In this blog post I will share some of my experiences implementing NetScaler SWG as a Forward Proxy to protect and enhance the security of your web traffic.
Citrix NetScaler Secure Web Gateway addresses security challenges by letting organizations control which applications users can access, inspect SSL-encrypted traffic, block intrusions and prevent malware.
NetScaler SWG allows organisations to inspect outbound SSL traffic originating from internal users.
NetScaler SWG can be implemented as a Transparent Proxy; in this scenario clients do not need to be aware of the existence of the proxy. On the network layer, SWG works as a gateway that sits between the client and the Internet.
NetScaler SWG can also be implemented in explicit proxy mode; in this scenario you point your clients/browsers to use NetScaler SWG as their proxy, either by PAC file or by browser configuration (which can be pushed out by e.g. Microsoft GPO or DHCP options).
Note: NetScaler 12.0 Build 57.19 introduced ICAP support for content inspection. ICAP (Internet Content Adaptation Protocol) is a lightweight protocol generally used to implement virus scanning and content filtering in HTTP proxies. With ICAP, the proxy/cache hands client transactions to ICAP servers, which are designed for functions such as virus scanning and content filtering. ICAP will not be covered in this blog post.
Using ICAP for remote content inspection
https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/security-configuration/using-icap-for-remote-content-inspection.html
Summary of NetScaler SWG capabilities:
- NetScaler SWG provides complete visibility into encrypted traffic, allowing you to inspect, analyse and control web traffic.
- NetScaler URL Threat Intelligence subscription is an optional SWG feature that blocks access to millions of phishing and malware websites.
- NetScaler SWG with NMAS provides User Analytics and Outbound Traffic Analysis.
Table of Contents
Use Cases
Use Case: Making Enterprise Internet Access Compliant and Secure
Use case: Making enterprise network secure by using ICAP for remote malware inspection
Benefits
- Reduce Business Risk and increase employee productivity by protecting against phishing and malware threats.
- Enforce company security policies on all outgoing web traffic, while blocking access to inappropriate sites on a per user/group basis.
- Integration with a subscription-based, real-time, cloud-based URL Threat Intelligence service.
- Organizations can now have the visibility and control they need over encrypted traffic while ensuring compliance with their privacy, regulatory, and acceptable use policies.
- Monitor and report on web usage trends, log requests or log only the requests that trigger a risk alert.
- NetScaler MAS (NMAS) collates and presents user activity.
- Bypass for trusted communication, e.g. banking and healthcare applications, to meet compliance requirements.
License requirements
SWG is a separate appliance (VPX, MPX or SDX Instance).
- NetScaler Secure Web Gateway requires its own platform license (minimum requirement for SWG appliance).
- URL Threat Intelligence feature license. This license is required for use of the URL filtering, URL categorization, and URL reputation score feature.
Configuring NetScaler SWG
In this configuration example I will not use the built-in wizard for configuring SWG.
The platform I did test on was running NetScaler SWG version 12.0 build 57.19 and NMAS 12.0 build 57.19.
Features
Start with enabling the required features:
- AAA (Authentication, Authorization and Auditing)
- SSL Offloading
- Content Switching
- Integrated Caching
- AppFlow
- Forward Proxy
- Responder
- SSL Interception
Certificate Pre-reqs
The following SSL certificates should be available prior to configuration:
- SSL certificate for the AAA vServer, if doing authentication on the Proxy Virtual Server.
- SSL certificate on the Proxy vServer.
- CA certificate key pair, if doing SSL Interception of the client requests.
- You could use your internal CA: back up and export the private key from the internal CA and import it as a CA certificate key in SWG. NetScaler SWG will then do SSL Interception with this certificate, which should already be trusted in your domain clients' local key store.
Configure Proxy Virtual Server
The Proxy Virtual Server will be used as the entry point for our clients. In this scenario we will configure the Proxy Virtual Server as an Explicit Proxy and add an Authentication vServer for security and user visibility.
Create Authentication and Proxy vServer:
add authentication vserver vs-swg-explicit-proxy_authvs SSL 0.0.0.0
add cs vserver vs-swg-explicit-proxy PROXY x.x.x.x 8888 -cltTimeout 180 -authn401 ON -authnVsName vs-swg-explicit-proxy_authvs
Create SSL Profile for SSL Interception:
add ssl profile ssl-proxy-intercept -sessReuse ENABLED -sessTimeout 120 -sslInterception ENABLED
Bind SSL Profile to Proxy Virtual Server:
set ssl vserver vs-swg-explicit-proxy -sslProfile ssl-proxy-intercept
Bind the Certkey pair to the SSL Profile for interception of the SSL Traffic with this certificate:
bind ssl profile ssl-proxy-intercept -ssliCACertkey internal-AD-CA-keypair
Now point your web browser to use the Proxy Virtual Server created here. On first website access, SWG will prompt the user for authentication. This also gives us user visibility in NMAS and in the log files.
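For the explicit-proxy mode described above, the browser can be pointed at the proxy vServer with a PAC file. The following is an added example, not from the post: it sends all external traffic to the post's placeholder proxy address on port 8888 and keeps intranet names direct; the internal suffix `.corp.example`, the private address patterns, and the three helper stand-ins (which a browser's PAC engine normally supplies) are assumptions for illustration.

```javascript
// Added example: PAC file for the explicit proxy vServer (placeholder x.x.x.x:8888).
// The three helpers below are minimal stand-ins for the functions a browser's
// PAC engine provides, so the file can also be exercised under Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.slice(-domain.length) === domain; }
function shExpMatch(str, pattern) {
  // Translate a shell-style glob (* and ?) into an anchored regular expression.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

var SWG_PROXY = "PROXY x.x.x.x:8888"; // placeholder: the proxy vServer IP and port

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // Internal domain suffix (assumed: .corp.example) stays direct.
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Literal private addresses typed into the browser stay direct (assumed ranges).
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) return "DIRECT";
  // Everything else goes through SWG. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable, browsing fails closed instead of silently
  // bypassing interception and URL filtering.
  return SWG_PROXY;
}
```

Because the last return has no DIRECT fallback, an outage of the SWG stops browsing rather than letting clients bypass inspection.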
Configuring SSL Interception policies
At this stage you should also consider whether SSL Interception, or a bypass, should apply to all HTTPS sites, to specific categories only, or to specific sites only.
Example of SSL Interception policy to Intercept specific sites:
Example of SSL Interception policy to Intercept based on URL Categories:
Configuring SSL Interception policies to bypass specific traffic
To bypass SSL Interception for specific traffic, create an SSL Interception policy based on a specific URL category, a reputation score or a pattern set, and set the action to BYPASS.
In this example I chose to base the SSL Interception BYPASS policy on URLs that I define in a pattern set.
add policy patset ssl_intercept_pol_bypass
bind policy patset ssl_intercept_pol_bypass perforce.com -index 1
bind policy patset ssl_intercept_pol_bypass citrix.com -index 2
add ssl policy ssl_intercept_pol_bypass_ssli -rule "client.ssl.client_hello.SNI.CONTAINS_ANY(\"ssl_intercept_pol_bypass\")" -action BYPASS
bind ssl vserver vs-swg-explicit-proxy -policyName ssl_intercept_pol_bypass_ssli -priority 80 -gotoPriorityExpression NEXT -type INTERCEPT_REQ
Block websites based on reputation score
Control access to malicious websites on the basis of the URL reputation score. The URL reputation score ranges from 1 to 4, where 1 indicates a clean website, 2 an unknown website, 3 a potentially dangerous website, and 4 a website with malware. To use this feature you need the URL Threat Intelligence Subscription add-on license.
add responder policy swg_proxy_repu-security "http.req.method.ne(\"CONNECT\") && (HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).reputation.ge(3)||HTTP.REQ.URL.URL_CATEGORIZE(0,0).reputation.ge(3))" DROP
bind cs vserver vs-swg-explicit-proxy -policyName swg_proxy_repu-security -priority 12 -gotoPriorityExpression END -type REQUEST
Blacklist specific URLs based on Pattern Sets
Using SWG URL Filtering and URL Lists you can control access to specific websites.
When you create a URL List, it creates a corresponding Responder Policy that you will need to bind to the Proxy vServer.
Create the Pattern Set which we will use to reference websites:
add policy patset url_list_patset_deny
Bind a Website to the Pattern Set that needs to be blocked:
bind policy patset url_list_patset_deny websitezyz.com
Create the Responder Policy to drop the traffic based on Pattern Set:
add responder policy url-list-pol-deny "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY(\"url_list_patset_deny\") || HTTP.REQ.URL.CONTAINS_ANY(\"url_list_patset_deny\")" DROP
Using the SWG web GUI to configure URL Filtering will create essentially the above configuration.
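Both the SSL Interception bypass policy above and this URL deny list rely on CONTAINS_ANY, which is a substring test. The following added example (not from the post) models that semantics against the post's own patset entries, contrasts it with a domain-boundary match, and mirrors the two branches of the deny-list expression; all hostnames and request lines are constructed, and URL is modelled as path plus query string.

```javascript
// Added example: substring semantics of CONTAINS_ANY(<patset>) for the
// SSL-interception bypass patset (matched on TLS SNI) and the URL deny list
// (matched on hostname+URL), versus a domain-boundary match.
const bypassPatset = ["perforce.com", "citrix.com"]; // ssl_intercept_pol_bypass
const denyPatset = ["websitezyz.com"];               // url_list_patset_deny

// CONTAINS_ANY: true when any patset entry occurs anywhere in the string.
// Plain case-sensitive containment is modelled here; case handling on the
// appliance depends on its text mode and is not modelled.
function containsAny(str, patset) {
  return patset.some(p => str.includes(p));
}

// Stricter alternative: host equals the entry or ends with "." + entry, so
// "citrix.com.attacker.example" and "notcitrix.com" no longer match.
function domainMatchesAny(host, patset) {
  return patset.some(p => host === p || host.endsWith("." + p));
}

// Would this SNI skip interception under each rule?
function sniBypassed(sni) {
  return {
    containsAny: containsAny(sni, bypassPatset),
    domainMatch: domainMatchesAny(sni, bypassPatset),
  };
}

// Would the deny-list responder drop this request? Mirrors the expression's
// two branches: HOSTNAME.APPEND(URL).CONTAINS_ANY(...) || URL.CONTAINS_ANY(...).
function requestDenied(hostname, url) {
  return containsAny(hostname + url, denyPatset) || containsAny(url, denyPatset);
}
```

Note that the second branch also drops requests whose path or query merely mentions a listed name, such as a search on another site for it; decide whether that breadth is intended before binding the policy.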
URL Categorization Policies
Use URL Categorization policies to Deny, Allow or Redirect for specific categories. In this example we block websites in the Dating category.
add policy patset url_cat_dating_deny_patset
bind policy patset url_cat_dating_deny_patset Dating -index 1
add responder policy url_cat_dating_deny_url_cat "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\") || HTTP.REQ.URL.URL_CATEGORIZE(0,0).CATEGORY.EQUALS_ANY(\"url_cat_dating_deny_patset\")" DROP
So when I try to access dating.dk, as an example, the policy blocks access to the website.
Troubleshooting NetScaler Secure Web Gateway
Entries for NetScaler Secure Web Gateway are written to ns.log under /var/log/; you will need to turn on the logging first:
set syslogparams -ssli Enabled
Then use tail to filter on SSL Intercept log entries:
tail -f /var/log/ns.log | grep -i "SSLI INTERCEPT_LOG"
Similarly, enable logging for URL Filtering:
set syslogParams -urlFiltering Enabled
Then use tail to filter on URL Filtering log entries:
tail -f /var/log/ns.log | grep -i "URLFILT_LOG"
You can also use the following command to troubleshoot SWG:
nsconmsg -d current -g ssli
nsconmsg -d current -g err
To change how often URL Categorization DB updates occur, you could alter the default setting via CLI:
set urlfiltering parameter [-HoursBetweenDBUpdates <positive_integer>] [-TimeOfDayToUpdateDB <HH:MM>]
Or via the GUI (URL Filtering > Change URL Filtering settings):
Using NMAS to provide user and traffic visibility
The NetScaler SWG appliance needs to be added to NMAS, which enables AppFlow on the SWG appliance:
CLI:
add appflow collector _swg_vs-swg-explicit-proxy_apfw_cl -IPAddress NMAS-IP -port 5557 -Transport logstream
set appflow param -templateRefresh 60 -httpUrl ENABLED -AAAUserName ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpVia ENABLED -httpLocation ENABLED -httpDomain ENABLED -cacheInsight ENABLED -urlCategory ENABLED
add appflow action _swg_vs-swg-explicit-proxy_apfw_act -collectors _swg_vs-swg-explicit-proxy_apfw_cl -distributionAlgorithm ENABLED
add appflow policy _swg_vs-swg-explicit-proxy_apfw_pol true _swg_vs-swg-explicit-proxy_apfw_act
Outbound Traffic Dashboard:
Shows statistics and details on all outbound traffic that passes through SWG.
User Dashboard and Transactions:
Shows per-user statistics and transactions.
Reference Links
How Do I? : NetScaler Secure Web Gateway
https://support.citrix.com/article/CTX224805
FAQ: NetScaler Secure Web Gateway
https://support.citrix.com/article/CTX224785