companies to provide a single remote access point available as for all their users. The user can be output device user or BYOD users a blend of laptop users, mobile users, companies. Some users may need to use additional authentication methods, such as a smart card to access their resources (eg finance dept access sensitive data). Some users want plain simple remote access for Webapps or laboratory environments. Forcing all users would go through the same authentication method, be difficult in this type of mixed groups.
NetScaler gateway, support for SSL renegotiation feature in the current GA version (10.5 to 50.10). SSL renegotiation feature allows a client-server pair perform a new SSL handshake sequence over an existing SSL connection. This function has a very good applications such as providing only access information on a shopping site, if the user decides to buy. This concept is extended to NetScaler gateway where the server (Gateway) decides to only renegotiate when the user tries to access certain resources. As part of the renegotiation gateways will prompt the user to submit to certificate validation and only then the resources will be available.
How SSL renegotiation to use function NetScaler Gateway?
There are certain configurations required for using SSL renegotiation to the Gateway. In the current GA version, so ClientAuth on SSL virtual server settings of Gateway VIP users would be forced to present a valid certificate during login process, though, was set clientcert "optional". It was therefore not possible to allow users, with and without a certificate on the same gateway virtual server.
for calling only renegotiation if necessary, we must disable ClientAuth SSL parameters on the gateway virtual server. The Deny-ssl-renegotiation SSL parameter, it specifies the conditions under which a renegotiation function is allowed should be set to unsecured. One can use the SSL profile to create these settings and set the profile in the Gateway SSL company level. Below is the sample CLI and GUI configurations for the same are given.
Then create a cert action the two-factor authentication on. use a cert policy, bind this action to the gateway virtual server.
The CA certificate bindings and configurations remain the same as they are used to. With this set of configs, users with and without certificate can log on to the same gateway virtual server.
is allowed for the usecase where users access to certain resources, only if he / she has submitted a valid certificate, you can use authorization policies together with over configs. SSL renegotiation after configuring use authorization policy where the rule checks for the existence of the certificate and resource access is available on the backend. If the rule fails (no cert submitted at registration), then fails authorization and fails to access back-end resource.
Another usecase, this configuration is useful to reduce the number certificate prompts during the login process. In previous builds, when configured with WPA cert-based authentication is composed, users receive multiple prompts to select the user certificate. This is because, initiated by several SSL connections browser, EPA plugin and Gateway Plugin. With the above configurations to renegotiate, the user is asked only only during the authentication request (/ cgi / login). Since this requirement is through the browser or in Gateway plugin only once, the certificate selection is prompted only once
CLI
> Add ssl profile ssl-reneg-pro. - ClientAuth DISABLED -denySSLReneg unsecured
Done
> set ssl vserver vpnvs1 -sslProfile ssl-reneg-pro
Done
> certAction CA1 Add -twoFactor ON
Done
> certPolicy CP1 ns_true CA1
Done
> Add authorization policies certauthorize "REQ.SSL.CLIENT.CERT AVAILABLE && REQ.IP.DESTIP == 10.10.10.1" allow
Add Done
>
0 Komentar