Protect your web traffic against Internet threats with Citrix NetScaler Secure Web Gateway

In this blog post I will share some of my experiences implementing NetScaler SWG as a Forward Proxy in order to protect and enhance security for your web traffic.

Citrix NetScaler Secure Web Gateway addresses security challenges, by letting organizations control which applications users can access, inspecting ssl encrypted traffic, blocking intrusions and preventing malware.







NetScaler SWG allows organisations to inspect outbound SSL traffic originating from internal users.
NetScaler SWG can be implemented as a Tranparent Proxy, in this scenario clients does not need to be aware of the existence of the proxy. On the network layer SWG works as a gateway that sits between the client and the Internet.

NetScaler SWG can also be implemented in explicit proxy mode, in this scenario you point your clients/browsers to use NetScaler SWG as Proxy either by PAC file or browser configuration (Can be pushed out by Microsoft GPO or DHCP Options e.g.).

Obs. NetScaler 12.0 Build 57.19 introduced ICAP support for Content inspection. ICAP (Internet Content Adaptation Protocol) is a lightweight protocol which is in general used to implement virus scanning and content filters in HTTP Proxies. ICAP uses a cache to proxy all client transactions and process the transactions using ICAP Web servers, which are designed for functions as virus scanning and content filtering. ICAP will not be covered in this blog post.

Using ICAP for remote content inspection





Summary of NetScaler SWG capabilities:

  • NetScaler SWG provides complete visibility into encrypted traffic allows you to inspect, analyse and control web traffic.
  • NetScaler URL Threat Intelligence subscription is an optional feature to SWG, this feature blocks access to millions of phishing and malware websites.
  • NetScaler SWG with NMAS provides User Analytics and Outbound Traffic Analysis.


Use Cases

Use Case: Making Enterprise Internet Access Compliant and Secure

Use case: Making enterprise network secure by using ICAP for remote malware inspection




  • Reduce Business Risk and increase employee productivity by protecting against phishing and malware threats.
  • Enforce company security policies on all outgoing web traffic, while blocking access to inappropriate sites on a per user/group basis.
  • Integrated with subscription based realtime cloud based solution for URL Threat intelligence.
  • Organizations can now have the visibility and control they need over encrypted traffic while ensuring compliance with their privacy, regulatory, and acceptable use policies.
  • Monitor and report on web usage trends, log requests or log only the requests that trigger a risk alert.
  • NetScaler MAS (NMAS) collates and presents user activity.
  • Bypass for trusted communication eg. banking and healthcare applications to meet compliance requirements.


License requirements

SWG is a separate appliance (VPX, MPX or SDX Instance).


  • NetScaler Secure Web Gateway requires its own platform license (minimum requirement for SWG appliance).
  • URL Threat Intelligence feature license. This license is required for use of the URL filtering, URL categorization, and URL reputation score feature.


Configuring NetScaler SWG

In this configuration example I will not use the builtin Wizard for configuring SWG.

The platform I did test on was running NetScaler SWG version 12.0 build 57.19 and NMAS 12.0 build 57.19.



Start with enabling the required features:

  • AAA (Authentication, Authorization and Auditing)
  • SSL Offloading
  • Content Switching
  • Integrated Caching
  • AppFlow
  • Forward Proxy
  • Responder
  • SSL Interception



Certificate Pre-reqs

Following SSL Certificates, should be available prior to configuration:

  • SSL Cert for AAA vServer configured if doing Authentication on Proxy Virtual Server.
  • SSL Cert on Proxy vServer.
  • CA Certificate keypair – if doing SSL Interception of the Client Requests.
    • You could use you internal CA, backup and export the private key from the internal CA and import this as CA Certificate key in SWG. NetScaler SWG will do SSL Interception from this Certificate which should already be trusted in your domain clients local key store.



Configure Proxy Virtual Server

The Proxy Virtual Server will be used as entry point from our Clients. In this scenario we will configure Proxy Virtual Server as Explicit Proxy, and add an Authentication vServer for security and user visibility.

Create Authentication and Proxy vServer:




Create SSL Profile for SSL Interception:



Bind SSL Profile to Proxy Virtual Server:



Bind the Certkey pair to the SSL Profile for interception of the SSL Traffic with this certificate:



Now point your Web browser to use the Proxy Virtual Server created here. On first web site access, the SWG will prompt user for Authentication. This will also allow us to gain user visibility in NMAS and log files.

Configuring SSL Interception policies

At this stage you should also consider whether SSL Interception or bypass should occur for all HTTPS sites, specific category or specific sites only.

Example of SSL Interception policy to Intercept specific sites:



Example of SSL Interception policy to Intercept based on URL Categories:






Configuring SSL Interception policies to bypass specific traffic

In order to bypass SSL Interception for specific traffic.

Create the SSL Interception policy and base either at specific URL Category, Reputation or a Pattern Set.

Set the action to BYPASS.



In this example I choose to base the SSL Interception BYPASS policy on URLs that I define in the pattern set.




Block websites based on reputation score

Control access to malicious websites on the basis of the URL reputation score. The URL reputation score ranges from 1 to 4, where 1 indicates a clean website, 2 indicates an unknown website, 3 indicates a potentially dangerous website, and 4 indicates a website with malware. To use this feature , you need URL Threat Intelligence Subscription add-on license.





Blacklist specific URLs based on Pattern Sets

Using SWG URL Filtering and URL Lists you can control access to specific websites.
When you create a URL List it basically creates a corresponding Responder Policy that you will need to bind to the Proxy vServer.

Create the Pattern Set which we will use to reference websites:



Bind a Website to the Pattern Set that needs to be blocked:



Create the Responder Policy to drop the traffic based on Pattern Set:



Using the SWG Web Gui to configure URL Filtering, will basically create above configuration.


URL Categorization Policies

Use URL Categorizaiton policies to Deny, Allow or Redirect for specific categories. In this example we block websites in the Dating category.


So when i try to access as an example, the policy blocks the website access.



Troubleshooting NetScaler Secure Web Gateway

Entries for NetScaler Secure Web Gateway are contained in ns.log under /var/log/ – you will need to turn on the logging first:


Them use tail to filter out on SSL Intercept log entries:



Them use tail to filter out on URLFilter log entries:


You can also use the following command to troubleshoot SWG:


To change how often URL Categorization DB updates occur, you could alter the default setting via CLI:


Or via GUI (URL Filtering > Change URL Filtering settings) :




Using NMAS to provide user and traffic visibility

NetScaler SWG appliance will need to be added to NMAS, this will enable AppFlow on the SWG appliance:






Outbound Traffic Dashboard:

Shows the statistics and details on all outbound traffic which runs through SWG.




User Dashboard and Transactions:

Shows User statistics.





Reference Links


How Do I? : NetScaler Secure Web Gateway

FAQ: NetScaler Secure Web Gateway

Leave a Reply

Your email address will not be published. Required fields are marked *