Monday, August 8, 2016

SSL Offloading: Where to Do It in Citrix StoreFront 7.6?

Good day All,

Welcome back!!!

We are setting up SSL for our new Citrix 7.6 farm, and our network engineer asked how the password is sent when a user types the username and password into the Citrix URL.
Citrix support was called and kept saying it was clear text, so to double-confirm it I set up a lab and installed Netmon on the StoreFront server.

My source IP was 192.168.1.5, my StoreFront IP was 192.168.1.72 and my Delivery Controller was 192.168.1.73.

So I opened the URL and typed the username and password. Before hitting Enter, I logged on to the StoreFront server, installed Netmon and started the capture.

Back on the client machine 192.168.1.5, I hit Enter at the Citrix login screen, was logged in to Citrix and my published app showed up. I then quickly jumped to StoreFront and stopped the Netmon capture.

Microsoft Netmon is a very simple and powerful tool: click All Traffic and it neatly segregates the traffic between each pair of hosts.

[Screenshot: Netmon capture of the client-to-StoreFront login traffic, with the username and password fields highlighted]

I highlighted the fields in yellow, and now you know the username and password for my Citrix login.

I was then curious how the password is sent from StoreFront to the Delivery Controller, whose IP was 192.168.1.73. For everyone's knowledge, that communication is set to port 80.

[Screenshot: Netmon capture of the StoreFront-to-Delivery Controller XML traffic on port 80]

As the screenshot shows, StoreFront sends an XML query to the Delivery Controller on port 80. The good thing is that the password is not sent as clear text; it is encrypted.
There are tools out there that can decrypt it, but at least it is not clear text.

So the big question becomes: how far should we go in encrypting the traffic?

1. It depends on how the client connects: if external, SSL is a must for the Citrix URL.
2. If all client communication is internal, we can probably get away without SSL.
3. Is SSL needed between StoreFront and the Delivery Controller? That depends on the company, how far it needs to go and how secure it wants to be; understand that there will always be overhead associated with it.
4. Most companies I have seen offload SSL on a load balancer, either F5 or NetScaler, to avoid the overhead on StoreFront. That means traffic from the client to the F5 or NetScaler is on port 443, and from there it is port 80 to StoreFront.
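To make the hop-by-hop decision above concrete, here is an added example (my own code, not from this post or from Citrix) that classifies each captured request in a lab capture like the ones above: whether a credential crosses the hop in clear text, merely encoded, or under TLS. The capture records are constructed for the example; the URL paths, host names, form field names and the base64-encoded password in the XML body are stand-ins, since the real StoreFront and XML service wire formats are not shown on this page. TLS is recognised only by the record header, which is enough for a capture triage but is a heuristic.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Lab addresses from the post; everything else below is constructed.
CLIENT, STOREFRONT, DDC = "192.168.1.5", "192.168.1.72", "192.168.1.73"


@dataclass
class Record:
    """One captured request: who sent it, to where, and the raw bytes."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed stand-ins for the three captures in the post. The paths, host
# names, field names and the base64 password encoding are invented (assumptions);
# the real StoreFront and XML-service wire formats are not shown on this page.
SAMPLE_CAPTURE = [
    # Hop 1: browser login form to StoreFront over plain HTTP (port 80)
    Record(CLIENT, STOREFRONT, 80,
           b"POST /Citrix/StoreWeb/login HTTP/1.1\r\n"
           b"Host: storefront.lab.local\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=lab%5Cjdoe&password=Summer2016%21"),
    # Hop 2: StoreFront passing the credential to the Delivery Controller as XML
    Record(STOREFRONT, DDC, 80,
           b"POST /xmlservice HTTP/1.1\r\n"
           b"Host: ddc.lab.local\r\n"
           b"Content-Type: text/xml\r\n\r\n"
           b"<Credentials><UserName>jdoe</UserName>"
           b'<Password encoding="base64">U3VtbWVyMjAxNiE=</Password></Credentials>'),
    # Hop 1 again after SSL was enabled: a TLS handshake record, nothing readable
    Record(CLIENT, STOREFRONT, 443,
           b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
]

CRED_FIELD = re.compile(r"(user(name)?|login|pass(word|wd)?)$", re.IGNORECASE)
XML_PASSWORD = re.compile(rb"<Password(?P<attrs>[^>]*)>(?P<value>.*?)</Password>", re.DOTALL)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, then version 0x03 0x00..0x04."""
    return (len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04)


def split_http(payload: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (lower-cased header map, body) for an HTTP request, or ({}, b'')."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {}, b""
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def classify(record: Record) -> str:
    """Label one hop: TLS, CLEAR_TEXT_CREDENTIAL, ENCODED_CREDENTIAL or NO_CREDENTIAL."""
    if looks_like_tls(record.payload):
        return "TLS"
    headers, body = split_http(record.payload)
    ctype = headers.get("content-type", "")
    if "x-www-form-urlencoded" in ctype:
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if any(CRED_FIELD.search(name) for name in fields):
            return "CLEAR_TEXT_CREDENTIAL"
    elif "xml" in ctype:
        match = XML_PASSWORD.search(body)
        if match:
            # base64 hides the value from a casual glance but is trivially reversible
            if b"base64" in match.group("attrs"):
                try:
                    base64.b64decode(match.group("value"), validate=True)
                    return "ENCODED_CREDENTIAL"
                except ValueError:
                    pass
            return "CLEAR_TEXT_CREDENTIAL"
    return "NO_CREDENTIAL"


def audit(records: List[Record]) -> List[Dict[str, str]]:
    """Per-hop verdict, in capture order."""
    return [{"hop": f"{r.src} -> {r.dst}:{r.dst_port}", "status": classify(r)} for r in records]


def exposed_hops(records: List[Record]) -> List[str]:
    """Hops where a credential crosses the wire without TLS (clear or merely encoded)."""
    return [v["hop"] for v in audit(records)
            if v["status"] in ("CLEAR_TEXT_CREDENTIAL", "ENCODED_CREDENTIAL")]


if __name__ == "__main__":
    for verdict in audit(SAMPLE_CAPTURE):
        print(f"{verdict['hop']:<35} {verdict['status']}")
    print("hops that need TLS:", exposed_hops(SAMPLE_CAPTURE))
```

Run against the constructed capture, both port 80 hops come back as needing TLS: the client-to-StoreFront form post is clear text, and the StoreFront-to-Delivery Controller XML is only encoded, which is the same distinction the post draws. With the offload design from item 4, the load balancer-to-StoreFront leg would show up as a third port 80 hop carrying the clear-text form, so the script makes the cost of that design visible.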


So test, test and test again: how secure and how fast you need the apps delivered to users will determine how much security you need.


Before I conclude, I added SSL for StoreFront, so now look at the communication from the user desktop to StoreFront: it is all encrypted on port 443 and secure.

[Screenshot: Netmon capture of the client-to-StoreFront traffic on port 443 after enabling SSL]

Let me know how securely you have implemented it in your environment. Until the next one, have a good day!!!

