control access to malicious websites on the basis of the URL reputation score. The URL reputation score ranges from 1 to 4, where 1 indicates a clean website, 2 indicates an unknown website, 3 indicates a potentially dangerous website, and 4 indicates a website with malware. To use this feature , you need URL Threat Intelligence Subscription add-on license.

add responder policy swg_proxy_repu-security "http.req.method.ne(\"CONNECT\") &amp;&amp; (HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).reputation.ge(3)||HTTP.REQ.URL.URL_CATEGORIZE(0,0).reputation.ge(3))" DROP

bind cs vserver vs-swg-explicit-proxy -policyName swg_proxy_repu-security -priority 12 -gotoPriorityExpression END -type REQUEST

add responder policy swg_proxy_repu-security "http.req.method.ne(\"CONNECT\") && (HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).reputation.ge(3)||HTTP.REQ.URL.URL_CATEGORIZE(0,0).reputation.ge(3))" DROP

bind cs vserver vs-swg-explicit-proxy -policyName swg_proxy_repu-security -priority 12 -gotoPriorityExpression END -type REQUEST

Blacklist specific URLs based on Pattern Sets

Using SWG URL Filtering and URL Lists you can control access to specific websites.
When you create a URL List it basically creates a corresponding Responder Policy that you will need to bind to the Proxy vServer.

Create the Pattern Set which we will use to reference websites:

add policy patset url_list_patset_deny

1	add policy patset url_list_patset_deny

Bind a Website to the Pattern Set that needs to be blocked:

bind policy patset url_list_patset_deny websitezyz.com

1	bind policy patset url_list_patset_deny websitezyz.com

Create the Responder Policy to drop the traffic based on Pattern Set:

add responder policy url-list-pol-deny "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY(\"url_list_patset_deny\") || HTTP.REQ.URL.CONTAINS_ANY(\"url_list_patset_deny\")" DROP

1	add responder policy url-list-pol-deny "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY(\"url_list_patset_deny\") \|\| HTTP.REQ.URL.CONTAINS_ANY(\"url_list_patset_deny\")" DROP

Using the SWG Web Gui to configure URL Filtering, will basically create above configuration.

URL Categorization Policies

Use URL Categorizaiton policies to Deny, Allow or Redirect for specific categories. In this example we block websites in the Dating category.

add policy patset url_cat_dating_deny_patset

bind policy patset url_cat_dating_deny_patset Dating -index 1

add responder policy url_cat_dating_deny_url_cat "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\") || HTTP.REQ.URL.URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\")" DROP

add policy patset url_cat_dating_deny_patset

bind policy patset url_cat_dating_deny_patset Dating -index 1

add responder policy url_cat_dating_deny_url_cat "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\") || HTTP.REQ.URL.URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\")" DROP

So when i try to access dating.dk as an example, the policy blocks the website access.

Troubleshooting NetScaler Secure Web Gateway

Entries for NetScaler Secure Web Gateway are contained in ns.log under /var/log/ – you will need to turn on the logging first:

set syslogparams -ssli Enabled

1	set syslogparams -ssli Enabled

Them use tail to filter out on SSL Intercept log entries:

tail -f /var/log/ns.log | grep -i "SSLI INTERCEPT_LOG"

1	tail -f /var/log/ns.log \| grep -i "SSLI INTERCEPT_LOG"

set syslogParams -urlFiltering Enabled

1	set syslogParams -urlFiltering Enabled

Them use tail to filter out on URLFilter log entries:

tail -f /var/log/ns.log | grep -i "URLFILT_LOG"

1	tail -f /var/log/ns.log \| grep -i "URLFILT_LOG"

You can also use the following command to troubleshoot SWG:

nsconmsg -d current -g ssli

nsconmsg -d current -g err

nsconmsg -d current -g ssli

nsconmsg -d current -g err

To change how often URL Categorization DB updates occur, you could alter the default setting via CLI:

set urlfiltering parameter [-HoursBetweenDBUpdates &lt;positive_integer&gt;] [-TimeOfDayToUpdateDB &lt;HH:MM&gt;]

1	set urlfiltering parameter [-HoursBetweenDBUpdates <positive_integer>] [-TimeOfDayToUpdateDB <HH:MM>]

Or via GUI (URL Filtering > Change URL Filtering settings) :

Using NMAS to provide user and traffic visibility

NetScaler SWG appliance will need to be added to NMAS, this will enable AppFlow on the SWG appliance:

CLI:

add appflow collector _swg_vs-swg-explicit-proxy_apfw_cl -IPAddress NMAS-IP -port 5557 -Transport logstream

set appflow param -templateRefresh 60 -httpUrl ENABLED -AAAUserName ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpVia ENABLED -httpLocation ENABLED -httpDomain ENABLED -cacheInsight ENABLED -urlCategory ENABLED

add appflow action _swg_vs-swg-explicit-proxy_apfw_act -collectors _swg_vs-swg-explicit-proxy_apfw_cl -distributionAlgorithm ENABLED

add appflow policy _swg_vs-swg-explicit-proxy_apfw_pol true _swg_vs-swg-explicit-proxy_apfw_act

add appflow collector _swg_vs-swg-explicit-proxy_apfw_cl -IPAddress NMAS-IP -port 5557 -Transport logstream

set appflow param -templateRefresh 60 -httpUrl ENABLED -AAAUserName ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpVia ENABLED -httpLocation ENABLED -httpDomain ENABLED -cacheInsight ENABLED -urlCategory ENABLED

add appflow action _swg_vs-swg-explicit-proxy_apfw_act -collectors _swg_vs-swg-explicit-proxy_apfw_cl -distributionAlgorithm ENABLED

add appflow policy _swg_vs-swg-explicit-proxy_apfw_pol true _swg_vs-swg-explicit-proxy_apfw_act

Outbound Traffic Dashboard:

Shows the statistics and details on all outbound traffic which runs through SWG.

User Dashboard and Transactions:

Shows User statistics.

Reference Links

How Do I? : NetScaler Secure Web Gateway
https://support.citrix.com/article/CTX224805

FAQ: NetScaler Secure Web Gateway
https://support.citrix.com/article/CTX224785