Integrating Citrix ADC, Citrix Secure Web Gateway with Azure Stack Hub

Citrix recently launched full support for Citrix ADC on Azure Stack Hub. With this new integration, organizations can start using Citrix ADC as a proxy along with Azure Stack Hub.

Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in a customer’s datacenter. From a security perspective, admins may want to control which resources Azure Stack Hub can access. This is where Citrix ADC Secure Web Gateway solution can help, providing an efficient way to control what can be accessed.

In this blog post, we will look at how to integrate Citrix ADC and Citrix Secure Web Gateway with Azure Stack Hub to achieve customers’ security needs.

Citrix ADC Sitting on the Edge

Citrix ADC sits on the edge of the Azure Stack Hub environment, as shown below, controlling which resources can be accessed. It achieves this by using Citrix Secure Web Gateway configuration and Citrix ADC’s rich policy infrastructure.

In Citrix ADC, we configure two vservers of type proxy — one transparent and one explicit. Traffic will hit one of these two vservers from Azure Stack Hub and go out to the internet or intranet.

On the transparent vserver, we create an allow-list, with domain-names or URLs, by using either url-set or policy pattern set (patset) feature. For https traffic, the allow-list will be part of the SSL policy that gets evaluated during the SSL handshake and matches the domain name that’s in the Server Name Identification (SNI) with the configured urlset/patset. Similarly, for http traffic, the allow-list will be part of a responder policy. Domain names present in the http header will be compared against the domain names present in urlset/patset, allow or deny action will be taken based on this policy evaluation outcome.

For the explicit vserver, the requirement is to allow all types of traffic to pass through, so no policies are bound to it. In the next section, we’ll walk through the configuration in detail.

Step-by-Step Configuration for Your Citrix ADC

1. Enable the needed features:
   enable ns feature WL LB CS SSL IC RESPONDER CH ForwardProxy SSLInterception

2. Add DNS nameserver:
   add dns nameServer <DNS-server-IP>

3. Add Subnet IPs for internal and external communication
   1. One SNIP is needed for client-side traffic to reach ADC device.
      add ns ip <IP-1> <Subnet-mask-1> -vServer DISABLED
   2. Another SNIP for NS to reach out to internet.
      add ns ip <IP-2> <Subnet-mask-2> -vServer DISABLED

4. Needed configuration to enable Citrix Secure Web Gateway:
   1. add ssl profile swgprofile -sessReuse ENABLED -sessTimeout 120 -sslInterception ENABLED
   2. add ssl certKey swgca -cert citrix_swg.pfx -key citrix_swg.pfx
   3. bind ssl profile swgprofile -ssliCACertkey swgca
   4. apply certbundle default

5. Microsoft requires an “allow-list” of domain names, and traffic from these domains will be allowed to pass through the Citrix Secure Web Gateway. All other domains must be blocked. There are two approaches to making this allow-list:
   1. Make a policy patset and use it in SSL + Responder (for http traffic) policy:
      1. add policy patset pat1
      2. bind policy patset pat1 abc.com -index 1
      3. bind policy patset pat1 def.com -index 2
      4. And so on (You can keep adding more domain names in pat1.)
   2. Using urlset way:
      1. Create a file with, for example, the name test1 and that has domain names listed in it. Place it in the Citrix ADC (/var/tmp/test1). More details on format of this file are in the link below that explains urlset.
      2. import urlset url1 -url local:test1 -overwrite
      3. add urlset url1
      4. update urlset url1

You can find more information on these two methods in our product documentation. Please note, in this blog post, we use the patset way to explain additional steps. You can do the same with urlset.

6. Add policies that use the above patset.
   1. SSL Policy that will evaluate contents of SNI with patset:add ssl policy pol_patset_bypass -rule “client.ssl.client_hello.SNI.CONTAINS_ANY(\”pat1\”)” -action BYPASSThis policy ensures that any SNI that matches with the contents of pat1 gets bypassed. This policy will be evaluated as soon as we get the clienthello message.
   2. To drop https traffic other than what’s mentioned in pat1, we need to add one more SSL policy:add ssl policy pol_true_reset -rule true -action RESETWe’ll see below that this policy will be bound at a lower priority than the policy mentioned in 6.a.
   3. Responder policy for http traffic:add responder policy resp_patset_match “!HTTP.REQ.HOSTNAME.CONTAINS_ANY(\”pat1\”)” RESETThis policy ensures sure that anything outside of patset gets dropped. This will get evaluated when Citrix Secure Web Gateway gets an http request.

7. Let’s add transparent vserver:add cs vserver vip_transparent PROXY * * -cltTimeout 180 -Listenpolicy “CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443)” -persistenceType NONEIn this vserver we have also mentioned a listen policy “CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443)”. This ensures that traffic for http and https hits the vserver; everything else gets bypassed.

8. Bind sslprofile to transparent vserver that enables Citrix Secure Web Gateway on this vserver:set ssl vserver vip_transparent -sslProfile swgprofile

9. Bind the policies that we added above to the transparent vserver:
   1. Policy to accept and bypass domains mentioned in pat1:
      bind ssl vserver vip_transparent -policyName pol_patset_bypass -priority 1 -type INTERCEPT_REQ
   2. Policy to drop everything else that is outside of pat1:
      bind ssl vserver vip_transparent -policyName pol_true_reset -priority 100 -type INTERCEPT_REQ
   3. The two policies above work at the SSL level. For http traffic, we need something that honors the allow-list created in pat1. For this, we will bind responder policy to this vserver:
      bind cs vserver vip_transparent -policyName resp_patset_match -priority 1 -type REQUEST

10. Azure Stack Hub has a requirement where if an explicit proxy is configured, all traffic is allowed. Here are the configuration steps:
    1. Add an explicit proxy vserver:
       add cs vserver vip_explicit PROXY <Proxy-IP> <Proxy-port> -cltTimeout 180 -persistenceType NONE
    2. Enable Citrix Secure Web Gateway on it:
       set ssl vserver vip_explicit -sslProfile swgprofile
    3. Bind a policy that makes sure that everything gets bypassed:add ssl policy pol_true_bypass -rule true -action BYPASSbind ssl vserver vip_explicit -policyName pol_true_bypass -priority 100 -type INTERCEPT_REQ

You can also execute this configuration via the Citrix ADC GUI. Just go to https://<NS-IP> and navigate through Configuration tab → Security → SSL Forward Proxy. The SSL Forward Proxy Wizard template, shown below, provides step-by-step guidance on configuring proxy vservers and associated policies.

For more information on Citrix ADC and Citrix Secure Web Gateway, check out our product documentation.